Eve Online Client Source Code Leaked
An anonymous reader writes to tell us that the game client source code for the popular MMO, Eve Online, has been leaked via torrent. In addition to the source code the user also posted a lengthy chat transcript with someone from CCP customer support. While the end goal may have been to call attention to the continuing security issues within Eve (and ultimately themselves), there are probably better ways of getting through to support. Unfortunately, CCP seems to be responding with the usual knee-jerk reaction of banning everyone breathing a whisper of this incident. I wonder if any large MMO company will ever be brave enough to calmly address an issue rather than wielding the ban-hammer.
this is going to be so great (Score:3, Interesting)
Re:Warning! CCP Seeding, Banning Torrenters (Score:3, Interesting)
If they're actually seeding it themselves then I expect to hear about a lawsuit. Since that would be purely legal to download from them. If CCP is effectively giving away their src what's wrong with accepting their offer?
Re:Don't download the source via the torrent (Score:3, Interesting)
Re:Not a leak (Score:1, Interesting)
Re:this is going to be so great (Score:3, Interesting)
Wait a minute... (Score:3, Interesting)
Re:Calmly address theft of the crown jewels? (Score:3, Interesting)
I wonder how Microsoft would respond to someone putting the code for Office online?
Well, that kind of happened. [slashdot.org]
Re:Don't download the source via the torrent (Score:4, Interesting)
Re:Don't download the source via the torrent (Score:2, Interesting)
Re:From TFA... (Score:5, Interesting)
Well, the CCP rep did sound vaguely annoyed to me; I could see him rolling his eyes. But then I imagine they roll their eyes at most of the conversations they have.
And by the way, how did this guy end up with the source code in the first place?!
That's still unclear. Some say it's just decompiled python that anyone could do themselves easily enough. But he almost alludes to having a source within ccp... so I'm not sure.
It's too bad he's apparently not an English speaker because that invites mockery. And obviously he's not being terribly mature which further damages his image, but at the end of the day what he is asking for is legitimate in my opinion:
All he wants is CCP to acknowledge there are specific issues and to demonstrate that there have been real fixes added. Because he is firmly convinced that people have been botting for years using known exploits and that CCP hasn't made even the slightest effort to curb them.
So he's basically saying if you've fixed it... prove it. "Show me an exploit that used to work that doesn't now. Show me something, ANYTHING, that you've actually fixed in the last year or so related to stopping botters."
"And Improve your processes, so that if we report exploits you acknowledge them, and fix them, instead of just handwaving that security improvements have been added, because I'm not seeing any."
"And if you don't, I'm releasing the source, so we can ALL see for ourselves what you've actually improved over the last year, because I'm tired of watching people bot for YEARS without having to so much as adapt to new anti-bot tactics."
If this guy is just blowing smoke, then CCP really should have no issue publishing some of the hundreds of botting related exploit scenarios that they claim to have fixed over the last several patches...and showing that they no longer worked.
That much they owe their customers. Frankly, I don't really blame CCP for not publicly acknowledging security issues and bringing additional attention to each exploit before it's fixed... BUT... I -do- think that the playerbase deserves some honesty -after- the fact.
If they release an exploit fix, publish it, what used to work, and what no longer works. CCP lacks credibility, and this would go a long ways towards helping restore it.
After all we get a better level of security updates disclosure from Microsoft. I think all this guy really wants is the same from CCP. And if CCP *hasn't* actually done anything in the last few years to address all the while claiming they have, well... I can see why a segment of the playerbase is boiling mad about it, and wants to blow this into the public eye where they can't sweep it under the rug anymore.
Re:Don't download the source via the torrent (Score:3, Interesting)
^ Direct link
irc.partyvan.fm
Re:Don't download the source via the torrent (Score:3, Interesting)
Re:this is going to be so great (Score:3, Interesting)
The fact that Eve is going this ballistic suggests that something strange is going on. Not proof cold, but certainly it qualifies as somewhat sound circumstantial evidence.
Re:this is going to be so great (Score:5, Interesting)
Back in the dark ages, ya know, the 90s, there was a little game called Ultima Online.
Heard of it? I hope so, it was one of the original MMORPGs.
Every client ever released for that game had all of its packets decrypted, and the encryption scheme broken for keys, usually within 24-48 hours. Every time they updated.
Add to that that people edited the client to do whatever they wanted, sometimes with other programs hooking in and altering packets, others by directly altering the assembly of the client.
Many people tried to exploit bugs in the game that way, but most failed, and every time someone did find one, it was usually fixed relatively quickly. Malformed packets went from "all the rage" and the way to bug up a game to relatively worthless within a span of a month, barring a few new uses that popped up every so often from bad new code introduced.
Having the source code only simplifies this a little for the people who really care, and it doesn't really enable them to do anything they couldn't already.
Oh, also, while I'm at it. Did you know Ultima Online had a special client for staff characters? And that the binary for that client was leaked as well?
OH NOES! But wait! Ultima Online used good security measures and correct privilege systems, so the client was worthless for anything a normal player couldn't do.
Summary: This isn't new, and it's happened before on other games. Except in the past most games were already so well understood by their communities that the source would add almost nothing except a little ease and some time saved duplicating a better version of the client when they stop upgrading.
Add to that, if this causes ANY security issue with EVE, then the people who coded the game should get in trouble, not the players. Good coding practices prevent all trouble the code could possibly do. You ARE checking for privilege levels and sanitizing your inputs, right?
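The server-side privilege check and input validation this comment refers to, as an added example that is not part of the original thread or of any game's code. The session table, role names, command names and argument limits are hypothetical:

```python
import json

# Constructed server-side state (hypothetical): roles are stored on the server,
# keyed by session token, and are never read from the packet.
SESSIONS = {"tok-player": {"user": "alice", "role": "player"},
            "tok-gm": {"user": "bob", "role": "staff"}}
RANK = {"player": 0, "staff": 1}

def is_int(lo, hi):
    # bool is a subclass of int, so compare the exact type.
    return lambda v: type(v) is int and lo <= v <= hi

# Hypothetical command table: minimum role plus a validator per argument.
COMMANDS = {
    "say": ("player", {"text": lambda v: isinstance(v, str) and 0 < len(v) <= 200}),
    "teleport": ("staff", {"x": is_int(0, 6143), "y": is_int(0, 4095)}),
    "spawn_item": ("staff", {"item_id": is_int(1, 0xFFFF), "count": is_int(1, 100)}),
}

def reject(reason):
    return {"ok": False, "error": reason}

def handle_packet(raw: bytes) -> dict:
    """Authorize and validate one client packet using server-side state only."""
    try:
        msg = json.loads(raw)
    except ValueError:  # covers bad JSON and bad UTF-8
        return reject("malformed")
    if not isinstance(msg, dict):
        return reject("malformed")
    token, cmd, args = msg.get("token"), msg.get("cmd"), msg.get("args")
    if not isinstance(token, str) or token not in SESSIONS:
        return reject("unauthenticated")
    if not isinstance(cmd, str) or cmd not in COMMANDS:
        return reject("unknown_command")
    session = SESSIONS[token]
    min_role, validators = COMMANDS[cmd]
    # A modified or leaked staff client can claim anything; only the
    # server's own record of the account's role is consulted.
    if RANK[session["role"]] < RANK[min_role]:
        return reject("forbidden")
    # Exact key match rejects missing and unexpected arguments alike.
    if not isinstance(args, dict) or set(args) != set(validators):
        return reject("bad_args")
    if not all(check(args[name]) for name, check in validators.items()):
        return reject("bad_args")
    return {"ok": True, "user": session["user"], "cmd": cmd, "args": args}
```

A packet that carries its own `"role": "staff"` field gets the same `forbidden` answer as one that does not, because the handler never reads that field.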
Re:Calmly addressing issues (Score:1, Interesting)
Born yesterday 0% [ 0 ]
16 - 20 7% [ 13 ]
21 - 25 20% [ 36 ]
26 - 30 19% [ 35 ]
31 - 35 20% [ 36 ]
36 - 40 15% [ 28 ]
41 - 50 12% [ 23 ]
50+ 3% [ 6 ]
None of your business
Older than Dirt 0% [ 0 ]
Total Votes : 178
EVE demographics are a good bit more varied than usual.
Full source? (Score:3, Interesting)
Re:Full source? (Score:1, Interesting)
Re:Warning! CCP Seeding, Banning Torrenters (Score:3, Interesting)
Server-side validation only captures 'illegal commands', it doesn't really capture -automated commands-.
As long as the bots don't do anything Server side validation isn't going to catch squat. It can't easily tell if it's a real player at the helm. And it certainly can't tell the difference between player:
click-a, click-b, c, d, e, f, g, h, i, j, k, l, m
and player
click-X
and exploit-script tells server he: click-a, b, c, d, e, f, g, h, i, j, k, l
freeing the player some extra time to read status readouts, check the map, check his 6, etc.
nor can it tell the difference between:
player observes condition - click-a, click-b in response and
script-bot detects condition - sends 'click-a, click-b' in response.
freeing the player to not have to issue commands at all. (Think of a bot that can farm ore by itself, return it to base, and make a rudimentary attempt to flee an attacker, even if the player is at work.)
Imagine a blob of 10-20 of these bots gate camping, assisted by just one or 2 players who can give the whole blob move/retreat/regroup/attack orders via an out-band channel like IRC.
Again server side validation isn't going to see anything in terms of invalid input.
These are the sorts of uses that hacking the client can be expected to yield, even if you assume the server is hardened and secure against 'malicious' clients.
Re:Calmly addressing issues (Score:2, Interesting)
Re:Official Communication from CCP (Score:2, Interesting)
Re:Direct link to the torrent (Score:3, Interesting)
Geez, why not just upload a GTA4 ISO while you're at it.
Re:Direct link to the torrent (Score:3, Interesting)
When it costs practically nothing to produce a 1:1 copy of something, then it becomes impossible to charge much more than nothing for it. It really is as simple as that. There are huge changes coming and telling people to fuck off to North Korea won't change that.
Re:Warning! CCP Seeding, Banning Torrenters (Score:3, Interesting)
Going the open source route may or may not help them, depending on how much of the data available clientside has to remain hidden from the user:
The deep dark secrets they don't want out could be something like players getting info on all objects in a solar system, and the client filtering out what should not be seen. That would be immediately exploitable by a client that has the filter removed. It would also be poor design, but consistent with the general lagginess of EVE.
But then again, their behaviour indicates that they are not interested in going open source anyway.
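The design question raised in the comment above (filtering in the client versus filtering on the server), as an added example that is not part of the original thread and does not describe how EVE actually works. The visibility rule, sensor range, object fields and sample world are all hypothetical:

```python
from dataclasses import dataclass
from math import dist

SENSOR_RANGE = 100.0  # hypothetical visibility rule for this sketch

@dataclass(frozen=True)
class SpaceObject:
    oid: int
    owner: str
    pos: tuple
    cloaked: bool = False

def visible_to(obj, viewer, viewer_pos):
    """Server's rule for what a player may know about (hypothetical)."""
    if obj.owner == viewer:
        return True
    return not obj.cloaked and dist(obj.pos, viewer_pos) <= SENSOR_RANGE

def snapshot_client_filtered(world, viewer, viewer_pos):
    # Weak design: every object goes on the wire with a "show" hint, and the
    # stock client is trusted to hide the rest.
    return [{"id": o.oid, "pos": o.pos, "show": visible_to(o, viewer, viewer_pos)}
            for o in world]

def snapshot_server_filtered(world, viewer, viewer_pos):
    # Corrected design: objects the player may not see are never sent.
    return [{"id": o.oid, "pos": o.pos}
            for o in world if visible_to(o, viewer, viewer_pos)]

def overexposed_ids(snapshot, world, viewer, viewer_pos):
    """Audit helper: IDs in a snapshot that the viewer is not entitled to see."""
    allowed = {o.oid for o in world if visible_to(o, viewer, viewer_pos)}
    return sorted(e["id"] for e in snapshot if e["id"] not in allowed)

# Constructed sample system: alice at the origin, three other ships.
WORLD = [
    SpaceObject(1, "alice", (0.0, 0.0, 0.0)),
    SpaceObject(2, "bob", (30.0, 40.0, 0.0)),         # in range, visible
    SpaceObject(3, "carol", (10.0, 0.0, 0.0), True),  # in range, cloaked
    SpaceObject(4, "dave", (900.0, 0.0, 0.0)),        # out of range
]
```

Running `overexposed_ids` over outgoing snapshots in a test suite turns "the client never receives what it must not show" into a checkable property.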
Re:Warning! CCP Seeding, Banning Torrenters (Score:4, Interesting)
This is the best attitude that I've ever seen from a commercial MOG developer. It is exactly correct.
Someone just needs to tell their Banstick guys that. If they believe their own argument, then they need to act like it.
Re:Direct link to the torrent (Score:3, Interesting)
Re:Warning! CCP Seeding, Banning Torrenters (Score:3, Interesting)
Simple.
Suppose you spend 80 hours a week in game.
Suppose I play 15 hours a week, but buy ISK to keep up with you in terms of in game cash.
Our characters' wealth and skills would be equivalent, right.
But who is more likely to run a major alliance, control a starbase, or do anything else of real significance?
You see, the guy 'in game' has a massive advantage. He's spending 80 hours a week meeting people, building friendships, trust, networks, alliances, and has his finger on the community. You can't simply buy that.
The only thing you can get from playing a lot is more money, but if you really wanted that, there are other legit ways to acquire it without investing time.
What? Selling those time cards for ISK? Come on.
1) If the 15 hour/wk crowd decided to play keep up with the full time players there would be more time codes flooding the market than ore. Supply would outstrip demand a 1000 to 1. It's a solution for a handful of players maybe, but hardly a general solution.
2) I want to play for what I get in eve, not buy it. It's a game, first and foremost.
3) My commitment to Eve is 'several hours a week', and 15$/month or whatever. I'd like to see competitive play at this level. There are many thousands of us after all, so there's certainly no lack of opportunity for a 'league' for us.
But no, we're forced onto the hardcore server, where a chunk of the competition completely and utterly and permanently outclasses us, and we are forced to either dramatically up our commitment in time or money to keep up... or come to terms with the fact that we can either remain irrelevant or become cogs in someone else's machine.
Yet if I want to race cars on the weekend, I can take the car of my choice and get into a competitive race with others in the same class of vehicle and skill, with a similar level of commitment to the sport. I'm not put on the road with pro-drivers in F-1 cars and told that if I want to see anything remotely competitive then I'd better dedicate a lot more time and/or money to the pursuit.
That's just silly... yet that's the competition model in all MMOs to date.