Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Games Entertainment

Verant Backs Down On Drive-Scanning 207

fastpage writes, "Verant, the people who bring you Everquest, are backing down on scanning users' computers for anything they want to prevent cheating." Read the CNET story. "I guess getting Web sites shut down to prevent the distribution of ShowEQ wasn't enough."
This discussion has been archived. No new comments can be posted.

Verant Backs Down On Drive-Scanning

Comments Filter:
  • I am repeatedly amazed that people seem to think wide open access and wide open execution is a natural and unavoidable byproduct of having an OS that works at all.

    Why not complain a little about not having an OS that will let you control things better, and do it easily, with safe defaults? Nobody should be able to "scan your HD" without your telling the OS to allow it, nor any other i/o or activity. It should not be a matter of nice companies refraining from doing it. It should be your absolute choice, enforced by an adequate OS.

    Why not design the OS and installation procedures so that admin privileges aren't needed when they're not *really* needed? Why not make it easy to execute games and untrusted whatnot in an OS-provided sand box/quarantine/jail with something better than on/off resource usage/access privileges?

    You can probably configure NT to do that, but how long will it take you find the information and get from the default installation state to something you can believe is safe? (And since NT is closed, you have to believe what MS tells you about it, or be left wondering).

    You can probably configure BSD to be about as safe as you can get, and maybe Linux too, but even in those the defaults are not as tight as they could be (how would you configure an account that you could log into as "gamer" to play something you didn't trust, and whose side activities you wanted to monitor? Easy if you know how? How about automating optional creation of such accounts, so all you had to worry about was choosing a password, instead of learning about groups or policies or other soporifics, when all you want to do is play safely).

    Also, in general it seems that OS design does not yet deal very well with the difference between trusting someone technically with root privileges and trusting someone with business/personal information.

    My .02USD. Gotta go.

  • by Anonymous Coward
    The real problem is that they got caught scanning people's computers BEFORE they made this announcement. The announcement was just their spin doctoring of the issue after the fact.
  • by Anonymous Coward
    You make some good points, mainly the key one. Unless you're the NSA, NIST, or international standards organisation, you NEVER NEVER NEVER NEVER implement your own crypto. You aren't smart enough, and it's gonna get broken. (CSS, anyone?)

    Anyway, I do take issue with your statement:
    "(Moral of the story, folks: Possession of a public key authenticates NOTHING.)"

    I dunno what cryptosystem you're talking about here, but this, in general, is not true... think about Diffie-Hellman signatures - you sign with a public key and verify with a private.

    Of course, maybe you just meant that if your (private, symmetric) key is public, then you have no security. Which I think most 6th graders would realize - leave the key in the door, and you're screwed.

  • by Anonymous Coward
    Verant's "poll": About as loaded as you could get in terms of questions. As far as I'm concerned, the 83% figure is being held up as an attempt to show what ethical and reasonable people Verant Interactive can be. Of course they're ethical and reasonable now that they have the legal boilerplate justification to snoop on you anyway.

    Data stream "encyption": There is a vast difference between merely masking data with a simple XOR and actually encrypting the stream. Do not confuse the two. Encryption in this case would be generally useless without an authentication scheme as well. For obvious reasons, Verant can't actually use decent encryption. However, they can play around and frequently shift masks via patches (as little as it has helped them so far).

    The EULA has been changed to the point that if you want to keep receiving services (playing EQ) you consent to whatever snooping Verant deems appropriate to halt gameplay that is not "in the spirit of the game". Verant already has your genitalia in a tight little grip, so they can be as maganamious as they want to be. Go ahead and get indignant - they have your name, address, credit card number and also the capability to scan your tasklist and see what's running.

    And as for online games using various tricks to get around latency: you simply cannot get around the fact that extra data must be supplied to the client. John Carmack had a very long and informative .plan once about this, and in a perfect world with sub-50 pings it would be possible to Not Trust The Client. As it is however, the reality of latency requires that some prediction must be left up to the client in order to keep the performance that online games have had so far. As a result, no online realtime game is safe from the 'extra-data' hack. EQ is no different than the rest in this regard, but they do send an absolute shitload of extraneous data.
  • by Anonymous Coward
    WE should give Slashdot credit for consistently demonstrating that Linux just isn't ready for real world server use.

    Seriously, moderate me down all you want, but WHAT happened? You can tell us, CmdrTaco.

  • Oh, yes, of course.. three!

    *holy music*

    :)
  • then the holy music :)
  • First, lets acknowledge that there are at least two kinds of online games, those that require mouse precision and those that don't. Quake and all other 3D shooters require precision, Starcraft, Ultima online, and others do not.

    For non-precision games, its pretty clear how to keep them from cheating, as their cheats are all about information. Don't send them anything you don't want them to know, and don't depend on any of their calculations.

    For the precision games, I think the key is to stay ahead of the encryption curve. If you can generate keys (and patch them in) faster than the l33t h4x0rs can crack them, then you're secure. Fall behind just once, and you have problems. Its a heck of a problem to send a key to a cracked client without the cracker getting it.

    Zipwow
  • But the scariest thing is: when they polled 15,000 of their users, 83% agreed to let Verant search their HD as a precondition of playing the game!!!

    Ask them to show you the poll, the questions and the possible answers, as well as the point spread. Maybe the question was worded in a way such that it tries to avoid the possibility of privacy infringement. Even if a company doesn't give my info to private parties, I don't want companies using my checking computer resources to suit their internal purposes.

    Besides, what vested interest does a gaming company have to actively stomp out cheats like this? Persuing legal action against cheat software costs money. Does it cost more money than fixing the bugs in their own software?

    I am also curious what they do to think that they can change the licencing whenever they want without telling you. At least that's my impression.

    Note, I've never played this game. Now I'm glad I don't.
  • Though I work on it no longer, when UOX was first GPL'ed, I became involved and coded a huge amount of stuff for it.

    Yes, OSI's official UO servers have about 6 or 7 subservers (about to double, as they double the world) controlling specific pieces of the map.

    The key difference between UO and EQ here is that EQ sends you position info for everything in your zone. UO sends you position info for all dynamic objects within about 20 tiles (for mobiles and dynamic items) and about 32 tiles (for multis (aka houses)). As almost all of that fits on screen, the advantage to looking at the information before it appears on screen is virtually zero.

    As for the protocol, I've studied it in quite a bit of detail and have worked out all but a few parts which are simply uninteresting (to me) now. The few things which were present originally that would give an advantage have been removed. Examples: The server used to send information about people who were hidden / invisible (no longer). The server used to send the exact hp/max hp info for character (gone, now it sends max hp as 25, and hp scaled to that range).

    Of course, they still have insanely inefficient messages present. For example, if you press the help button, the client sends a message that is an identifier byte, followed by 256 null bytes. (That's unimportant because it's used infrequently, you say? Take a look at how much is sent any time a character other than yourself walks / moves on your screen. A bunch of stuff that isn't likely to change every step...)

    Yes, the key is to do everything important server side.

    There was a linux version of UO. It simply isn't updated frequently. It's currently too old a version to use... It may be updated at some point though. :)

    Jerrith (AR Schleicher)
    ars@iag.net
  • I feel that "Matt Burch Everquest Junkie" is totally right. Look at what happened with Diablo? Why would you want to play that game online when you can easily download a trainer that alters Diablo's memory space and makes your character a god?

    The thing that I love about everquest is that your character becomes more and more "powerful". You can be began to possess items that are more rare and vauluable.

    Its the same thing that appealed to me with Zelda and Rygar on the Nintendo, except now there is the whole teamwork and social aspect thrown in.

    There are items in the game that are worth hundreds of dollars on eBAY. It's a game. I play it to enjoy it, and when I stop enjoying it I put it down for a couple of days.

    People who take advantage of the game (and people like me who aren't cheating or farming the items) will just ruin it for us. Verant, Sony, and Everquest are commercial entities. They exist to make money, and this was an economic decision and still is. If I, like many others, cease to have fun with the game because of this, I will stop playing, and Verant will stop getting our money.

    I was one of the 83% who agreed with the scanning. I don't run ShowEQ, and I never would. I'm proud of what of I have in the game, that I have earned it, and I didn't get things by cheating or having them given to me.
  • The Verant Management has maintained a very open line of communication with their customer base,
    Really? They had an "April Fools" joke recently which cause an outrage from its customers, mainly because they didn't TRUST Verant that it was a joke.
    The april fools joke was another case where people were hacking the software.

    There is an Everquest server called Test where they make all of there modifications before patching the on the live servers. From what I understand, on this server, they have the spells for next ten levels of the game that will be available once they release the expansion pack called Ruins of Kunark.

    The JOKE was that they nerfed (massively weakened) a major spell for every casting class. Now the spells they nerfed were not actually available in the game. The only way you would know they had changed was if you were hacking the program files.

    The average player didn't know (or care) about the joke until it was well over with.

    I think you have overheard generalizations from the discussion boards and made a hasty uninformed decision. The Verant Everquest boards lack moderation, unlike Slashdot - Thank god!, and are filled with people trolling and being jackasses.

  • Ok, got me there.

    I play on a production server and I misread/misunderstood the posts on the verant board.

    However, unless I am mistaken this time around, there are only a couple of hundred people playing on the test server at a time and it is with the understand that your character can be deleted at anytime, or other nasty things may happen.

    Thanks for correcting me on that =)
  • You should be ashamed of yourself for having so little concern about your own privacy. Since you have no problem allowing Verant to search your hard drive remotely, lets see how far you will go...
    It's a game and it's the least of my worries as far as violating my privacy.

    I'm more worried about my bank, college, prior places of employment, electric company, gas company, ad naseum ... and the people who work there having access to my Social Security number and other personal information.

    First of all they were scanning or talking about scanning my computer's memory, and I don't really care if they know that I am running ActiveSync or Norton's Antivirus.

    Would you allow them to search through a record of your recent purchases (looking for hacking-related products)?
    Amazon.com already does this to me. I get email from them when an author has published something new, and I have purchased a book of their's in the past. My recommended books get screwed up because I've bought presents for my nieces and nephews.

    As for the rest of what you said....

    Would you agree to allow Verant to send people to search your computer in person?

    Would you allow them to search your home for books and tools related to reverse engineering?

    The scary thing is not that I would let them into my house, but that I may not have a choice. If they could convince a judge that I was breaking a law and come in with federal agents and warrant, how do I stop that? If there is something on my computer that I don't want someone else to see, I encrypt it. I doubt that would stop the government tho, especially after reading what's-his-names-book on the NSA.
    Silly, you say, but once you start down that path, you can say goodbye to any privacy you think you have.
    Absolutely! ... but we've already started down that path, and I've already said goodbye to my privacy after some of the horrible things i've seen with my own eyes concerning other peoples credit card numbers and social security numbers.

