Eve Online Client Source Code Leaked

An anonymous reader writes to tell us that the game client source code for the popular MMO, Eve Online, has been leaked via torrent. In addition to the source code the user also posted a lengthy chat transcript with someone from CCP customer support. While the end goal may have been to call attention to the continuing security issues within Eve (and ultimately themselves), there are probably better ways of getting through to support. Unfortunately, CCP seems to be responding with the usual knee-jerk reaction of banning everyone breathing a whisper of this incident. I wonder if any large MMO company will ever be brave enough to calmly address an issue rather than wielding the ban-hammer.

this is going to be so great

[JernejL]

I don't think anything major as this has happened before, and from a online game developer's perspective i will look closely to how this affects cheating and the development of the game further, as something like this is a great nightmare for any game developer, and i really want to see how this one ends.

Re:Warning! CCP Seeding, Banning Torrenters

[hcmtnbiker]

Something that the summary missed but was reiterated twice in the actual article is that CCP is accused of seeding most of the torrents and then monitoring all IP addresses acquiring the source and then banning accounts associated with those IPs.

If they're actually seeding it themselves then I expect to hear about a lawsuit. Since that would be purely legal to download from them. If CCP is effectively giving away their src what's wrong with accepting their offer?

Re:Don't download the source via the torrent

[Eraslin]

Makes you wonder what the implications are w.r.t. copyright and trade-secret if CCP is distributing the code themselves. Sure, by seeding they'll be able to snag IP addresses and ban users. But, for down the road, I wonder if they've just given up any ability to claim copyright infringement or some such on anyone (defense: ''CCP themselves were seeding it ,your honour. So, I got it from the copyright owner with their permission.'').

Re:Not a leak

[Anonymous Coward]

Yeah, it's pretty much a non-issue, because everyone who cared to could (& possibly has) done this before. It's just people who lack the knowledge to do anything who're in a huge tizzy. That said, the extra eyes and attention have determined that you can have some fun with local-zone javascript called by a specially crafted link passed to the victim in-game.

Re:this is going to be so great

[Antique Geekmeister]

There was the theft and publication of the Half-Life 2 source code a few years ago. That included the creation of an illicit version of the game, in Russia.

Wait a minute...

[jeffbax]

Does this mean that someone will finally make a proper Mac and Linux build without the Transgaming garbage ;)

Re:Calmly address theft of the crown jewels?

[}{avoc]

I wonder how Microsoft would respond to someone putting the code for Office online?

Well, that kind of happened. [slashdot.org]

Re:Don't download the source via the torrent

[SiriusStarr]

I don't know... Remember the recent article RE: the FBI investigating any IP that accessed a false child pornography website that they set up? I think the powers that be have yet to realize that IPs are not exactly reliable means of identifying individuals.

Re:Don't download the source via the torrent

[SiriusStarr]

And then it just sucks if you run a tor exit node... But besides that... We're talking about an MMORPG company here. I don't think they can subpoena the ISP logs.

Re:From TFA...

[vux984]

Well, atleast on the tidbit shown on the article, the CCP representative sounds perfectly rational and professional. Am i missing something here?

Well, the CCP rep did sound vaguely annoyed to me; I could see him rolling his eyes. But then I imagine they roll their eyes at most of the conversations they have. :)

And by the way, how does this guy ended up with the sourcecode on the first place?!

That's still unclear. Some say its just decompiled python that anyone could do themselves easily enough. But he almost alludes to having a source within ccp... so I'm not sure.

Its too bad he's apparently not an english speaker because that invites mockery. And obviously he's not being terrible mature which further damages his image, but at the end of the day what he is asking for is legitimate in my opinion:

All he wants is CCP to acknowledge there are specific issues and to demonstrate that there have been real fixes added. Because he is firmly convinced that people have been botting for years using known exploits and that CCP hasn't made even the slightest effort to curb them.

So he's basically saying if you've fixed it... prove it. "Show me an exploit that used to work that doesn't now. Show me something, ANYTHING, that you've actually fixed in the last year or so related to stopping botters."

"And Improve your processes, so that if we report exploits you acknowledge them, and fix them, instead of just handwaving that security improvements have been added, because I'm not seeing any."

"And if you don't, I'm releasing the source, so we can ALL see for ourselves what you've actually improved over the last year, because I'm tired of watching people bot for YEARS without having to so much as adapt to new anti-bot tactics."

If this guy is just blowing smoke, then CCP really should have no issue publishing some of the hundreds of botting related exploit scenarios that they claim to have fixed over the last several patches...and showing that they no longer worked.

That much they owe their customers. Frankly, I don't really blame CCP for not publicly acknowledging security issues and bringing additional attention to each exploit before its fixed... BUT... I -do- think that the playerbase deserves some honesty -after- the fact.

