ostatnio wyszla na jaw dosc przykra sprawa z kradzieza kodu EVE. Czesc plikow mozna znalezc na torrentach - generalnie szok.
ponizej macie copy chata z mmorpg.com
http://mmorpg.com/discussion2.cfm?THREAD=173966&bhcp=1wersja dla leniuchow:
History:
[20:16] <Abuser> So. Talking with Arkanon wasn\'t fruitful.
[20:17] <[IA]Morpheus> Not quite, what are you trying to achieve?
[20:17] <Abuser> Make CCP confirm some things they are refusing to confirm ...
[20:18] <Abuser> Make intelligent approach to fixing bugs and perfomance issues instead of messing with game balance
[20:18] <Abuser> at least
[20:18] <[IA]Morpheus> You have no idea how we even work, theres 350 employees working at CCP and you don\'t know the slightest about our processes.
[20:18] <Abuser> I don\'t know HOW you work
[20:19] <Abuser> i see the RESULT of this work
[20:19] <Abuser> and UNDERPANTS of it
[20:19] <Abuser> I have enough experience researching MMO\'s
[20:19] <Abuser> eve isn\'t first
[20:19] <Abuser> and won\'t be last
[20:20] <Abuser> so if you want to tell i don\'t have the understanding of CCP infrastructure related to eve - you are somewhat wrong
[20:20] <Abuser> but question isn\'t about this
[20:20] <Abuser> from what i know previous sourcecode leak
[20:20] <Abuser> was couple years ago
[20:20] <Abuser> and from what i see, nothing changes in terms of quality
[20:21] <Abuser> neither things, allowing people to exploit eve (for botting) - were fixed
[20:21] <Abuser> is that how 350 people (i doubt if at least 1/5 - 1/7 of them are programmers)
[20:22] <Abuser> work?
[20:22] <Abuser> Customers without in-depth knowledge will not notice this
[20:22] <Abuser> but what if somebody will explain the situation for them?
[20:23] <Abuser> or you consider USD14.95 people pay you every month aren\'t enough to be fair with them?
[20:26] <[IA]Morpheus> This is the wrong way to go about things and will not lead to a revolution in how CCP does things internally.
[20:26] <[IA]Morpheus> Sorry if thats what you were after.
[20:26] <Abuser> I\'m not looking for revolution
[20:27] <Abuser> Do you know such term as \"Proof of Concept\"?
[20:27] <Abuser> It\'s only enough it to get into hands of people who consider themselves to be programmers
[20:28] <Abuser> Currently eve don\'t have any clientside (and i\'m 100% no serverside, except logs) routines to detect bots
[20:28] <Abuser> Even stupid ones, using OCR and called Macroses
[20:28] <Abuser>
[20:29] <Abuser> Won\'t the wave of intelligent bots make CCP work at least in the direction of securing the engine?
[20:29] <Abuser>
[20:29] <[IA]Morpheus> Of course it will, that\'s obvious.
[20:29] <Abuser> Nice
[20:29] <Abuser> that\'s at least part of the plan
[20:29] <[IA]Morpheus> If thats what you want to achieve then congratulations, we are always working on improving security and plugging holes. If you want to help with that, try a normal approach like say sending us an email with suggestions.
[20:30] <Abuser> No, you are lying
[20:30] <Abuser> Security wasn\'t improved since last theft
[20:30] <Abuser> except some CryptoAPI and zlib
[20:30] <Abuser> so don\'t try to fool me
[20:31] <[IA]Morpheus> Security is always being worked on, I trust you know programming takes a lot of time and effort.
[20:31] <[IA]Morpheus> You say we have no ways to detect bots, yet we continue to ban thousands of exploiters who sell ISK and so forth.
[20:32] <Abuser> And that\'s all?
[20:32] <Abuser> And what if people start using some hypothetic people2people trading service
[20:33] <Abuser> that will avoid of using sellers who are constantly monitored via logs?
[20:33] <Abuser> so there will be signle and not interconnecting trades
[20:33] <[IA]Morpheus> Then we\'ll pick up on that and fix it..?
[20:33] <Abuser> that\'s how Blizzard can\'t do anything with such theme
[20:33] <Abuser> don\'t think you will manage
[20:33] <Abuser> they are losing more than you
[20:33] <Abuser> Why not to add client-side routines to detect bots?
[20:34] <Abuser> Why using petitions?
[20:34] <Abuser> People can lie, people can put a bucket of dirt on player who never violated eula
[20:35] <Abuser> And he will be banned, if petition will contain only right details describing the things you will never log, but that are surely be bot\'s actions
[20:36] <Abuser> EVE Clientside is enough to put bot-detecting routines there
[20:36] <Abuser> you can even use
[20:36] <Abuser> your spyware approach
[20:36] <Abuser> similar to when downloading PC identification python object during authentication as payload
[20:37] <[IA]Morpheus> Let it all out, I\'ll be sure to forward the conversation to all of our programmers, if thats what you want.
[20:37] <Abuser> No, your programmers are just following the plan
[20:37] <Abuser> they aren\'t that bad guys who caused all this anarchy
[20:37] <[IA]Morpheus> Care to tell me who did?