    All we can do is hope democracy keeps it all in check.

  • [crazed look in her eyes]

    Mock not the masters of our existence, they who have granted us this miraculous game! There are those who say they suck our essence, our very lives through this "game" of theirs, but we are willing servants to our lords!

    [glares at the clock over her desk]

    Move on, foul demon! Strike the five o'clock hour and free me from my torment! I am due in Lake Rathetear to deal with some giant skeletons, and will not take kindly to being delayed.

    ------------------

    I'm one of those people who answered "no" to the question about drive scanning. I understand their motivation and have no problem with that, but their current hack-detection does not always work as planned - it concerns me when they automate banning of players, especially since there is no standard procedure for contesting a ban.

    I'm also a die-hard evercrack junkie, and I think that the game (while having occasional flaws) is the best thing I've ever played on my computer. It was made by gamers to be what they wanted it to be... and they did an excellent job of it. As far as I'm concerned, it keeps improving. I think the idea of drive-scanning was a mistake, and I'm glad they decided against it. Frankly, they seem to be reasonable people who actually do listen to their player-base (no matter how much people whine that they don't) - and I have a lot of respect for them.

    Leilah

    (Taerma D'Estain, 26th Erudite Paladin of Quellious, serving the Blade of Enric [tsx.org], Brell Serilis [brellserilis.net])

  • Argh. It's this "If I'm not doing anything wrong, what do I have to hide" attitude that is giving companies and governments more and more control over our privacy every day. Let me state for the record, and put it in bold so everyone can read it:

    ANY COMPANY THAT WOULD EVEN THINK ABOUT SCANNING THEIR USERS' PROCESS LIST, REGISTRY OR HARD DRIVE, FOR ANY REASON WHATSOEVER, DESERVES TO GET TRASHED IN THE COURT OF PUBLIC OPINION.

    This is a totally unacceptable solution to a problem that the game programmers brought upon themselves. If they weren't sending information that would give players an edge, they wouldnt have to worry about people "sniffing" it.

    Violating a user's privacy is not an acceptable way to make up for incompetant coders.
    ________________________________
  • I heard the same report. The program was called MyZack (or something that sounds the same - this was radio, so I couldn't tell), and the guy explaining it was none other than Richard M. Smith. He's the privacy guru from Phar Lap who (among other things) exposed the Microsoft Word document IDs and the RealJukebox user information collecting.

  • Even more history...

    Circa 1983-84, the Minnesota Educational Computing Consortium timesharing system running on a CDC Cyber machine had several interactive applications, including a persistant, multi-user RPG called Milieu and an interactive 'chat' system called XTalk.

    While not the internet, it often supported 70-80 users from all over the state simultaneously. Back then, "cheating" consisted of managing to get access to a 120cps dialin account or being lucky enough to have a terminal with programmable function keys so that you could hit F1 and send a spell instead of having to type it.

    Written entirely in Pascal, with perhaps some Compass glue, it was later ported as a science project to a Sage IV microcomputer as a high school project, and a VAX 11/780 at 3M's Science Research Labs where it lived a brief life as

    I seem to remember variants appearing on local multiuser BBSs in the late 80s.

  • Reading between the lines, it seems to infer that the user configuration is all stored on the client machine. Wouldn't it be reasonable to store a checksum/hash of the client config each time they log off, and compare this when they log back in? If anyone has modified their characters, it should be feasible to kick them until they rollback their modifications. Or are the servers just incapable of determining what is happening to any character and leaving all the info on the client?
  • the lack of honor that makes these persons fell it necessary to cheat. I love competition in nearly any form that I can get it. You don't play games to win ... you play them to compete. I hate losing as much as the next guy ... probably more so, but to know that I put forth an effort that wasn't enough, allows me to become better at the game, teaches me my weaknesses and makes me better as a person. There is an ecstasy, a euphoria that stems from overcoming an obstacle that is difficult in overcoming within the rules of the contest.
    During a track meet, the race is to the finish line, along a specified path. They do not give the prize to the runner that takes a shortcut, that wasn't the contest. If you win by modifying an online game, what did you win? Certainly not the game everyone else was playing.
    For those that say that the disparity in hardware and ping configurations force some to hack a game to get a "level playing field" I reply "NO!". I offer you an example. I play rugby. I am slow. My 350 pounds does not move as quickly as some(any) of the lighter players. In order for me to be a factor, I have to work harder. It means that when not playing the game, I must attempt to get faster. I cannot simply make the referee have everyone jog at my pace. What kind of game is that? Take away someone's advantage so that I can do better. It is more satisfying to find their weakness and exploit it and any and every opportunity that I can, as they run around me when afforded the chance, so must I drive them into the ground when I tackle them. For online gaming ... the same. I have played with 14.4 modems and now ADSL. When my roommate doesn't pay the phone bill, I use a wireless modem and play on that poor connection. I adapt to my connection and play the best that I can. That is where the fun is.

    I do not agree with companies policing hard disks, or processes, but would like to see some kind of referee system that makes sure all of the rules are abided to. It would be real nice if online games were like playground sports, where rules were agreed upon and no officiating was necessary because if a rule was broken it was well known and most of the time a result of bad luck on a hard play. If there is a disagreement, the dispute is settled quickly.

  • wow, I didn't realize questioning the ultimate power of money was flamebait.
    Though I didn't moderate your post, posting a critism without supporting comments tends not to be useful. That might be enough to consider it flamebait. Critism in itself shouldn't be considered Flamebait or a Troll as long as it you support it with why you feel that way or whatever is needed to support your point. Then it's adding to the discussion.
  • Ooops that might turn you into a karma whore ;-)
  • I'd say that was a pretty valid argument, wouldn't you?

    No, I wouldn't. They were implementing a change in policy that would affect users. They fact that some other users have already left is irrelevent, they were checking their userbase to see if they minded the intrusion. Regardless of what you, or the AC (BTW, my previous reference to AC was Asheron's Call, not Anonymous Coward), or even I think about the outcome, they asked the question to those that would be affected by the change. It was the contention that this was the wrong set of people to ask, and I have to ask, if not the people affected, then who should be asked?


    -- Keith Moore
  • Just to be fair, Verant did a poll of their users, and 85% said they had no problem with the scan. (Probably, like me they don't want Everquest to become the next Diablo, where 95% of the players are cheaters, and the game becomes unplayable).

    DESPITE this, they backed down, and the CTO put a letter on the eqnews that stated that it's just not a good idea, they made a mistake and were overzealous in protecting against cheaters.

    I'm just waiting for the expansion pack, and could care less.... more EverCrack, more, MORE, MORE!!!! (Asheron's... shiver).

    -- Keith Moore
  • Over 80 people have been banned from EverCrack due to being caught based on logging. (too much dmg done, etc). This has kept the cheating to almost nil at this point, and will probably continue to do so. This new breed of cheaters are extracting information out of the datafiles to gather extra information that is normally impossible to get, and using that information to gain advantages over other players. These are generally people who just aren't good enough to play normally.

    They have a lot of anti-cheating code (the patch program DOES monitor their own executable and data files), and I'm very glad that they have succeeded. I have been able to play for over 8 months without having a problem with cheaters, unlike Diablo, and Quake, and others.

    When you logon to EverCrack you automatically get the latest version of the software, and optionally any new zones which have come out. (you just can't go there until you download it, but you can download it at your leasure during the day while you sleep, getting ready to play again that night. hehe).


    -- Keith Moore
  • Let me get this straight. The USERS of EverCrack, the only ones affected by the scan, are not the proper group to poll? Who should we ask? AC Users? They aren't affected, People who don't play games? They aren't affected by the ECrack scan. Hmm.... how is it irrelavent?

    They were changing the future EULA, and EverCrack has been very forward about telling us of any changes to the software, including warning us about this proposed change. Quite honestly, if MS had come up with this idea, they would have just implemented it, not open it for discussion. (MS Update anyone?).

    -- Keith Moore
  • Before you go completely crazy, you better realize that some things happen just because they are using some of the internet libraries from MS. Their code is a bit brute-force at times, and checks internet-related things even if you didn't code anything in to do it.

    -- Keith Moore
  • If you played Diablo you would know. Once there are a few cheaters, some of the legit players start leaving, after a while, the majority are cheaters, and you can't play the game as a standard player without dieing a lot. (True, PvP is an option on EQ, but what if there was a hack around that?)

    Also, what if you are trying to get a rare spawn, he finally spawns and some cheater casts a single spell doing 15000 dmg, and takes the item you were waiting for? Verant has done a lot to protect against KSing, but that all that code would be useless at that point. Not to mention the cheaters will really screw up the spawn rates.

    -- Keith Moore
  • Unless, of course someone who doesn't like you makes an anonymous call to child protective services, or the ATF. Then you're just screwed.


    -- Keith Moore
  • Okay, I'm an EQ player, (soon to be going into a 12-step program no doubt) and I can tell you that I think Verant was justified in their move to prevent this. Being a player in a zone with the arrogant "k3wl d00dz" is just plain *annoying*. It's bad enough when they shout their drek to the zone and harass people just to prove they are "133t". Having to deal with them "0wning" the zone by knowing the locations of spawns, hitpoints, and experience would be unbearable.

    Now don't get me wrong. I *DO NOT* want Verant to do a nice slow scan of my hard drive to find all of my nice security utilities. But looking at my task list before I log on? They should let us know that they're doing it (in a dialog or something) and give us a chance to log off first, but overall I'm fine with that. Hell, I'll email em my task list if they want. If I can actually sit down after work for a few hours and enjoy my latest addiction without being harassed by teenagers with inferiority complexes, I'll give em my measurements and shoe size for Pete's sake.

    The issue here is *NOT* that I want Big Brother snooping everywhere. Down with the RIAA, MPAA, UCITA, and all the other acronyms! The issue is simply that it's just a game. A game that *I* (along with just about every other customer of Verant) want to sit and enjoy in peace. We signed a contract. We're paying for this. We should get to have fun. That's key.

    -Militant Elf (A PFY for a BOFH)
    andrew-galvan@sos.uiowa.edu
    (remove the sos for deliverable mail)

  • Because... Consumer = Citizen = The majority.
    "Corporations" and other 'legal entities' are secondary to the Citizen (or at least, should be).

    People do not exist to do what companies want, companies exist to do what people want.
  • Invading your privacy to catch the occaisional cheater is OK ??

    What was it that an old German preacher said ??

    "First they came for the Communists, but I wasn't a Communist, and said nothing.

    Then they came for the Trade Unionists, but I wasn't a Trade Unionist, and said nothing.