If they release an exploit fix, publish it, what used to work, and what no longer works. CCP lacks credibility, and this would go a long ways towards helping restore it.

After all we get a better level of security updates disclosure from microsoft. I think all this guy really wants is the same from CCP. And if CCP *hasn't* actually done anything in the last few years to address all the while claiming they have, well... I can see why a segment of the playerbase is boiling mad about it, and wants to blow this into the public eye where they can't sweep it under the rug anymore.

Re:Don't download the source via the torrent

[Anonymous Coward]

http://seashells.partyvan.fm/~januszeal/pre51200sc.rar

^ Direct link

irc.partyvan.fm

Re:Don't download the source via the torrent

[Sancho]

Different investigation agencies probably do things differently. I can tell you that the RIAA has just hopped on, grabbed the peer list, and then hopped off (I work for an ISP and we actually have to deal with this crap.)

Re:this is going to be so great

[shentino]

where's your proof that they aren't?

The fact that Eve is going this ballistic suggests that something strange is going on. Not proof cold, but certainly it qualifies as somewhat sound circumstantial evidence.

Re:this is going to be so great

[Umuri]

Let me give you a little history lesson.
Back in the dark ages, ya know, the 90s, there was a little game called Ultima Online.

Heard of it? I hope so, it was one of the original MMORPGs.

Every client ever released for that game had all of it's packets decrypted, and the encryption scheme broken for keys, usually within 24-48 hours. Everytime they updated.

Add to that that people edited the client to do whatever they wanted, sometimes with other programs hooking in and altering packets, others by directly altering the assembly of the client.
Many people tried to exploit bugs in the game that way, but most failed, and everytime someone did find one, it was usually fixed relatively quickly. Malformed packets went from "all the rage" and the way to bug up a game to relatively worthless within a span of a month, barring a few new uses that popped up every so often from bad new code introduced.

Having the source code only simplifies this a little for the people who really care, and it doesn't really enable them to do anything they couldn't already.

Oh, also, while i'm at it. Did you know ultima online had a special client for staff characters? And that the binary for that client was leaked as well?

OH NOES! But wait! Ultima online used good security measures and correct privelege systems, so the client was worthless for anything a normal player couldn't do. :)

Summary: This isn't new, and it's happened before on other games. Except in the past most games were already so well understood by their communities that the source would add almost nothing except a little ease and some time saved duplicating a better version of the client when they stop upgrading.

Add to that, if this causes ANY security issue with EVE, then the people who coded the game should get in trouble, not the players. Good coding practices prevent all trouble the code could possibly do. You ARE checking for privelege levels and sanitizing your inputs, right?

Re:Calmly addressing issues

[Anonymous Coward]

Interestingly, we just ran an informal survey of ages in our corporation in EVE Online:

Born yesterday 0% [ 0 ]
16 - 20 7% [ 13 ]
21 - 25 20% [ 36 ]
26 - 30 19% [ 35 ]
31 - 35 20% [ 36 ]
36 - 40 15% [ 28 ]
41 - 50 12% [ 23 ]
50+ 3% [ 6 ]
None of your business :P 0% [ 0 ]
Older than Dirt 0% [ 0 ]
Total Votes : 178

EVE demographics are a good bit more varied then usual.

Full source?

[Anonymous Coward]

So has anyone actually recompiled it into a working client? Is it even possible or are these just, as people have said, decompiled portions of the client?

Re:Full source?

[Anonymous Coward]

These files have absolutely nothing to do with EVE.exe (the client) It is a decompiled version of the file 'compiled.code', which contains the python scripts that are used by the client.

Re:Warning! CCP Seeding, Banning Torrenters

[vux984]

Or needs to do validation on the server-side of all game-balance-affecting stuff--which is really the only way to ensure fairness, since clients can always be hacked.

Server-side validation only captures 'illegal commands', it doesn't really capture -automated commands-.

As long as the bots don't do anything Server side validation isn't going to catch squat. It can't easily tell if its a real player at the helm. And it certainly can't tell the difference between player:

click-a, click-b, c, d, e, f, g, h, i, j, k, l, m

and player

click-X
and exploit-script tells server he: click-a, b, c, d, e, f, g, h, i, j, k, l ,m
freeing the player some extra time to read status readouts, check the map, check his 6, etc.

nor can it tell the difference between:
player oberves condition - click-a, click-b in response and
script-bot detects condition - sends 'click-a, click-b' in response.

freeing the player to not have to issue commands at all. (Think of a bot that can farm ore by itself, return it to base, and make a rudimentary attempt to flee an attacker, even if the player is at work.)

Imagine a blob of 10-20 of these bots gate camping, assisted by just one or 2 players who can give the whole blob move/retreat/regroup/attack orders via an out-band channell like IRC.

Again server side validation isn't going to see anything in terms of invalid input.

These are the sorts of uses that hacking the client can be expected to yield, even if you assume the server is hardened and secure against 'malicious' clients.