[20:38] <Abuser> Those who plan eve development and/or who decide the priority of client upgrades to be implemented.
[20:39] <Abuser> Currently Shiny Features have more priority than solidifying security and fixing bugs, from what i see
[20:40] <Abuser> Or how else you can explain the ability for the bots to use same approach to exploit eve engine as when previous sourcecode leak was?
[20:41] <Abuser> Nothing changed to prevent this?
[20:41] <Abuser> But we\'ve got tons of content patched
[20:41] <Abuser> but still lagging jita and deadly lagging blobs
[20:41] <Abuser> but from patchnotes i see that these things aren\'t your priority
[20:42] <[IA]Morpheus> I see that your intentions are good but this isn\'t playing out nicely for either parts.
[20:43] <Abuser> Guys, theres no other way that will play better.
[20:43] <Abuser> You simply ignore community requests to fix the core of eve, rather than add new coats to it, to make community forget about the bugs.
[20:43] <[IA]Morpheus> I despise bots and hacks over everything, but this is also a business, we\'ve got developers designing content and EVE needs to grow. I know for a fact that there are programmers working on security, more than that I can\'t really say.
[20:43] <[IA]Morpheus> If you think we are releasing new content to make you forget about bugs then I\'m not sure what I can say to convince you.
[20:44] <[IA]Morpheus> Patches have always been 50% bug fixes 50% content or so.
[20:44] <Abuser> Could you certainly say me what your programmers did to secure clientside from exploiting Eve?
[20:44] <Abuser> what\'s certainly
[20:45] <Abuser> I don\'t have anything against content makers - their ideas are good, really good
[20:45] <Abuser> I have full eve sourcecode, so you know what\'s did, and what\'s not;)
[20:46] <Abuser> From all security i saw - were ROLE permissions for logins with priviliges higher than usual player, and some minor things in relation to prevent some remote service calls (some with potentially bad payload)
[20:46] <Abuser> nothing else
[20:47] <Abuser> is that called \"programmers working on security\"?
[20:47] <[IA]Morpheus> Are you cruising for a job or something?
[20:47] <Abuser> Nah
[20:47] <Abuser> neither job, neither anything else
[20:47] <Abuser> you may think of in such direction
[20:48] <Abuser> Digging the situation to uncover the truth
[20:49] <Abuser> You may compare me to fox mulder from x-files series
[20:49] <Abuser> it\'s the best description of why i do this
[20:49] <[IA]Morpheus> Ah, well, nice to meet you Mr Mulder.
[20:50] <Abuser> So... would you like to answer what AWESOME ccp programmers did in relation to client/server security (at least for client?)
[20:51] <[IA]Morpheus> No, we won\'t respond to blackmail. If you think we don\'t care or aren\'t working on improving security you are sadly mistaken.
[20:51] <Abuser> IA
[20:51] <Abuser> did you saw the code yourself?
[20:51] <[IA]Morpheus> Yeah, and?
[20:51] <Abuser> or you are just telling me someone else\'s words?
[20:52] <[IA]Morpheus> Nop, I\'m all alone.
[20:52] <Abuser> And where do you see security fixes or bot catching routines in client?
[20:52] <[IA]Morpheus> I wouldn\'t know, I\'m not a programmer.
[20:52] <Abuser> YAY
[20:52] <[IA]Morpheus> If you think we are gonna tell you everything we\'ve done or are going to do then I\'ve got a bridge to sell you.
[20:53] <Abuser> so how you can tell if there are security pathces?
[20:53] <Abuser> Morpheus, i have a client sourcecode
[20:53] <Abuser> and have a people who can supply me with updates
[20:53] <Abuser> of each new version
[20:54] <Abuser> (where my python decompiler won\'t be able to handle optimized bytecode)
[20:54] <[IA]Morpheus> There\'s probably more to it than meets the eye, Fox Mulder.
[20:54] <Abuser> so in relation to client i have the same about of knowledge as you
[20:55] <Abuser> So you insist that security patches are applied to client and client is secure and non-exploitable?
[20:55] <Abuser> Maybe i should release a small hack with portion of eve sourcecode to eve forums that will exploit something?
[20:55] <Abuser> or you will continue to talk that everything is fine?
[20:56] <[IA]Morpheus> Heh, I\'m not saying there aren\'t exploits, don\'t be naive..
[20:56] <Abuser> o
[20:56] <Abuser> there\'s 1 big exploit )
[20:56] <[IA]Morpheus> There are and probably will always be, however we will continue to work against them. What else do you want?
[20:56] <Abuser> and tons of small ones
[20:56] <Abuser> not the ones requiring people to do queue of actions ingame to achieve the result
[20:57] <[IA]Morpheus> And you want this fixed?
[20:57] <Abuser> i\'m talking about the ones, that are coming to light when you are exploiting eve python engine (oh god they said me it\'s impossible)
[20:57] <Abuser> Easiest way was to start using c++ and completely rewrite the code some time ago
[20:57] <Abuser> but i assume it\'s too late
[20:58] <Abuser> so you will not get rid of python injections
[20:58] <[IA]Morpheus> Time will tell, I suppose.