    By the time they came for me, there was nobody left to say anything. . . "

  • Please educate yourself before you start spewing Verant falsehoods:

    the entire thread is at:

    http://www.hackersquest.gomp.ch/ubb/Forum1/HTML/ 000347.html

    here is an exceprt from the lead post by "orionX"...

    I have a program that monitors all file disk activity done through the windows kernel. When I read the new patch message, this peaked my curiosity and had to check what EQ was doing. They going to scan me, I'm going to see what, well some of it anyway

    Heres some odd lines.. I don't know much about this sort of thing, but maybe the more experienced can make something out of it. Of course it just might be crap that I'm making a big deal over when its nothing, but here goes

    I added a * and how many lines I saw in a row for the certain command for when I saw many of the same line in a row. I did this so I didn't spam as much as I already am =)

    Note: Some of the offsets/lengths changed for each of the consecutive read/seek commands but i didn't post the differences.

    Eqgame FindOpen D:\EVERQUEST\MEMORY.TXT NOTFOUND
    Eqgame Delete D:\EVERQUEST\MEMORY.TXT NOTFOUND

    eq trying to dump memory contents to a text file then delete it? no biggie here if it is

    Here comes the stuff that made me decide to post...

    Eqgame Attributes C:\WINDOWS\TEMPORARY INTERNET FILES SUCCESS GetAttributes *4 lines of this

    Eqgame Attributes C:\WINDOWS\TEMPORARY INTERNET FILES\DESKTOP.INI SUCCESS GetAttributes

    Eqgame Attributes C:\WINDOWS\COOKIES SUCCESS GetAttributes *2 lines

    Eqgame Attributes C:\WINDOWS\HISTORY SUCCESS GetAttributes *5 lines

    Eqgame Attributes C:\WINDOWS\HISTORY\DESKTOP.INI SUCCESS GetAttributes

    Eqgame Attributes C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5 SUCCESS GetAttributes

    Eqgame Attributes C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5 SUCCESS GetAttributes *3 lines

    Eqgame Open C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\INDEX.DAT SUCCESS CREATENEW OPENEXISTING READWRITE DENYNONE

    Eqgame Seek C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\INDEX.DAT SUCCESS Beginning Offset: 0 / New offset: 0 *3 lines

    Eqgame Close C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\INDEX.DAT SUCCESS CLOSE_FINAL

    Eqgame Open C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\INDEX.DAT SUCCESS CREATENEW OPENEXISTING READWRITE DENYNONE

    Eqgame Seek C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\INDEX.DAT SUCCESS Beginning Offset: 0 / New offset: 0 *3 lines

    Eqgame Attributes C:\WINDOWS\COOKIES SUCCESS GetAttributes

    Eqgame Attributes C:\WINDOWS\COOKIES SUCCESS GetAttributes *3 lines

    Eqgame Open C:\WINDOWS\COOKIES\INDEX.DAT SUCCESS CREATENEW OPENEXISTING READWRITE DENYNONE

    Eqgame Attributes C:\WINDOWS\COOKIES\INDEX.DAT SUCCESS Set Modify

    Eqgame Seek C:\WINDOWS\COOKIES\INDEX.DAT SUCCESS Beginning Offset: 0 / New offset: 0 *3 lines

    Eqgame Close C:\WINDOWS\COOKIES\INDEX.DAT SUCCESS CLOSE_FINAL

    Eqgame Open C:\WINDOWS\COOKIES\INDEX.DAT SUCCESS CREATENEW OPENEXISTING READWRITE ENYNONE

    Eqgame Attributes C:\WINDOWS\HISTORY\HISTORY.IE5 SUCCESS GetAttributes *3 lines

    Eqgame Open C:\WINDOWS\HISTORY\HISTORY.IE5\INDEX.DAT SUCCESS CREATENEW OPENEXISTING READWRITE DENYNONE

    Eqgame Attributes C:\WINDOWS\HISTORY\HISTORY.IE5\INDEX.DAT SUCCESS Set Modify

    Eqgame Seek C:\WINDOWS\HISTORY\HISTORY.IE5\INDEX.DAT SUCCESS Beginning Offset: 0 / New offset: 0 *3 lines

    Eqgame Close C:\WINDOWS\HISTORY\HISTORY.IE5\INDEX.DAT SUCCESS CLOSE_FINAL

    Eqgame Open C:\WINDOWS\HISTORY\HISTORY.IE5\INDEX.DAT SUCCESS CREATENEW OPENEXISTING READWRITE DENYNONE

    Eqgame Seek C:\WINDOWS\HISTORY\HISTORY.IE5 INDEX.DAT SUCCESS Beginning Offset: 0 / New offset: 0 *3 lines

    Eqgame Read C:\WINDOWS\HISTORY\HISTORY.IE5\INDEX.DAT SUCCESS Offset: 0 Length: 0 **20 LINES!!!

    Eqgame Attributes C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5 SUCCESS GetAttributes *3 lines

    Eqgame Attributes C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\DESKTOP.INI SUCCESS GetAttributes

    Eqgame Attributes C:\WINDOWS\HISTORY\HISTORY.IE5 SUCCESS GetAttributes *3 lines

    Eqgame Attributes C:\WINDOWS\HISTORY\HISTORY.IE5\DESKTOP.INI SUCCESS GetAttributes

    Eqgame Seek C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\INDEX.DAT SUCCESS Beginning Offset: 0 / New offset: 0 *9 lines

    then RIGHT after those

    Eqgame Read C:\WINDOWS\SYSTEM\RASAPI32.DLL SUCCESS Offset: 131072 Length: 4096 *2 lines

    Eqgame Read C:\WINDOWS\SYSTEM\TAPI32.DLL SUCCESS Offset: 106496 Length: 4096 - 2 lines

    then randomly later on I keep seeing 3 lines of this here and there:

    Eqgame Seek C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\INDEX.DAT SUCCESS Beginning Offset: 0 / New offset: 0

    EQ reading internet history and cookie files?! Whats up with that? If theres some useful info for an Internet game in the history/cookie folders then say it here, however tiny.. I dont want to start something huge, because this might mean nothng.

    I use microslop IE explorer 5 if you didn't notice. Didn't try this with netscrape yet.

    I started the file monitor right before I clicked the EULA agree button.

  • But now these online ignroant lumps give all that up because they have no values other than "get me my next l33t level in this game".

    What kind of bullshit is this??? What you're doing is equating allowing a person into my house with allowing the [three letter agency of choice here] to install wire taps and surveilance cameras in the same?

    I'm as much for privacy as the next guy, but you're committing the typical 'slippery slope' logical fallacy of assuming that innocent action A will lead to dubious action B will lead to totalitarian mind-control facist government state Z at some point in the future. There are costs and benefits associated with every action, and in some cases the benefits outweigh the costs, depending. Online gaming is a great source of pleasure for a lot of people, providing fun and entertainment... if some fuckwit script kiddie downloads some tool that gives him unfair advantages over the rest of the online gaming community, this diminishes the sense of accomplishment for all the players that spent lots of time building up their characters through hard work and perseverance, which could in turn cause them to stop playing/let others know it's not a good game, which in turn again affects the bottom line of the company which looks at players as an income stream. The players were asked about this and a large majority agreed with the company. Just because I have the constitutional right to bear arms doesn't mean I have to go out and buy myself a 12-gauge or whatever, it's my decision whether or not I need to exercise those rights, and the same applies in this situation.

    Having said that, I also have to note that this was probably not the ideal situation, and that something more akin to provding a more secure client/server channel would be a more optimal solution to the problem and hopefully one that will be given considertion by Verant. The problem is that as long as the 'cheating' remains unaddressed, the customers will be less satisfied and demand solutions, and implementing a secure communications protocol, including testing and debugging and optimization takes time, time during which there will be much bitching and moaning.

    Anyways, to summarize, don't equate something petty like this with the End of Freedom In America, save your ire for something that's actually worth getting upset about.

    ----
    Dave
    Purity Of Essence
  • by Anonymous Coward
    But Slashdot was cracked, would they tell us anymore? Most cracked companies often meet crackers demands rather than risk the public knowing they were cracked. Now that Slashdot is within Andover.net, there's the stockholders interests to consider first. The truth be damned.
  • by Anonymous Coward
    As an avid player of Everquest, I think Verant are justified in searching player's hard disks for hacking tools. People who do not have the hacking tools have nothing to hide, and the idiots who do possess these hacking tools deserve to be banned from playing the game.

    There's a time and a place for hysteria over invasions of privacy, but this isn't it folks. Verant were simply trying to prevent idiots and script kiddies from spoiling the game for legitimate players. Because of knee-jerk reactions from online-privacy zealots, the online game is going to be ruined for everyone.

  • by Anonymous Coward
    They were not scanning peoples hard drives, email, cookies etc. What they were doing was looking to see if you were running a process that they could ID as a hack program. While I am not entirely comfortable with that I must admit that given the state of the art it is the only way to curb blatant cheating. Cheating ruins most any game, but many insist on cheating and ruining others fun. If you don't mind people cheating I will be happy to play a little poker with you. With my special glasses and marked deck. Or if you wan to play monopoly I get to be banker.
  • You just have to make the right decisions on what you're sending that client. To quote Designer Dragon (original lead designer of Ultima Online): "Never put anything in the client. The client is in the hands of the enemy."

    Zipwow's first corollary to that: "Never send anything to the client that you don't want them to know."

    Why is the server sending the mob's hp and level to the client? If you're willing to spend the processes for it, you could also not send mob information about mobs that aren't currently visible to the client.

    Its a harder job, but its possible, and it keeps you honest.
  • > but as much as /. likes to bash Microsoft, at
    > least MS can be assured to have considered
    > cryptographic protections.

    > Sure, they rejected 'em, but still

    Cheap shot. (Yeah, I'm responding to my own post. I'm that wrong.)

    Microsoft actually has done quite a bit of work with their Authenticode system giving people a means of digitally verify their code, with a CA(Certificate Authority) backing up that signature. The keys are "only" 512 bit RSA, but that *will* stop the script kiddies.

    I guess I was just expressing my annoyance that nothing's been done to handle login scripts--I've got to worry about every single desktop on campus going down to a single eight character password on our IT director's desktop because of it. Really, when it comes to validating executable content, MS has done quite a bit of good work in this regard that hasn't particularly been matched elsewhere(is there a way to sign ELF files in-band? What about RPMs, with a CA?)

    Gotta remember, MS may have its technical flaws, but they do pull off some good stuff. It's their business department that's evil :-)

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com
  • > I dunno what cryptosystem you're talking about
    > here, but this, in general, is not true... think
    > about Diffie-Hellman signatures - you sign with
    > a public key and verify with a private.

    I'm a bit rusty on the math(and late for class!), but if x and y are made public, it's always trivial to find g^xy mod n. However, when g^xy mod n is made public, it's exceedingly difficult to find x and y.

