exploit

Latest

  • Massively interviews EVE's Lead Economist part 2

    by James Egan
    02.19.2009

    The starbase exploit has been some big news lately. How does it impact your ability to assess the state of EVE's economy, and are there assumptions you've made in the past that you need to reassess now?

    It's a good thing that you mentioned the starbase exploit because we are in the final stages of creating a very thorough dev blog on that, which will hopefully be published very soon. [Note: this interview was conducted just prior to the release of the investigation's findings.]

    There are certain things with the POS exploit that made it very difficult to detect. You basically needed to be able to go to that particular starbase and look at it, look at the setup and so on. It was difficult for us to detect it otherwise, except from the code once we knew what we were looking for.

    From a market perspective the EVE economy has become so big that in order for you to impact the market you will really have to have large quantities. And as will be shown in this dev blog that will be published, the scale of the exploit really didn't start until late 2008... to the large industrial scale so that it started to impact the market.

  • CCP Games releases findings on EVE starbase exploit investigation

    by James Egan
    02.10.2009

    The EVE Online starbase exploit revealed in December has had a far-reaching impact on the game. Certain player-owned starbases in EVE were producing valuable, high-end materials that they shouldn't have been. Once a group of players picked up on this, they exploited the game on a massive scale, resulting in trillions of ISK (Interstellar Kredits, the game's virtual currency) that never should have existed being injected into the game. To date, this is the largest economic manipulation (via an exploit) ever revealed in EVE Online. The starbase exploit was the first of several player-triggered drama bombs that hit the game in recent weeks, and resulted in a substantial amount of (in-game) market turmoil and player outcry over the issue. The game's subscribers wanted openness on the matter from EVE's developer, CCP Games, and they've certainly got that as of today. CCP Games posted the results of the exploit investigation, and the caveat "be careful what you wish for" may apply here, given the depth and complexity of the findings conveyed to the playerbase in today's dev blog, "War Makes Thieves and Peace Hangs Them."

  • Markee Dragon taken offline, MMOwned moving

    by Adam Holisky
    02.08.2009

    We've received an interesting report on the WoW Insider Tip Line today. Two large World of Warcraft hacking and account trading websites, Markee Dragon and MMOwned, are offline. Article Update: According to MMOwned, they are moving servers, which is the reason their site is offline for some. Attempts to reach the sites prove unsuccessful. This is a good thing for everyone that wants to have a more legitimate gameplay experience in WoW, as both of these sites actively encouraged people to exploit bugs, break the ToS, and do all other sorts of tomfoolery that destroyed the game for legitimate players. Our tipster mentioned that these sites were taken down in part by action taken by Blizzard; however, we don't have any proof of that. I've selected the angry baby picture for this article, since that's how the exploiters and account traders are feeling right now. Buh-bye.

  • Anti-Aliased: When you can't hack it legitimately, cheat instead pt. 2

    by Seraphina Brennan
    02.04.2009

    It's all the company's fault

    Yes, it's all their fault that they didn't notice that they misplaced that one period in thousands upon thousands of lines of code. It's their fault that they don't run Salvage 40,000 times a week and check every rock and pebble in Vana'diel. People who make this rationale probably never looked at the innards of a program -- especially an MMO. You have lines of programming being done by multiple authors and you have logs that extend miles long. Even with specialized programs, it takes time to sift through all of that information. Case in point: Square-Enix fixed this glitch in November and banned people in late January. The delay wasn't because they were playing ping-pong in the basement and drinking beer. It was the double-edged decision of first finding who stood to gain on all of their servers, and then deciding an appropriate punishment. That takes time. You know, this probably would have been caught sooner if more people had stood up and reported it, instead of, you know, trying to conceal it. Then, when they get caught concealing it, they blame the company for not knowing about it. That's just poor form.

    The game owes me

    The game owes you what? It owes you for all the time you spent playing it, enjoying the challenges with your friends and engaging in an ever-changing world? Certainly I'm horribly opinionated, but I like to play games for fun. Whenever a game ceases to be fun to me, I stop playing and stop paying. I play because I enjoy it, and I hope other people are out there doing the same. FFXI may be an exercise in sadistic game design, but every player has the chance to walk away from Vana'diel. I did because I didn't have the time and I ended up enjoying the lore of World of Warcraft. If you are at the point that you hate the game so much that you believe it owes you something for your time spent playing it, then perhaps it's time to take a step back from it. There are plenty of other options in the game world.