Re:Calmly addressing issues

[Lehk228]

Goon Swarm are probably the most mature group on EVE, they realize it's just a fucking game and play for casual fun. their antics happen to greatly annoy the butthurt mom's basement dwelling 35 year olds, but that is more a reflection on the basement dwellers than on goon swarm.

Re:Official Communication from CCP

[Abuser_One]

This CCP Guys are lying as usually. Why didn't they say the person who has the sources can craft the bot on Python, able to do the same as usual players can do. > CRC checks? Patch blue.dll for them or hook advapi32.dll on signature checking exports (and return result required) to avoid messing with eve files. > "and poses no threat to our customers' billing information" tell these to those, who haven't seen the telnet server which is embedded into client and gets activated by python object coming with payload from server > no advantage can be gained by manipulating the EVE client If you don't consider using a bot, resembling player's everyday in-eve activities for up to 23 hours a day an advantage........ > Access to the source code for the EVE client exposes no security vulnerabilities Are you sure? Maybe i should post a python code for your ingame browser, so people with knowledge of security could give a bit more defenite answer?

Re:Direct link to the torrent

[Kayamon]

Am I the only person who thinks it somewhat wrong to post on Slashdot a link to stolen, unreleased source code?

Geez, why not just upload a GTA4 ISO while you're at it.

Re:Direct link to the torrent

[ichigo 2.0]

You forgot to add "Get off my lawn!".

When it costs practically nothing to produce a 1:1 copy of something, then it becomes impossible to charge much more than nothing for it. It really is as simple as that. There are huge changes coming and telling people to fuck off to North Korea won't change that.

Re:Warning! CCP Seeding, Banning Torrenters

[Lonewolf666]

From my experience with EVE I have the impression that their QA is a bit understaffed. There are some visible bugs in the game that have been unfixed for a while, so I presume there are exploitable security bugs to match.

Going the open source route may or may not help them, depending on how much of the data available clientside has to remain hidden from the user:
The deep dark secrets they don't want out could be something like players getting info on all objects in a solar system, and the client filtering out what should not bee seen. That would be immediately exploitable by a client that has the filter removed. It would also be poor design, but consistent with the general lagginess of EVE.

But then again, their behaviour indicates that they are not interested in going open source anyway.

Re:Warning! CCP Seeding, Banning Torrenters

[Rogerborg]

CCP does not believe in security by obscurity. The Python scripting language that is used by the client can be easily decompiled to generate human-readable code, and CCP has designed its server-side systems with that understanding.

This is the best attitude that I've even seen from a commercial MOG developer. It is exactly correct.

Someone just needs to tell their Banstick guys that. If they believe their own argument, then they need to act like it.

Re:Direct link to the torrent

[ichigo 2.0]

Give the man a cookie, for he gets it (even if he doesn't know it himself). 100% unemployment and total automation is what we should strive for. The day my job becomes automated is the day mankind is set free, for programming is something only intelligent machines can do.

Re:Warning! CCP Seeding, Banning Torrenters

[vux984]

How would investing more playtime into EVE give you an advantage over other players?

Simple.

Suppose you spend 80 hours a week in game.
Suppose I play 15 hours a week, but buy ISK to keep up with you in terms of in game cash.

Our characters wealth and skills would be equivalent, right.

But who is more likely to run a major alliance, control a starbase, or do anything else of real significance?

You see, the guy 'in game' has a massive advantage. He's spending 80 hours a week meeting people, building friendships, trust, networks, alliances, and has his finger on the community. You can't simply buy that.

The only thing you can get from playing a lot is more money, but if you really wanted that, there are other legit ways to acquire it without investing time.

What? Selling those time cards for ISK? Come on.

1) If the 15 hour/wk crowd decided to play keep up with the full time players there would be more time codes flooding the market than ore. Supply would outstrip demand a 1000 to 1. Its a solution for a handful of players maybe, but hardly a general solution.

2) I want to play for what I get in eve, not buy it. Its a game, first and foremost.

3) My commitment to Eve is 'several hours a week', and 15$/month or whatever. I'd like to see competitive play at this level. There are many thousands of us after all, so there's certainly no lack of opportunity for a 'league' for us.

But no, we're forced onto the hardcore server, where a chunk of the competition completely and utterly and permanently outclasses us, and we are forced to either dramatically up our committment in time or money to keep up... or come to terms with the fact that we can either remain irrelevant or become cogs in someone elses machine.

Yet if I want to race cars on the weekend, I can take the car of my choice and get into a competitive race with others in the same class of vehicle and skill, with a similiar level of commitment to the sport. I'm not put on the road with pro-drivers in F-1 cars and told that if I want to see anything remotely competitive then I'd better dedicate a lot more time and/or money to the pursuit.

That's just silly... yet that's the competition model in all MMOs to date.