    Incidentally, you don't have signatures with DH--El Gamel is the PK variant system.

    Yes, I KNOW I mucked up the math. But what I basically did was say, "OK, I'll keep the public key under wraps and anyone who can encode a message using it can issue a command to these n machine." Unfortunately, if you took control of one of those n machines and reversed the private EL Gamel key, you could then turn around and issue command to the other n-1 boxes.

    Critical failure. Yeouch.

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com
  • > It doesn't matter if the program is 100%
    > genuine Bogosoft code, if Bogosoft have added
    > in code to upload your netscape history file to
    > find out what you're browsing.

    > While authentication is important, much more
    > important is the ability to restrict programs
    > from doing undeseriable things. If you don't
    > want a program from sending your registration
    > information without asking, you should be able
    > to lock that up so it can't.

    This is essentially the trust assignment problem that you describe--you *do* trust a program to execute a function, but you *don't* trust it not to execute some other function. How do you isolate?

    There's been some pretty effective sandboxing tools hacked together, but Microsoft and a couple thousand Slashdotters agree: Accountability dramatically reduces abuse, be it in privacy violation or in the WAVE program(but I repeat myself).

    The concept--and it ain't a bad one--is Bogosoft won't last long under attack from a very pissed off FTC. Will ya look at that, it's an election year...

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com
  • My point exactly! (except for the load of crap comment) There are those that would call what your friend did cheating (with a negative connotation), simply because a player obtained a massive advantage due to exploiting something the creator of the game did not consider. There are those that whine "You're ruining the game for those that want to play!" They're only ruining it for the sheep. These sorts of cheaters have just as much right to play, in their own way, as everyone else does.

    Concerning inventory duplicators, etc., I still consider those innovative. Not the actual running of one that someone else created (script kiddie style). Actually hacking the binary and/or protocol and using all your skills to determine how to get what you want is just an alternative way of playing the same game.

    logan

  • When a game is so crude that all that is required to advance is to hold down a key, you'd be an idiot to actually sit there and hold down the key yourself. But a program to run on top of the client and do things for you? Brilliant! If something is so easy yet tedious to do that it's easier to write a computer program to do it, why not write a computer program to do it? That's the whole point of tools. The ethical cheater will choose the tool that will best get the job done.

    Your analogy to a football game is a poor one. Football is more of a test of athletic ability than mental ability. The shotgun is a physical threat and action that allows one to bypass one's opponents. I suppose my cheating rhetoric only applies to less athletic games, I suppose. A good cheat is the application of mental skill to bypass arbitrary obstacles imposed by the structure of the game itself, not your opponents.

    logan

  • It's the second major-market title in the MMORPG genre started by Ultima Online.

    I know this is tangential to the topic at hand, but neither Ultima Online nor Everquest "started" the MMORPG genre. They aren't even the first graphical MMORPGs.

    Between 1993 and 1997, subscribers to online giant CIS and a little online system called AOL could play a text based, for profit, fantasy MMORPG called Gemstone III [gemstone.net]. After going flat-rate, AOL dumped it because far too many users connected for far too long to play Gemstone. Now Gemstone III players get along quite happily connecting directly via the internet. As far as I know, these were the first for-fee MMORPGs employing "gamemasters" to maintain the code, servers, and portray NPCs for the players. But there could have been even earlier ones, considering all the MU*s and MO*s out there... However, it was definitely the first to hit 1,000 simultaneously connected players. I was there. (And I was disgusted... I started playing when 30 players online was a huge crowd.)

    Simutronics [play.net], the company who ran Gemstone, also offered several other games, all connected via gateways to several major online services. They're all still up and running, and quite fun, if you can harness enough of your imagination to abandon all the pretty graphics.

    Then there was AOL's Neverwinter Nights [gamewolf.com]. (Okay, it wasn't AOL's - they just hosted it.) I know little about this game, except it looked very similar to SSI's old Pools of Radiance series of single-player games, and it was multiplayer, and graphical... and offered no client for my platform at the time. (If someone knows more about the old NWN, please chime in.) Of course, if you've been paying attention at all for the past 10 months, you know that NWN will soon be reborn as the first networked virtual tabletop-style roleplaying environment [bioware.com].

    Although I'm sure most players of EverQuest and Ultima Online have never heard of Gemstone or DragonRealms, and believe Neverwinter Nights is a brand-new title, the only innovations in these games are the pretty graphics, and perhaps some interesting server-side hacks... but the genre is an old one.

  • Where does it end?

    You should be ashamed of yourself for having so little concern about your own privacy. Since you have no problem allowing Verant to search your hard drive remotely, lets see how far you will go...

    Would you agree to allow Verant to send people to search your computer in person?

    Would you allow them to search your home for books and tools related to reverse engineering?

    Would you allow them to search through a record of your recent purchases (looking for hacking-related products)?

    Silly, you say, but once you start down that path, you can say goodbye to any privacy you think you have.
    ________________________________
  • And once you've gotten used to how UNREALISTIC and horribly coded it is, you'll get frustrated and decide to kill yourself in real life. Oh yeah, sign me UP!


    Bad Mojo
  • >What I'm getting at is, most people who object to ShowEQ (and the rest of the suite) and agreed to HD scanning feel so strongly about online cheating that they'll give up their HD's privacy for an equal chance at EverQuest

    And, IMHO, thats what is so scary - we are bringing up a generation that has no concept of the importance of the fundamental freedoms that they take for granted - and blithely give them up!

    Its getting so bad anymore, that Im wondering if those militia loons arent at least partly right when they start slinging around quotes like "those who would give up freedom for safety will neither achieve nor deserve either" (paraphrased from Ben Franklin, I believe).

    First its "bad things" like cigatettes, then the "war on (some) drugs", then priavte guns (ask Amadou Diallo's widow about the police guns). Now its privacy on the chopping block - how long until the freedoms of speech and expression are given up one slice at a time "for our own good" to a police state?

    Its damned scary - generations of soldiers gave up normal life to preserve those rights, civil libertarians have stood up and put thier necks out, and even hackers have contributed [by providing the tools to set information free and preserve basic anonymity --Thanks Whitfield Diffie and Phill Zimmereman!].

    But now these online ignroant lumps give all that up because they have no values other than "get me my next l33t level in this game".

    "EverCrack" indeed!
  • Heh - you want to see their "encryption/decryption" routine? Its laughable!

    their key is a 32bit unsigned int

    Their algorithm is something like the following in a semi-C layout:

    decode (uint *data, uint bufferlen, uint globalkey)

    tempKey = globalKey
    uint reg1, reg2
    uint shift1, shift2, add
    uint blen = bufferlen/sizeof(uint)

    for(int i=0; iblen, i++)
    {
    reg1 = *data
    reg1 = reg1 + tempkey
    reg2 = reg1 shift2
    reg1 = (reg2 | (reg1 shift1)) + add
    *data = reg1 // set data at this point
    reg1 = reg1 shift1
    tempkey = tempkey + reg1 + add
    data++;
    }

    Im not sure I have the sequencing right and the shifts may vary, but thats it.

    How would you break something like this?

  • wow, I didn't realize questioning the ultimate power of money was flamebait. Welcome to the post IPO /.

    --
  • ... kinda like the problem with playing Quake online... The levels are completely unimaginative, and it comes down to ping speed & hardware to decide the winner. Adding things like LIMITED weapons, ammo & powerups would require people to conserve their ammo and to play strategically, rather than switching over to rocket launcher, putting it on autorun and holding down their fire button.

    This is why I switched to playing ActionQuake instead of standard Quake II. Who needs 90% of the map to be engulfed in rocket or grenade explosions at any given time.

  • This is essentially the trust assignment problem that you describe--you *do* trust a program to execute a function, but you *don't* trust it not to execute some other function. How do you isolate?

    By effective sandboxing, data tainting and appropriate logging of actions attempted. Something which is totally missing in Microsoft products, but is available in more secure OSs, such as those which have B & A level certification.

    A few years ago, it seemed to me to be silly to have OS level protection to prevent data from being exported from the system, but as time goes on, it seems more and more reasonable. I guess in earlier times, it seemed silly to have file permissions, if you were logged onto the system you must have had the rights to access the data, right? The concept--and it ain't a bad one--is Bogosoft won't last long under attack from a very pissed off FTC. Will ya look at that, it's an election year...

    Has there ever been any action taken against any company for privacy violations except by consumer's objecting and boycotting?

    Both eTrust and the various legal bodies such as the FTC seem to be useless. If a big company wants to collect your browser habits, your hardware or anything else it feels like, then no-one seems to want to stop them except their users.

  • Microsoft actually has done quite a bit of work with their Authenticode system giving people a means of digitally verify their code, with a CA(Certificate Authority) backing up that signature. The keys are "only" 512 bit RSA, but that *will* stop the script kiddies.

    Unfortunatly, this isn't terribly useful.

    The programs which are causing problems aren't generally altered versions of authentic releases, they're features added by the authors which do things which the user doesn't want them to do.

    It doesn't matter if the program is 100% genuine Bogosoft code, if Bogosoft have added in code to upload your netscape history file to find out what you're browsing.

    While authentication is important, much more important is the ability to restrict programs from doing undeseriable things. If you don't want a program from sending your registration information without asking, you should be able to lock that up so it can't.

  • Well, I have to say that it would suck to play a game where I was getting left behind by a bunch of guys who were running cheat programs. I'm just not a real super competative person, and when I do an RPG, I like cool stories and a group of clever and cooperative people in my party, not some gugn-ho I-have-the-most-frags ego trip. Other people like competitive things and have fun backstabbing each other. If I have read my everquest FAQs correctly, (I am not playing yet till my new hardware arrives) there are servers dedicated to competitive play where bodies can be looted and so forth, and others devoted to cooperative play.

    So, why not take that a step further? Some people prize privacy above all else, while others are more interested in keeping playability and enjoyability maximized. Is there any reason that Verant can't set up some servers that scan for 'foriegn objects in the ring' and others that leave everyone on the honor system?

    That way we can decide on an individual basis wether to submit to these scans, rather than having a few privacy advocates or corporate goons dictating the One True Way to run the game. After all, no one person can always understand what I want from the gaming experience or what my privacy needs are.

    Except possibly me.
  • Yeah they messed up from the inception of the game apparently.
    If you design an online game, you can BET 3 things will happen..
    1. People will try to spoof the server with hacked packets.
    2. People will tinker with whatever files you leave on their hard drives, hoping to find a kink in the armor.
    3. People will sniff the packets you send them, hoping to glean a little extra info.

    This is BASIC stuff folks, and it sounds like they didn't even consider it from the outset. Now they're trying to cover their own inept engineering by blaming it on the players.