[20:58] <Abuser> but you can think of coding anti-bot routines
[20:58] <Abuser> I wonder if your programmers and qa know at least 1/20 of they ways possible to use to inject the code
[20:59] <Abuser> starting from most stupid approach
[20:59] <Abuser> and ending with ring0 injector
[20:59] <Abuser> trust me
[21:00] <Abuser> you can try
[21:00] <Abuser> ugh
[21:00] <Abuser> you COULD try
[21:00] <Abuser> but nothing was done in this direction for years
[21:00] <Abuser> i know people who are safely botting (first with ocr, then on python code bots) from early years of eve
[21:01] <Abuser> and they also agree nothing was changed in terms to stop or make the bots function wrong
[21:02] <[IA]Morpheus> You know, if you want that to stop you should let us know exactly how those bots function instead of threatening to leak source code.
[21:02] <Abuser> only if i will have public guarantess and confirmation that certain list of things will be fixed
[21:03] <Abuser> confirmation on each exploit
[21:03] <Abuser> otherways - there\'s no sense
[21:03] <Abuser> i\'m not only want to see these things fixes
[21:04] <Abuser> it also requires CCP to confirm that these bugs existed (and exist) over years
[21:04] <Abuser> you understand what i mean
[21:05] <Abuser> i\'m thinking of some patching for trinity graphic engine
[21:05] <Abuser> to show that it\'s possible to make client show much more fps
[21:06] <Abuser> at least in space, during large fights
[21:06] <Abuser> (and that\'s one more stone to the window of your programmers, who must be forgot of such thing as level of details)
[21:07] <Abuser> there are many things - some interesting constants, that should be controlled by server, but they are not; ability to faster change sessions, unloading unnecessary services in runtime when they are not required
[21:08] <Abuser> truth on some strange session roles like viplogin
[21:08] <Abuser> 10 megabytes of code are enough to find a lot of things that should be there
[21:10] <Abuser> *should not
[21:11] <Abuser> And How these bots are functioning?
[21:12] <Abuser> Executing python code inside of eve python interpreter
[21:12] <Abuser>
[21:12] <Abuser> Or calling python api (these are less intelligent ones) to call objects, methods from eve python
[21:14] <Abuser> Untile eve uses python, there\'s no way to prevent these bots from using it too
[21:14] <Abuser> Untile=>*While
[21:15] <Abuser> It\'s possible to catch them, but not prevent from appearing and being more and more intelligent.
[21:15] <Abuser> In near perspective, other people who also have eve sourcecode (not from me) - will be able to release the bot that will be able to keep in control every single in-game activity usual player can do ingame.
[21:16] <Abuser> So only way (if you are not going to stop using python) - is to implement a bot catching routines on clientside
[21:22] <[IA]Morpheus> Well, thanks for all the advice.
[21:23] <Abuser> so
[21:23] <Abuser> i assume there will be no public excuse and to do list of bugs to fix from CCP?
[21:27] <[IA]Morpheus> Not quite, however, we are prepared to talk if you want your EVE Accounts reopened. This would also be a chance for you to give and receive feedback on the horrible bugs and exploits you know about.
[21:27] <Abuser> I\'m not interested in my eve accounts
[21:27] <Abuser> The ones you closed
[21:27] <Abuser> weren\'t involved in testing
[21:27] <[IA]Morpheus> Then we have nothing more to discuss, thank you for your time and have a good day.
[21:32] <Abuser> It\'s was nice you agreed to talk with me.
[21:32] <Abuser> Personal thanks for your patience, Morpheus.
[21:32] <Abuser> Have a good day.
[21:32] <[IA]Morpheus> Sure thing. Farewell.
<[IA]Morpheus> Hi, give me a few minutes to reply to your mail.
<Abuser> Sure
<[IA]Morpheus> Do you have a list of bugs and exploits, the ones that you want us to fix?
<Abuser> 1. List of exploitable clientside things.
<Abuser> 2. Description of ways to exploit python engine (with examples)
<Abuser> 3. Ways to detect the bot(-s)
<Abuser> but
<Abuser> only in case terms i listed during our last discussion yesterday
<Abuser> *case of accepting
<[IA]Morpheus> Can you list them again please so I can run this by some people?
<Abuser> 1. List of places in clientside code that allows to code small client-side hacks.
<Abuser> 2. Descriptions of the ways to intrude in EVE python engine and execute arbitary code there
<Abuser> 3. Ways to detect existing bot(-s) (at least know 1 serious enough)
<Abuser> 4. General ideas to improve EULA.
<Abuser> Only when:
<Abuser> 1. CCP published press release with:
<Abuser> a) confirmation of some bugs/holes existed for years
<Abuser> or
<Abuser> b) publishes in-depth reports on these bugs, and reports on what fixes were made for them
<Abuser> 2. CCP starts work in direction of serverside+clienside bot detection routines, also with public press releases (less detailed ofc)
<Abuser> That\'s all.
<[IA]Morpheus> Alright, give me a few please.
<Abuser> Sure.
<[IA]Morpheus> Going to forward this to someone who can make a decision.
--------------------------------------------------------------------------------