    But Square-Enix isn't without fault

    The voices of the banned are right about one thing though -- Square-Enix has been inconsistent. Some people are getting banned for being in one of these cheating Salvage runs, and others are getting slaps on the wrists. There doesn't seem to be any clear consistency to how they slapped down the punishments. The first part of a reliable punishment is to make sure it's handed out consistently and with appropriate measure. Without that, people second-guess whether the punishment is truly necessary. It's like if a professor gave you a D on a test just because he didn't like your handwriting. Your answers never mattered, and that's what makes you angry -- it didn't feel justifiable.

    What it all comes down to

    Even with Square-Enix messing up like that, it doesn't change the facts. Players knew about the exploit, players attempted to hide the exploit, Square-Enix found the exploit, and players got what they should have known was coming. All of these people had the chance to stand up, call a GM, and say what was going on. If they had, and this problem had been caught earlier, bans probably wouldn't have been mentioned. These people would still have had their accounts. Certainly they would have less gear on those accounts, but it's really hard to use virtual weaponry when you can't log in.

    Colin Brennan is the weekly writer of Anti-Aliased who can still log into Final Fantasy XI when he wants to. When he's not writing here for Massively, he's over running Epic Loot For All! with his insane friends. If you want to message him, send him an e-mail at colin.brennan AT weblogsinc DOT com, or follow him on Twitter.

  • Anti-Aliased: When you can't hack it legitimately, cheat instead

    by Seraphina Brennan
    02.04.2009

    It's no secret that I keep my eye on the Final Fantasy XI community. With two friends running an upstanding linkshell on the Bahamut server, I like to know what goes on in the game. The current word on the street is the "big banhammer freakout." The vocal players are talking about what linkshells were hit by losing players caught up in the cheating scandal. But what's interesting are the words being thrown around -- things like "unprecedented" and "uncalled for." A quick jaunt across the street to the loving and cuddly galaxy of New Eden shows that something suspiciously similar happened to corporation starbases in EVE Online, also ending with tears, banned accounts, and the exact same arguments being thrown around the community. "I didn't know it was an exploit," "It's not my fault," "They made me do it," and my personal favorite, "You should have fixed it." So this week's Anti-Aliased isn't dedicated to some developer mishap or some bad piece of game design, it's dedicated to how daft some people are when it comes to cheating.

  • Did Square-Enix do the right thing?

    by Seraphina Brennan
    02.02.2009

    The Square-Enix banhammer recently came down onto the Final Fantasy XI community, permanently banning 550 non-RMT accounts that were involved in performing an exploit that has occurred over a two-year time period -- an exploit that some say SE was aware of, but never took steps to correct. The exploit in question was only available to linkshells involved in several endgame activities. The basic premise was to finish the activity and then, before the item drops from a treasure chest or monster, the alliance of parties would break into their separate groups. For you Warcraft players, a raid would cease to be a raid and break down to the parties involved. Then each of the 3 parties in the alliance would get a copy of whatever items would drop. So, instead of 1 set of loot, you would grab 3 sets of loot -- including some items that could be sold for millions on the auction house.

  • Mysterious twink rends worlds [UPDATED]

    by Alex Ziebart
    02.02.2009

    Our inbox has been absolutely flooded with reports of this mysterious twink, Aigni of Ner'zhul, that appeared on the official forums in the last 24 hours. If you look closely at his Armory, you'll notice some pretty big oddities. For one, the character is wielding a weapon he really shouldn't be able to have. Two, the character has some other items equipped that are normally far out of the reach of a level 10, such as the Violet Badge. Three, he has the achievement for downing Gruul the Dragonslayer. A lot of people have called 'hax' on it, but how it went down was probably more innocent than that. Not completely, entirely innocent, but more innocent than hacking Blizzard's Gibson. Our first instinct when looking at the items is that he must have simply completed a few bugged quests that had no minimum level requirement. Looking at his achievements killed that theory pretty quickly, though. The sword he's wielding, the Combatant Greatsword, is from a quest in the Borean Tundra. According to his achievements, he's never been to the Borean Tundra.