    All they needed to do is talk to a few MUD administrators. Any one of us could have told them that some players will do ANYTHING to gain an advantage. We deal with it by plugging the holes, not by blaming the players. Its their JOB to poke at the code to find the holes.

  • What they wanted to get stop was ShowEQ which is a basic packet sniffer to give a radar of the current game world.

    The problem is that ShowEQ is orginally programmed to run on a second Linux box with a Windows box running the EQ client/game. There is Windows version but this would not have stopped ShowEQ usage. It just would have given more advanced users a bigger unfair advantage. The change in the EULA wouldn't have helped unless they were going to scan every machine on a local lan.

    Perhaps they should have started by not send so much information in their transmissions. Its called better programming.
  • Sorry, you're a bit wrong on that. The changes actually effected people in-game: spells took longer to cast, heals didn't heal as much, and so forth.

    It wasn't just the *evil, nasty hackers* that were hit by the "april fools joke". Anyone who played on the test server was hit.
  • precentable?
    Couldn't you create say a random mirror image of a "clean" hd each time a call was made from the program to look at the hd?
  • Sounds like they need to fix the protocol - if you treat every client as potentially malicious, then the only data that client should be allowed receive or know about is data that the user would normally be allowed full access to anyway (not to mention that all data being received from the client should be checked very carefully for reasonableness).

    I guess with the slow bandwidth issues, it might turn out to be almost impossible to implement certain kinds of effects w/o some cooperative processing from the client.
  • If their management is anything like the ones where I work, I'd say it was probably a management call.

    Maybe if they port it to Linux one day (And I get my @#!@#% AGP working on my biostar athlon motherboard) I'll check it out. *shrug*

  • It's too bad that so many games like this rely on security through obscurity as to their protocols (witness the massive cheating on Quake now that it's GPLed). Which means it won't ever be possible to say, create a GPLed client for Ultima Online (at least not without destroying the game with cheaters). Of course the problems of a secure exchange protocol isn't good either (higher overhead, more complexity, etc).

    It's also too bad that people feel the need to cheat at something that's supposed to just be a game you play for fun, but that's another story, I suppose.

    But scanning peoples hard drives doesn't seem like a very good solution to me. In fact doing it for something that is, in the long run, completely trivial makes me nervous.
  • Sorry to say but I am not a 'sheep' or a 'weak and obedient ass'. Yes, I play EQ. Yes, I told them it is ok to scan the computer. Why? Because I'm smart and know how to defend myself. Because I went out into the world, learned my computer skills, and now make enough money to have a seperate computer just for game playing. Scan it all you want - you won't find any useful info there. Corporations have been trying from day one to control their customers and get as much money as they can. They use legal power to protect it. The have closed door meetings that result in less than ethical decisions. You can scream and cry all you want but it's not going away. The only way to deal with it is to go around it. And that's what I did - two computers. And don't give me some weak kneed "What about all those people that can't afford two computers? Huh?" They are on their own. I'm willing to teach people but I won't do the work for them. Suvival of the fittest. You can't change the system - learn how it works and navigate around in it.
  • You're beginning to get into the issue of cheats vs. exploits. There is a world of a difference. Your friend's boat trick was an exploit of an existing (albeit unintentional) "feature" in the system. These undocumented features happen all the time, especially in the more complex games out there. I believe that in general, as long as a game allows something, it's fair game.

    Cheats, on the other hand, involve some kind of external manipulation or modification of the game. I don't think this should be allowed, as it tends to create an uneven playing field. In the case of exploits, anyone who is clever enough to figure out the exploit (or knows about the exploit through word of mouth) can take advantage; in the case of cheats, only those who are willing to download and install the latest unauthorized hack can gain the upper hand.

    One gray area comes to mind: "cheat codes". Although cheat codes are built into the game, and might thus technically be considered exploits, I don't think they should be used -- unless all participants are aware that the codes are available and can be used, and all participants want the codes available.

    Should "cheat codes" be considered exploits or cheats? Well, consider their origin. In most cases, they are simply debugging aids that are left in the final game out of laziness -- or just for the hell of it.

    Cheat codes are intended to be used for debugging, and not during actual gameplay; they can be seen as "external" to the game itself. In this light, a "cheat code" is really nothing more than a "trainer" that happens to be conveniently built into the game. This puts cheat codes squarely in the category of "cheats". In my book, cheats are almost always something to stay away from -- if only because they tend to ruin the fun.
  • I didn't write the AC post earlier, but since you completely ignored what they wrote, I'll quote it again for you:

    "current everquest users. the users
    who dont mind having their hard
    drives being raped. the people
    who care about their privacy left
    already."

    Try reading the post next time before getting all indignant. He was simply stating that USERS who cared about privacy had left already. I'd say that was a pretty valid argument, wouldn't you?

  • Unbelievable It is absolutely unbelievable as I read most of these post that they are talking about keeping cheaters out of the game. I think the heart of the matter is that a company is wanting to scan your hard drive as a condition for installing there software. I think this is the central issue. If one company can start a trend, who will be next to try this tactic. I'll assume that we were lucky this time because the program asked if it could do the scan. Remember when Microsoft was accused of scanning a persons hard drive as part of the registration process and sending back information about their files. Consider that as part of using an mp3 player that it had to scan the pc for unlicensed songs and report the person to the RIAA?
  • I think Verant are justified in searching player's hard disks for hacking tools. People who do not have the hacking tools have nothing to hide

    No, they are not justified. I play EQ as well. I don't use the cheats and I hadn't really heard of them till this debacle. I don't know what Verant is looking for and I don't give them permission to go through my system. Would a company try to abuse my rights with this? Of course. They should make a client that makes it pretty damn hard to create a hack for. Scanning people's hard drives for cracks that are going to change all the time will do nothing.

    There's a time and a place for hysteria over invasions of privacy, but this isn't it folks. Verant were simply trying to prevent idiots and script kiddies from spoiling the game for legitimate players.

    The ends do not justify the means. I don't see the game getting ruined by cheaters. I see the game getting ruined by the fact that you are only as good as your equipment, and that there are not enough things to fight for a large number of players resulting in people waiting for hours on end for something to fight, or just logging off out of frustration.
    Molog

    So Linus, what are we doing tonight?

  • I didn't think I needed to explain that, it being quite obvious. The point I was making is that it seems to work very well and very fast in the case of online privacy. This is not necessarily the case when considering other issues such as quality of goods from certain large consumer goods and services companies.

    The reason for this is probably twofold.

    1. The community of users is much more reactive than the communities that represent consumers of other goods and services provided by major corporations, and is therefore prepared to make a loud fuss, in a semi-concerted way, and to use their buying decision collectively to hurt large corporations in the short term.

    2. There are a large number of alternative suppliers of internet-related services, and given point 1, they have noticed that they can steal market share from competitors quite fast if they can stylize themselves as the "supplier that respects your privacy".

    Another point is that companies do not exist to do what people want. Companies exist to maximize shareholder value, and in a perfect free market where Adam Smith's "Invisible hand" works as it should, that equates to supplying the goods and services in a competitive and efficient manner, such that consumers needs are satisfied to the maximum extent that they can be given limited resources. Market failure (monopoly power, certain types of goods, "non-rational" behaviour etc) means that this sometimes fails to happen, which is the economists' argument for government intervention. If companies existed solely to do what people want, we wouldn't need to call them to order like this all the time.

  • #1 They did NOT ask their entire customer base. They asked less than 10% of it and then at a time when adults were offline.

    #2 The have been far less than admirable about this. Publicly insulting people who raised privacy concerns.

    I've said it before and I'll say it again: They over reached. Instead of saying we were wrong they say "A bunch of hackers, crackers and paranoids caused us to change our mind"
  • The Quake crowd hit this problem when their client went open-source. This was discussed on Slashdot then, and that discussion covers the game design issues better.
  • Verant has stated that they routinely patch their servers and the client program to try to prevent cheat programs from working. They merely thought about scanning for certain executibles to make their job a little bit easier. They thought it over, put the question to their playerbase, listened, and agreed with the well thought-out arguments of the minority. That is what brought out Verant's about face on the issue. Figure of the 15% that voted against it, 2/3 actually responded, and half of that was not flame. That would mean that Verant chose to listen to only 5% of their playerbase and found those arguments enlightned enough to change their minds. That is how the net is suppose to work, not by mindless boycots but by intelligent conversation. BTW, I was part of the 85% that had no problem with it.
  • Some atheletes cheat by taking steroids.

    In higher level competition, their bags are examined, they give urine and sometimes blood samples.

    This isn't a violation of privacy since the atheletes are *informed* that they will be held under scrutiny.

    Obviously the comparison between professional level sports and an online game isn't perfectly natural.

    What about a user moderation feature? People who obviously abuse the system can be labelled as such. They are free to play the game, just not with people who don't want to cheat.

    Hmmm, the implementation would be difficult, and it would take a critical mass of players who moderated fairly (IE, not labelling someone a cheater just because they don't get along).

    Just my ramblings...

    Greg

  • Rather than searching the users HDDs for programs that allow you to cheat, wouldn't it be easier to either patch the servers to not allow the cheats or patch the program.

    Blizard did that alot with Starcraft and their Battle.net servers. Every time a new hack/cheat came out for Starcraft, they patched the program and any user than wanted to use their servers had to have the latest version to play online. It won't completely protect you from cheaters, but it's not an invasion of privacy...

    kwsNI

  • Yes it is just a game, and I would of dropped it in a heart beat if they went through with the scanning my HD plan.
    I just wanted to say there is , in reality, very little competition in EQ. Many people have a precieved competition, I know I did for a while. There is, rarely, any race for anything. If you don't get something today, it will be there tomorrow.
    Yes, there can be a group of people that want to be competitive with each other, and thats fine, but it doesn't effect other players.
    My point is, someone can come out with a cheat tomorrow that allowed ont ot be lvl 50(current max,kinda) have a 200 in every skill, and give them a googleplex of money. That won't effect my playing at all.
  • I would reason that most of the people who voted "yes" on that poll were more concerned about gameplay than their own privacy.

    My younger brother, who plays EQ and Asheron's Call and others, frequently belts out long rants about how irritating these "mini-hacks" are to him. He considers them cheating.

    What I'm getting at is, most people who object to ShowEQ (and the rest of the suite) and agreed to HD scanning feel so strongly about online cheating that they'll give up their HD's privacy for an equal chance at EverQuest.

    ***JUMP PAD ACTIVATION INITIATION START***
    ***TRANSPORT WHEN READY***

  • "All it does is lets you see the REAL numbers behind the game that Verant tries to hide with handwaving and frantic knees-bent running about behavior." It DOES allow the user of ShowEQ to cheat, although its users have come up with a surprising number of rationalizations to say otherwise. For example, if a rare monsters spawns across the map, you'll be the first to know. And is that tough mob holding a great piece of rare loot, or just a couple copper? It'll tell you that too. As a matter of fact, Verant has had some success banning ShowEQ users based solely on observing for their behavior. A guy who was just standing around suddenly heads off in a beeline for that newly spawned will-o-wisp that just happens to have great loot. It IS cheating-- keep that in mind, and we can attempt to have a rational discussion.
  • Quoth the poster:
    And so now, the corporations and the government want to force manufacturers to build surveillance into technology, all but eliminating another basic right of privacy.
    That's something that gets my dander up. It's not that I'm opposed to surveillance being possible per se ... there can be legitimate reasons. But it shouldn't be easy, and we shouldn't have to do the work for them.

    Example: The NSA should invest in codebreaking technology. It's part of their mandate. But we shouldn't have to hand over keys, to obviate the need for the codebreaking tech.

  • ...some companies have little or no compunction about what basically is illegal wietapping until there is a substantial base of uproar amongst those who use their product?

    For instance: yesterday on NPR [npr.org](scroll down for RA of story) there was a story on Internet privacy and it featured a new piece of software (name escapes me now) that basically configured your browser to run through a proxy server so that all your traffic could be scanned. Why this software company is still in business after effectifely instituting a wire tap (just on digital information on port 80), I don't know. Though, their EULA does mention that your traffic will be monitored, I can't believe that people actually use their software.

    This goes way beyond using cookies to track usage (hell, we have Neillson ratings for TV that do something very similar). I applaud the efforts of the userbase of Verant of taking notice and effecting change through economical means. Now, if only everyone would not use invasive products, all companies with invasive software would go out of business.

  • Those of you who don't play EQ might not be fully aware of the entire situation. You're probably relying on second hand sources for your information. Maybe these copies of original messages on this matter by Verant management will help.

    First, here's a letter from Verant CEO John Smedley regarding the new policies and security checks announced. (From EQ Vault [ign.com])

    Ok. We put the poll in, and with roughly 15,000 people participating the poll came up with 83% of the people being fine with us running the check for cheating.

    DESPITE THIS POLL we have decided that it's the wrong thing to do. Enough people have convinced us that it's chipping away a little too much at people's privacy EVEN if they do consent for us to implement this policy.

    Therefore, the change to the EULA will read as follows:

    Solely for the purpose of patching and updating the Game, you hereby grant us permission to (i) upload Game file information from the Everquest directory and (ii) download Game files to you.

    Now, before anyone wonders exactly what this is, let me explain. Technically speaking we probably should have had this language in there from day one for you to consent us to even download new game files to you in the first place. We apologize for not realizing that we should have gotten this consent, but live and learn.

    We can admit when we make mistakes, and I believe this is a case where we owe an apology to our Player base. In our haste to try and thwart people from damaging the game we went overboard.

    There will be absolutely no scanning of anyone's computer for any reason other than the normal patching process (which won't do any sort of checking on what you have running).

    Regards,

    John Smedley
    President and CEO
    Verant Interactive, Inc.

    So to summarize, Verant apologized for their planned policy even though 83% of their player base supported it because they realized it was wrong to scan their computers. They even apologized for not stating previously in their UELA that they scanned and downloaded information to their users for patching (which all online games do).

    Here's a posting from the EverQuest Message Boards [sony.com] by Gordon Wrinn, the Verant Customer Service Rep, in reply to a comment by a player.

    [In Reply To: Scanning my tasklist for hack programs is not that big of a deal and if it gets rid of the hackers anyway, I say go for it. IMO it is not an invasion of privacy to do this. I give out more information, personal information, everytime I use my credit card at the store ]

    Unfortunately it is a case where paranoia ended up winning out. I think that we could definitely have done a better job explaining what it was we were doing, and that would have lead to a bit more buy-in. Instead, some people decided to make up reports that we were scanning directory trees (false), internet files (false), internet history (false), cookies (false), and email (false), and unfortunately many people believed them.

    The general paranoia resulted from the assumption that we (meaning: our servers) were actively collecting information from your system. This simply wasn't the case. The client simply would examine a small subset of information on your system, none of it containing information personally identifiable to a third party, and only send it to our server in the event that you were "running" an illegal program at the same time you ran EQ. We had absolutely no interest in what was installed on your system, only what you were running when you connected to ours.

    I think privacy is important as well, but I don't really care about what a piece of client software is doing on my system. I only care when that piece of client software is transmitting information from my system to an outside source. In this case, the only time any data transmission was to take place was when something bad was found by the client. There was to be no server-side analysis of raw data. I'm sure that most people would agree that we do have a right to insure that our software license is being complied with.

    In any case, I guess it's water under the bridge now. I'll blame Hollywood for all of the misunderstandings.

    -Gordon

    While I don't agree with all his views, I do see where he's coming from. His viewpoint reflects the majority of EQ players.

    Hope that cleared a few things up.

    "A person reveals his character by nothing so clearly as the joke he resents."

  • Do you suppose this guy plays as a Troll on Everquest as well? ;)
  • You could compare it with an anal probe. Some people are actually into that sort of thing... I just had no idea it was %80 of 'em.
    All I know is that I'll never be able to look at the other people on the bus the same way again. :-P

    ---
    Where can the word be found, where can the word resound? Not here, there is not enough silence.
  • There are two serious issues related to this thread. The first was the poorly worded addition to the EULA. The text (not sure if it's posted elsewhere on the thread) read:

    "You hereby grant us permission to download Game-related files to you. You also grant us permission to access, extract and upload (i) Game-related data as part of the patching process and (ii) data relating to any program that we, in our reasonable discretion, determine interferes with the proper operation of EverQuest.

    Now Mr. Smedley claimed that no hard disk scanning would be done but as you can tell from the wording just about anything is fair game.

    More disturbing is Mr. Smedley's admission that scanning and reporting was already being done. Supposedly only the task list was being scanned for an unknown list of running tasks and if one or more of them were running this information was reported back to Verant. This is disturbing because it clearly violates California Penal Code (section 502). (read the law here [ca.gov])

    Given the unauthorised scanning that took place before the proposed change to the EULA (which I think we all can agree that unilateral EULA changes are probably unenforceable, moreso than EULA's in general =), it was pretty hard to believe them.

    Verant is now in a position to be pursued for criminal prosecution and is also open for civil action according to 502. It will be interesting to watch this develop further.

  • People are bandying about that 83% approval as if it means something.

    a) That's 83% of the 15,000 who logged in while the poll was up. There are 200,000 active accounts.

    b) The poll was up during the day. That means they were polling children; the adults were all at work. It's pretty safe to say that most of those polled have no real appreciation of the implications of their ''yes'' answer.

    c) The poll did not even include the proposed EULA modification; it asked if people ''were comfortable with Verant scanning users' machines to find hacking programs'' That sounds a whole lot less objectionable than what the mod proposed.

    The very fact that they even considered such a move indicates that they have Lost It Completely. The fortress mentality has taken over.

  • by Logan ( 7529 ) <logan@vt.edu> on Thursday April 06, 2000 @03:40AM (#1148350)
    Some of us approach games from a less naive point of view. Rather than seeing them as the man expects us to (heh), we see a technical challenge. Games tend to define a goal, and game developers tend to encourage a single approach to achieving that goal. Cheaters approach a game from a more open viewpoint. In this regard cheaters are the innovators. Cheaters see that there is more than one way to achieve the stated goal. It is when script kiddies of the cheating world misuse these cheats that problems occur.

    logan

  • by Stiletto ( 12066 ) on Thursday April 06, 2000 @06:34AM (#1148351)
    Hey, I blew my top :)

    Perhaps "incompetant management" would be a better description. Being part of the computer industry I've seen many cases where the engineers and coders want to do "the right thing", but management decides that they should do "the lazy thing" because it costs less or takes less time.

    Latency is a part of internet games. It is and always will be. Giving clients extra information in an attempt to hide it is just asking for trouble. In general a game client really should just be a dumb terminal, periodically receiving state updates from a server, and never being trusted. The problem of client trust is way beyond the scope of this slashdot article, but for the purposes of a game, the basic idea is that "The Client Can Never Be Trusted".

    When you assume a client is trustworthy, for whatever reason (trying to reduce the appearance of lag) you open yourself up to cheating. This is a choice Verant made when they developed the game, and one they should now accept and deal with.
    ________________________________
  • by GoofyBoy ( 44399 ) on Thursday April 06, 2000 @03:56AM (#1148352) Journal
    >The scanner in question did NOT scan registry, HD, browser history, etc.

    But the change in the EULA would allow them to do this. With no legal restrictions, no matter what they said.

    >The Verant Management has maintained a very open line of communication with their customer base,

    Really? They had an "April Fools" joke recently which cause an outrage from its customers, mainly because they didn't TRUST Verant that it was a joke.

    >a mandatory poll of the users asking them about allowing Verant to scan for cheating programs

    There was nothing mandatory about it. The poll was only created because so many people were outraged because of it.

    >(80+% agreed with the scanning).

    Which question? There were two forms of questions during the poll. The first being something like "Do you agree that Verant should stop hacking programs?" Don't you think thats a bit biased?

    >I'm at a loss to think of a better resolution to deal with people acting like scumbags.

    As I mentioned in another post, what they wanted to get rid of is ShowEQ. They can limit its functionality greatly just by not sending so much irrelevant information.
  • by Lightwarrior ( 73124 ) on Thursday April 06, 2000 @05:05AM (#1148353) Journal
    First off, 90% of any post I see related to EQ is always bashing Verant for one reason or another. I think a lot of these posts aren't warrented, and their authors aren't giving Verant a fair chance. But this is the same for any corporation / company... when anything goes wrong, or doesn't go the way they want it to, people scream and yell and say "SEE! *THIS* is capitalism at work!" You're all crazy.
    Capitalism at work is keeping your customers happy. If they're happy, they'll keep coming back to buy your product.

    When Verant annoucned they were going to scan your tasklist for cheat programs, they also put a poll in at the login screen, stating something to the nature of "Do you have a problem with Verant checking for cheat programs when you run EQ?"

    That's right - they *ask* their users for thier opinions.

    And *despite* the fact that 83% (out of 15000) responded they were fine with running a check for cheating, *Verant decided not to do it*. Why?

    Because enough people had stated they felt it was chipping too much into their privacy.

    But the worst part is that people decided to make up ways Verant was checking for these hack/cheating programs... for example, scanning directory trees (false), internet files (false), internet history (false), cookies (false), and email (false).

    What was the check suppost to do? "The client simply would examine a small subset of information on your system, none of it containing information personally identifiable to a third party, and only send it to our server in the event that you were "running" an illegal program at the same time you ran EQ." I'm assuming here "illegal program" means a program designed to give a user an advantage over other users in EQ.