  • Nokia issues SMS Cleaner to cure 'Curse of Silence' bug

    by Darren Murph
    01.29.2009

    If your Nokia S60 handset has been stricken by the oh-so-cold 'Curse of Silence,' you'll probably want to pay attention here. Nokia has just loosed the SMS Cleaner on the world, not even a full month after the aforementioned exploit arrived on the scene. The handset maker claims that the application can "clean a Nokia S60 3rd Edition (Initial or Feature Pack 1) based device, which may have received a so called 'Curse of Silence' SMS message, and thereby restricted from receiving any new SMS messages." Installation looks to be pretty straightforward, and the file itself weighs in at a shockingly light 42KB. The read link's where it's all at, so head on down and get your sure-to-be-brief download on. [Via IntoMobile]

  • Safari RSS vulnerability might reveal your personal data

    by Michael Rose
    01.13.2009

    This vulnerability is patched in the 2009-001 security updates.

    When reports of security issues in Apple's Safari browser come over the transom, they get our attention. When they're exploitable in both the Mac and Windows versions of Safari, they get our full and undivided attention. When the person reporting them is Brian Mastenbrook (credited with discovering multiple previous vulnerabilities in Mac OS X)... well, someone shut off that damn klaxon and let us get back to work. In this case, the issue is that a hole in Safari's handling of RSS feeds could allow an attacker (via a malicious web page) to capture a user's personal information, cookies or even passwords. While Brian has not posted more details of the vulnerability publicly, he has acknowledgment from Apple that the issue exists; hopefully we will see an update soon that closes this hole. In the meantime, although Windows Safari users are advised to use a different browser to avoid the vulnerability, Mac users can simply set an alternative RSS feed handler to work around the issue.

    Update 1/14: Per Brian's further research, the workaround below is not adequate to protect against the vulnerability, as Safari also handles URL types of 'feeds' and 'feedsearch,' which cannot be set to alternative handlers within Safari itself. The revised workaround calls for the RCDefaultApp preference pane, which does let you redirect the other URL types.

    To change your feed handler, go to Safari's Preferences and click the RSS button. If you have any other capable feed reader on your machine, you can select it from the list (if your menu looks like mine does in the screenshot, you have a serious problem with RSS reader addiction and you need immediate help). Don't have another feed reader available? NetNewsWire and NewsFire (and the open-source Vienna, cited repeatedly by our commenters) are free for the downloading, as is the Reader Notifier helper app that interacts with Google Reader -- for the purposes of getting around the vulnerability, it doesn't matter which application you choose as long as you don't leave it set to the default of having Safari do its own RSS chores. Note that the vulnerability apparently does not require you to open a feed in Safari to be affected -- a specially-constructed webpage is capable of triggering it. RCDefaultApp settings for "feeds" and "feedsearch" also need to be modified. Thanks to Brian for the heads up & everyone who sent this in.

  • Player perception seemingly shifting in Age of Conan

    by Kyle Horner
    01.07.2009

    A lot of time has passed since Age of Conan launched last May and while some things never change, it seems like the player perception of FunCom's slightly misfired MMO doesn't want to play by the rules. It's a good thing, though, as a small poll seems to be showing. Now, we say small because the actual statistics in question only represent about one-to-two thousand participants. Still, as a snapshot of a community, that's not too bad. So what's the overall verdict? Bugs, exploits, and stability have all seen rises in ratings over the course of three months. The votes have also tilted in favor of communication and content for FunCom. So while we stress that this isn't super-scientific by any means, it does point to more improvements and overall up-trending for a game that saw some pretty rocky rapids just three or four months ago. Having fun in Conan's homeland? Make sure to check out all of our previous Age of Conan coverage, and stick with Massively for more news from the Hyborian Age!