    I understand some people would say this is an invasion of privacy. Some of those people are honestly worried about the continuous breach in our privacy in general. I'm willing to bet that the majority of people who cried "Foul!" were worried they wouldn't get to use thier cheat programs anymore.
    Or, they were the people who find a reason to scream "SEE! Capitalism at work! Invasion of privacy! Invasion of privacy!" when it isn't justified.

    This post is way too long already, but I've got more to say on the issue. If you disagree, or agree, post and we'll talk.

    The information I used in this post can be found at EQ Stratics [stratics.com] or The EQ Vault [eqvault.com].

    lw
  • by EXTomar ( 78739 ) on Thursday April 06, 2000 @05:42AM (#1148354)
    Is it Verant and the designers of EQ for being somewhat laxed in their design? It is one thing that the server has to tell the client where all of the dynamic objects in the world are position, it is something else to blantanly tell the client extra junk about them. There is no particular reason why the client needs to know the exact hit points of a creature. It should have been broadcast to the client as a percentage, which in the end is what the player ends up seeing. If they were really concerned about people "eavesdropping", they should have encrypted the data streams. Scanning the computer to see if hacker tools are employed is a weak attempt to stop this kind of exploit, at best, and, at worse, it is wrong.

    In another sense, Verant and EQ are trying to act in the best interest of the game. How many people will continue to play a game of Chess against a person who is blantantly cheating? EQ should probably be no different. I want them to actively keep the game from descending into a hacker's paradise.

    Is it the players are at fault for trying such junk in the first place? And please don't quote me "the players pay have a right to do what they want" because that isn't true. By agreeing to play any game, you agree to follow a certain framework of rules. If a cheater is playing someone in a game a real world Chess and the cheater is caught cheating, they really have no defense. EQ should be no different. The "neutral tool" argument doesn't really work here either(ie. 'hammer is a tool that does some good things and bad things...do we outlaw hammers?'). ShowEQ isn't a generic tool that has other applications. It was designed for one purpose and one purpose only. If ShowEQ was designed for "acedemic reason" that is one thing but I have a hard time believing so many people are interested in ShowEQ because it teaches useful programming skills.

    In another sense, players should push Verant and the EQ Architecture to the limit. The only way the game will get better is if the players push on Verant to improve it. As mentioned before, the fact that you can listen to packets flying by and find out extra information indicates a weakness in their design. It should be pointed out that one of the useful things that came out of ShowEQ is that it was shown that reduntant information was coming back from the server. Verant did take note and said they would do something about it (although I'm unclear whether or not they actually fixed it. ^_^). How can the players do this without actually figuring out how some of the game works?

    IMHO, both sides blew this way out of proportion. Verant didn't think things through when they wanted to stop players from packet listening and came up with the wrong solution. Instead of wasting time and effort into figuring out how to detect packet sniffing, they should be putting time and effort into fixing the real problem which: too much information is sent over the wire. Players blew this way out of proportion because because Verant basically said "We don't really care if you have hacking tools...just don't use them while playing EQ" but many read much more into it. If you are going to do something questionable, shady, etc. you probably shouldn't be doing it in "plain sight" (yes, on Windows 95/98, the hard disk is plain sight...everything in Windows 95/98 is in plain sight) especially after you've been warned.
  • by deefer ( 82630 ) on Thursday April 06, 2000 @03:34AM (#1148355) Homepage
    I'm glad that this company has backed down over this. But whilst their method of trying to ensure a level playing field for all was clumsy, at least they had players interests at heart. The only game I play online right now is Unreal, and when I'm getting my butt kicked every which way I have to wonder... Is that guy that just fragged me really good, or has he got a software advantage? The thing is, I don't know. How would you go about making sure that no one is cheating in an on line game? You can checksum the executable, but that can be forged. And how do you go about making sure that there are no little packet interceptors which correct your aim?
    /.ers are always willing to disregard "security through obscurity", but how would you design an open method go about this, aiming to get 100% surety that no one is cheating?

    Strong data typing is for those with weak minds.

  • by 348 ( 124012 ) on Thursday April 06, 2000 @03:32AM (#1148356) Homepage
    Doubleclick,the Feds and Verant all seem to be in the same business. Doubleclick for obvious reasons, the Fed this week pumping the Bill S. 2092, which will give the federal government's ``trap and trace'' authority, and now Verant. Law enforcement and now mainstream business views the Fourth Amendment as the problem. That's the piece of the Bill of Rights that protects ``persons, houses, papers and effects against unreasonable searches and seizures''-- with no mention of data and what it represents. And so now, the corporations and the government want to force manufacturers to build surveillance into technology, all but eliminating another basic right of privacy.
  • by Alien Perspective ( 171882 ) on Thursday April 06, 2000 @03:27AM (#1148357)
    ...the authors of hacking tools included code that checks for the presence of EverQuest during installation, and, if present, installs the "extra-strength super-dooper stealth" version.

    Those who attempt 'security through obscurity' achieve 'obscurity through stupidity'. Frankly, I prefer 'security through perversity'.

  • by Daddio ( 171891 ) on Thursday April 06, 2000 @03:47AM (#1148358)
    I play Eq and as anyone else who plays knows EVERYTIME you log on they require you to read and agree to the license. It has been a long standng joke that they change the license regularly without telling us.

    This is, while I can see there side, just the latest in turning the world of Norrath into more of a police state. Over the last few months they have recuited more guides (read police) to enforce their new play nice policy.

    Basically the policy is that anyone who pisses off anyone else is up for disciplinary action that include suspension and expulsion. (sounds like high school no?) While on the one hand they have created a very nice game and are wildly successful, theat success has caused growing pains on their side.

    A few examples of the pains are the fact that each server is disigned to have 1000 - 1200 people playing on it at any one time, you are hard pressed to find any server that has less than 1800 users and many are hitting 2000 during peak hours. For those that haven't experieinced once you select a server that is where your avatar lives it's life, forever. No crossing from one server to another. As your friends join up they want to hang w you so they joing your server compunding the problem.

    This excess of players stresses the system on two fronts of course the technical side with zones and servers crashing sometimes for days losing the entire player database, but also the in game resources are pushed having not been designed for that many people. This causes a shortage of things to do with people camping waiting for the first enemy to appear and not only battle the enemy but argue with other players over who it belongs too. This breeds animosity among players who are NOT allowed to kill one another (except under certain mutally agreed circumstance. So now maybe you understand. While Verant has learned from the mistakes of Ultima they have still created their own special problems.

    Overall though the game is so very well done and when it works the experience is so cool that we all hang out and keep playing. For the unititated all I can say is that the social aspects of the game are in my opinion what keep people playing.

    daddio
  • by Anonymous Coward on Thursday April 06, 2000 @03:22AM (#1148359)
    http://lum.xrgaming.net scroll down a bit, its got about 6 posts with letters from Verant President John Smedley himself, + Verant lawyers.
  • by Anonymous Coward on Thursday April 06, 2000 @03:32AM (#1148360)

    Lets face it, people who game online like to get the edge over their opponents, and one of the ways they do this is to cheat. There is a proliferation of tools to do this for various online games, and users can easily find them on the net.

    When even one person cheats it makes the entire game less fun for everyone else playing it. Instead of a test of skill it becomes a farce, with little or no skill being required to win or proceed. Verant, obviously worried about the quality and fun of their game EverQuest, were being entirely reasonable by wanting to prevent the use of cheating tools.

    Given this concern, the only reasonable and effective thing for them to have done was to scan the user's hard drive for said cheating tool. This isn't a privacy issue - they're only scanning for a tool which will lessen everybody's enjoyment of their game. If you are are against this then you are letting people ruin the game by cheating, which is hardly fair to other users.

  • by John_Prophet ( 78703 ) on Thursday April 06, 2000 @03:26AM (#1148361) Homepage
    Ridiculous. I can't say I'm surprised though. A bunch of suits sitting around a board room discussing their moneymaker and saying "Hmm. we need a way to keep the game fair. I know, let's require anybody who wants to play to give us total access to their computers. They ought to go for that."

    The game has YET to be invented that will make me want to trade in my privacy in order that I might keep some other guy from getting some extra HP or resources by cheating.

    Not to mention that if you have to cheat at a game just to be competative -- how much fun can it possibly be?

    ... kinda like the problem with playing Quake online... The levels are completely unimaginative, and it comes down to ping speed & hardware to decide the winner. Adding things like LIMITED weapons, ammo & powerups would require people to conserve their ammo and to play strategically, rather than switching over to rocket launcher, putting it on autorun and holding down their fire button.

    But it's all just games anyway, right? Relax, people. Have fun. Stop nosing around on my PC.


    -The Reverend
  • by Gurlia ( 110988 ) on Thursday April 06, 2000 @03:56AM (#1148362)

    You bring up a very good point. Customers are able to influence a big company's decisions, especially on issues like privacy. One key point I'd like to highlight is this: they can only do this if they are informed. I think it's extremely important that we try out best to make the average Joe user aware of all the potential violations of privacy that's going on today. The reason that so many users today have such poor habits online (in terms of protecting their own privacy) is because they aren't aware of it.

    This may be a bit off-topic, but I think this principle can be applied to other things too. Such as things like DMCA. It went by because very few were actually aware of the threats it represents. But if the average Joe user is made aware of these issues, I'm sure the masses will be able to force the powers that be to change things. Just like this case: imagine if nobody knew that the latest Everquest upgrade scanned their computers. Nothing would be done about it, and privacy will be compromised. But once people found out about it, they took action, and things changed. I'm sure this can happen on other areas too, like DMCA, etc..

  • by Effugas ( 2378 ) on Thursday April 06, 2000 @04:10AM (#1148363) Homepage
    The question is no longer whether Verant *ought* to rummage through its user's computers looking for whatever it feels like.

    The question is, what prevents anyone else from doing so?

    If Verant can modify Everquest such that it ships with Back Orifice 2000, and the only thing that prevented them from doing so was the (thankfully effective!) fear of inadequate liability disclaimers, what *exactly* prevents anyone else, who *doesn't* particularly worry so much about the law, from attacking any Everquest player they please with a trojan'd update?

    I betcha nothing but the network, as if "well, it came from Verant's DNS name, so it *can't* be spoofable." *sigh* I'm reminded of the Genie from Alladin..."PHENOMENAL COSMIC POWERS...itty bitty security." Oh, and toss in a little bit of obscurity to be on the safe side.