  • Scouting around with the Crashin' Thrashin' Racer

    by Mike Schramm
    01.05.2009

    Cabinetsanchez over on LJ has documented something that I saw in action yesterday while running a few instances -- while it's a ton of fun to run my Crashin' Thrashin' Racer around (I'm undefeated since I picked up the achievement the first day I got the toy, by the way), players have found a few extra ways to make the Racers work for them. Yesterday, I saw one of my group members using the Racer a few times to scout the instance ahead and see what pulled with what, and as CS says, it worked great: while the Racer will aggro enemies, they won't tag on to the rest of the group -- they'll just reset after they destroy the little car. CS also says that the Racer takes no falling damage, so you can send it exploring off of cliffs and platforms, and he says that though the car is considered level 60, its aggro range is pretty small (I can attest to this, as we were driving it pretty close to enemies yesterday without it registering on their radar). And he's got an even more devious use (some might say this is an exploit): bosses aggroed by the racer will sometimes despawn after they conquer it for up to 30 seconds or so. That seems like a hotfix waiting to happen, but I haven't personally tried it, so it may not be as useful as it sounds. The downside of this is that the Racer was meant to be a fun item, and if it really does lead to behavior that Blizzard considers exploiting, they might have to think twice about including great items like this in the future. We'll have to see what their ruling on this is, but hopefully no matter what happens (I'm guessing a quick hotfix, maybe even shrinking the range of the Racer's controller), this won't prevent Blizzard from giving us more fun toys later on.

  • 'Curse of Silence' exploit squelches inbound SMS/MMS to Nokia S60 devices

    by Ross Miller
    12.31.2008

    Here's an odd one for you. Tobias Engel of the Chaos Communication Congress has discovered a rather nasty exploit that'll cause any Nokia S60 devices running versions 2.6, 2.8, 3.0 or 3.1 to stop receiving SMS and MMS messages. The "Curse of Silence," which has been independently verified by F-Secure, is triggered by sending an SMS that begins with an email address that's at least 32 characters long. The attacker must also change the protocol identifier to internet electronic mail before sending. Devices with versions 2.8 and 3.1 lock up after 11 such messages and still have some limited receiving capabilities, while 2.6 and 3.0 devices will go completely mum after just one attack. In both cases a factory reset is required to fix it, and he says there is no other known workaround for the user. We don't imagine this being a pervasive issue, but if you've got any tech-savvy enemies or malevolent pranksters in your life, you've been warned. Video demonstration is after the break, or hit up the read link to see if your device is among those listed at risk. [Via Hack a Day]

    Read - Vulnerability Advisory
    Read - F-Secure Verification

  • Linden Lab suggests viewer security vulnerability disclosure group

    by Tateru Nino
    12.27.2008

    Over on the Second Life viewer development mailing list, there's a spirited discussion in progress about the suggestion of a notification list for viewer security vulnerabilities. The principal idea is that distributors of third-party viewers would get slightly earlier notification of vulnerabilities and exploits in the viewer code so that they could have secured versions of their Second Life viewers available to the general public at approximately the same time as secured versions of the first-party viewer become available. Linden Lab has invited debate on what sorts of people it would be reasonable to disclose the information to (for example, perhaps only those who had signed a non-disclosure agreement). The topic has, naturally enough, brought out considerable debate as to whether such a group is necessary or even desirable.

  • DDO's Shroud exploit closes raid until patch

    by Shawn Schuster
    12.04.2008

    After "widespread griefing of players by other players using a game exploit," Turbine decided to finally take down the Shroud raid in Dungeons and Dragons Online to prevent further use of this exploit. This level 17 raid was introduced with Module 6 and, through the bug, allowed a single cleric to deny other party members completion and the part 4 chests. Although community reaction to the shutdown is mixed, as is expected, Turbine says the raid's issue will be fixed and the Shroud will be reopened on the next patch, which could come as early as next week.

  • Exploitation and the demise of Heroic Leap

    by Adam Holisky
    11.27.2008

    There was a time in the beta of Wrath of the Lich King that Warriors everywhere were excited little special snowflakes. They had not one but two, count 'em two, special talents: Heroic Leap and Titan's Grip. While the dual wielding goodness/badness that is Titan's Grip continues today, Heroic Leap was removed mid-beta with Warriors everywhere screaming and crying. Yours truly shed a tear. I loved leveling through the Howling Fjord and Dragonblight with Heroic Leap at my side. One press of a button and bam – I'd be raining down upon my enemies with my plate shining and dual two-handers blaring. Its demise has always been speculated upon. Many thought that the skill just provided one too many ways for a warrior to quickly move about the world. Others thought that it was due to it being too overpowered in PvP. Still others thought it had to do with exploitation of the terrain.