    I should be fair. There's an off chance that there's some cryptographic protection against such an attack being sued by Verant. That'd be nice. I'd like that, as I do cryptography. Day in, day out, it's what I've been living, breathing, thinking, and scheming. And ya know what? I had a total compromise sitting around in my design, because I forgot the (rather simple, but marginally obscure fact) that it's rather trivial to convert a private key back into its public key equivalent. (Moral of the story, folks: Possession of a public key authenticates NOTHING.) Stupid problem, easy to fix, but then, that's my *job* right now.

    I doubt I have an equivalent at Verant.

    At best, Verant is employing some painfully inadequate public signature verification key to make sure that an update actually came from them. Rather likely, they're using some symmetric algorithm(RC2/RC4 most likely, as they're easily exportable) with a broken key length--not that it matters, since if they're using a symmetric key to authenticate the packages, then the same key that Verant used to sign the update shipped with every copy of Everquest--*cough* itty bitty security. Same shtick if they use a MD5-signature variant--the "key" used to authenticate the package as coming from Verant and not Joe Cracker necessarily gets shipped with each box.

    Of course, who am I kidding. We'd be lucky if there's an XOR in the lot. (XOR, for the non cryptographers out there, is a thoroughly broken but easy to implement logic operation that one can run on data to make it "appear" encrypted. Appearances...can be deceiving.)

    Folks, this is a *real* problem. Whenever you're doing crypto, you have to separate the world into Us vs. Them. I don't have a problem trusting Verant--they've got deep pockets, they've got skittish lawyers, and if they try anything, we'll see 'em telegraph it in the licensing agreement. (And if they do things without changing the agreement, We Know Where They Live.) So, for the moment, "Us" is Verant and Me, as an Individual Gamer. Them is every *other* gamer, malcontent, and kangaroo down under.

    The question to ask yourself, is: What allows Us to determine what code is executed on the client machine, and not Them?

    The next question to ask yourself is, since *you're* the one at risk with the client machine, and not Verant, how likely is it that Verant even broke a sweat regarding the answer to the previous question?

    Great. Verant isn't going to hack their users, out of the goodness of their lawyers paranoia. So who will?

    What about other games here, folks? Am I the only one noticing that large portions of the Windows software space are suddenly becoming net enabled for no other reason but to deliver ads(at best) and trojans(over time)?

    This isn't the first time I've run a company through the ringer over automatic execution of code(both Microsoft and Novell have painfully inadequate checking on their login script functionality; more at www.doxpara.com), but as much as /. likes to bash Microsoft, at least MS can be assured to have considered cryptographic protections.

    Sure, they rejected 'em, but still...you gotta know they at least considered 'em. Verant, on the other hand?

    Does anyone know?

    Email or reply if any of this concerns you. I've had some interesting reponses planned to this trend that I just haven't had the resources to implement. With some help, we might actually be able to...deal with this situation.

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com
  • by GrimJack ( 3496 ) on Thursday April 06, 2000 @04:02AM (#1148364) Homepage
    For those that don't have the time or inclination to look at the whole story here's the deal as I observed it over the last little while.

    First Everquest doesn't have that large of a real cheating problem, they're very good at logging any strange client behaviour and banning people the minute they're caught. However, a program was released to the public domain a while back called ShowEQ, this program is a passive sniffer that reads the data stream between the client and the server and displays data that gives the user an advantage over other players, basicly it's a realtime map of all the monsters in a zone with their hps and level.

    Verant has been trying to combat this for a while by constantly changing their encryption scheme but has thus far been unsuccessful in locking the people maintaining the program out for more than a few days.

    ShowEQ ran on Linux, recently someone released a Windows version and this is what verant claims they were scanning for (The passive client on linux is really impossible for them to detect)

    Someone recently posted a message on the EQ message boards asking why verant was scanning the task list of their computer and uploading what was running back to the servers, this is prior to the announcement that they wanted to do this btw, Verant was extremely quiet about this thread until the announcement was made that they were changing the end user license which you have to agree to every time you start the everquest client.

    All these threads are still available and it's somewhat interesting to read what Verant's reps posted in response. If you want to see check http://everquest.station.sony.com and click on the message boards link.

    Part of Verant's problem is they've been fostering a real Us vs the Players attitude (Although they probably don't intend to, but anyone who's been on a MUS* before realizes that it's just part of the lifecyle of such games) By refusing to answer player questions about game mechanics and such, some people have used ShowEQ to get real answers to these questions, such as how the experience system works and such.
  • by EQ ( 28372 ) on Thursday April 06, 2000 @03:45AM (#1148365) Homepage Journal
    And its simply an RE job on the datastream. Passive, nothing more. All it does is lets you see the REAL numbers behind the game that Verant tries to hide with handwaving and frantic knees-bent running about behavior.

    The reason? They have some severe design flaws in their game, as well as a piss poor and arrogant attitude toward their player base. The only reason they are raking it in is because nobody else has such a thing on the market yet. They were stomping sites until it got moved to www.hackersquest.gomp.ch, (notice the NON-us addy?) a host site that doesnt have anyone that clicked the Verant EULA, and so far seems immune to their lawyers.

    And the prog runs on a separate Linux box: using NAT/ipchains and routing the win box thru the linux box is best, but it can also put the ethX device into promisc and sniff the data. So, really, there isnt jack they can do about detecting it. They seemd to live with this until... What brought this "corporate sniffing" on is that someone took the open source and did a windows port. So every little k3w3l d00d and wannebe could use it.

    Verant went into Corporate panic mode - typical of their nasty anti-gamer managerial mindset. Verant went psycho trying to stop it.

    But the scariest thing is: when they polled 15,000 of their users, 83% agreed to let Verant search their HD as a precondition of playing the game!!!

    What kind of sheep are these? I pity the folks who will need to depend on such weak and obedient asses who will kneel down for a compny just to be allowed to play a game that they are already paying for!

    EQ players who said Yes in that poll, you should be ashamed!

  • by nlvp ( 115149 ) on Thursday April 06, 2000 @03:30AM (#1148366)
    Isn't it interesting how this particular arena (privacy) seems to put so much more power in the hands of the consumer than any other?

    I think it's because when someone's privacy gets threatened, they feel much more quickly capable of taking significant action, to the extent that they're willing to switch provider, give up a forum or a game they enjoy, or use alternatives (sometimes of dubious legality), in order to protect it.

    In terms of the influences faced by online companies today, it seems to be quite a high priority to satisfy the privacy needs of customers, even though this is not a natural consequence of their desire to make profits, but rather caused by an obsession (healthy, in my opinion) with privacy on the part of individuals.

    We've seen quite a few radical reversals of policy on the part of some very large corporations (Doubleclick or Intel for example), which would seem to imply that online consumers, as a separately identifiable group, are becoming quite powerful in their own right.

    Long may it last!

  • by Wow8agger ( 115234 ) on Thursday April 06, 2000 @03:43AM (#1148367)
    I think it's important to note before the standard Slashdot privacy feeding frenzy starts that Verant has done their best to act responsibly on this issue. A couple things to pay attention: The scanner in question did NOT scan registry, HD, browser history, etc. It was doing latency checks (for proxy server goofiness) and running task checks. The Verant Management has maintained a very open line of communication with their customer base, including a producer letter, EULA modifications (with explanations to the users), IRC chats with Sony lawyers, and a mandatory poll of the users asking them about allowing Verant to scan for cheating programs (80+% agreed with the scanning). Admittedly, I don't like people looking at whats going on with my computer in any way shape or form, but I'm at a loss to think of a better resolution to deal with people acting like scumbags. -Matt Burch Everquest Junkie
  • by Chester K ( 145560 ) on Thursday April 06, 2000 @04:22AM (#1148368) Homepage
    I run a fairly large EverQuest-related humor site [stratics.com], so I've been following this issue since it started (even if only to make fun of it).

    What's happening here is a thorny problem where individual "privacy" headbutts with everyone's best interests.

    A quick background for those not in the know, Verant Interactive [verant.com] produces and maintains EverQuest [everquest.com], a massively-multiplayer online role-playing game. Thousands of players connect to Verant-administered servers and play alongside other players in a persistent world. It's the second major-market title in the MMORPG genre started by Ultima Online [uo.com].

    The way these games work is centralized servers store all the state information about the virtual world. To be general, nothing is stored client-side. This is required, because unlike games like Quake [idsoftware.com], the world is persistent. An early incarnation of this type of game was Diablo [blizzard.com]. The main difference between the newer games (UO and EQ) and Diablo is that with Diablo, all your character information was stored client-side. This became a major problem for the game, as it was only a matter of time before the file formats were reverse-engineered and people started modifying their characters to be super-powered.

    By storing the information server-side, this type of cheating is avoided. No matter what you do, there will always be people who want to cheat, and if the information is stored server-side, people will try to exploit the server to cheat, or will "enhance" their client software in order to give them an unfair advantage in the game. Ultima Online has had a long history of dealing with this type of problem. Many security weaknesses in the UO servers were discovered (and fixed), but at the same time, these weaknesses were exploited by people, most often to do devestating things to other players of the game.

    Recently, EQ has had the same things happening to it. A program known as "Show-EQ" has been around for quite some time, which simply gives a player an unfair advantage in the game. Verant has dealt with this in a subtle manner, changing their client/server data stream every so often to set back development of the utility.

    In the past couple weeks, other programs for EQ have begun to pop up, with more nefarious purposes. The EverQuest servers have been crashed on more than one occasion by these programs. This is what brought Verant to suggesting drive-scanning. It's one thing if someone is just cheating, but it's another thing completely if they're maliciously trying to crash the game.

    They took their first countermeasures not too long ago, by adding a feature to the client software that scans your Windows task list and looks for these "external utilities". If it finds one, it flips a "I'm a cheater" flag on your account and you end up with a cancelled EQ account.

    They proposed to extend their search to the hard drive, to see if any of these programs even exist on your system... and this is where people started to get upset.

    Verant has been very open and forthcoming about the proposed changes, keeping active discussions regarding the issue on the various websites dedicated to EverQuest, offering reasoning and explantions of the scanning process, and they even required all users to answer a poll question regarding the issue on login to the game (which turned up 80%+ in favor of the scanning).

    Even with the overwhelming support of the scanning by their playerbase, they responsibly decided to back down on the issue.

    Now granted, what they suggested could be a huge tool for abuse and privacy intrusion, but they did not try to "sneak" it past their users in any form. What they were proposing was nothing compared to some of the things that people thought they were planning on doing (there have been some heated arguments about it the past few days).

    In short, its not really that they intended to intrude on people's privacy, but that they were seeking to increase the quality of their service and actually have a way to enforce their "no cheating" rules.

    Verant should be commended on their responsible handling of this entire incident, not trashed in the court of public opinion based on reports that only tell half the story, like the one posted here on Slashdot.

"There is no statute of limitations on stupidity." -- Randomly produced by a computer program called Markov3.

Working...