  • iPhone bug a potential threat?

    by Dave Caolo
    11.12.2008

    There's a lot of "could" and "might" in this story, folks, so keep that in mind. MacNN is reporting that a group of iPhone developers has identified a bug in the current iPhone firmware that could lead to an exploit of the Default.png file. Default.png is what's displayed when an application is launched in the iPhone. Typically it's a static image, but some of Apple's applications use a dynamic file, which could be fooled into granting access to third party code. This sounds like conjecture to us, and MacNN's sources are not known, so keep that in mind. Plus, iPhone firmware 2.2 is rumored to be released on the 21st. Perhaps it will lock this down.

  • Gold farmers connected with $38 million money laundering bust

    by James Egan
    10.25.2008

    We've heard about gold farmers tangling with the law before, but this is pretty extreme from initial accounts we've turned up. So while a few of the details coming out of Korea are still a bit hazy, it seems a money laundering operation (working with gold farmers and MMO account thieves) was busted this week while trying to move $38 million between Korea and China. The Seoul Metropolitan Police Agency stated the operation was headed by a man named Jeong who, with a number of other individuals in Korea, was caught wiring the $38 million in illicit funds. Korean news site dongA reports: "Jeong and his ring reportedly sold the game money illegally produced in China using cheap labor and virus programs. They are believed to have taken a commission of three to five percent of the money traded to purchase game money."

  • Fable 2 Pub Games receives patch, gold exploit fixed

    by Griffin McElroy
    09.21.2008

    It appears that the "intentional" money-grubbing exploit in Fable 2 Pub Games was a limited time offer -- the game's development team has followed through on their promise of an update for the XBLA companion to Lionhead's upcoming action-RPG, removing the gold-garnering glitch and resetting the Fortune's Tower (the aforementioned glitched game mode) leaderboards. Mercifully, they've apparently allowed the title's nefariously wealthy exploiters to keep their piles of loot. We'll see if it was worth it when their Fable 2 characters are mysteriously stricken with an incurable case of dysentery -- provided Molyneux's threat wasn't just a bluff.

  • Molyneux: Pub Games 'glitch' intentional, with consequences

    by Ross Miller
    09.16.2008

    While we're sure you've already constructed your Scrooge McDuck-esque pool of golden, nefariously-obtained Fable II Pub Games earnings, Peter Molyneux might be preparing to pull off the biggest gamer prank since the anti-Spore Rick Roll. According to a quick blurb in IGN's Fable II preview, "Just be warned. Molyneux has said that the cheat was no accident and that those who used it to earn their money will be in for a surprise." Something tells us that "surprise" isn't being filthy rich in-game. Is he bluffing? We'll find out soon enough when our sea of coins is quickly drained from under us. Fable 2 is due out October 21. Need more Fable 2? We can't blame you. Check out our hands-on with the first three hours of the game, as well as our interview with Peter Molyneux, in which he talks about his game, Too Human and Lionhead's "shocking" secret project.

  • EVE exploit warning affects corp infiltration practices

    by James Egan
    08.27.2008

    War declarations are an essential part of EVE Online. They allow corporations and alliances to fight for control over resources, territory, or simply to get revenge on their rivals. Then again, others declare war for the opportunity to grief in Empire space. Perhaps it's this latter tendency that prompted the latest announcement from CCP Games. They're branding the monkeywrenching of rival corporations during wartime as an exploit. GM Grimmi states: "The practice of insta-joining/leaving warring corporations for the purpose of surprising war targets, or getting them in trouble with CONCORD, is considered an exploit from here on. Reports of this will be investigated on a case by case basis and warnings will be issued at the discretion of the GM. Repeated incidents may result in bans on accounts involved." This doesn't seem to apply to 'normal' corp infiltrations, though it does beg the question of why a corporation at war would even be accepting new recruits at all. What's the protocol in your corp, do you continue to accept applicants into the fold during a wardec, or is the risk of alt spying and sabotage too great?