What client side implementations are you striving for? Where do you plan on fixing the "the holes"?

Why not undertake current systems in use EG: punkbuster, VAC. What plans do you have for MACRO type bots EG: Mouse tracing etc? (Why is not not possible to implement "monitors" akin to what browser analytics use? Essentially take a fingerprint of actions and movements taken?

I see the largest problem as the client side python injections...as people can upload their own scripts to program their own AI.

What sort of security features are there for packet transfers?

Granted there will always be exploits, but to reiterate whats the overall plan?

Some courier bots run on trial accounts with virtually untrained pilots. A ban of such an account seems like it would not be a deterrence, even if you upped it all the way to a one strike perma-ban. The botter can easily start a new trial. Any ideas on what would be a deterrent to these botters? All I can think of is isk removal from whatever account collects the isk.

In the security panel, something was mentioned about besides attacking bots directly(which is good), to alter content.

ie. If the current pve content (watching three bars turn red while orbiting) or staring at lasers punch rocks for hours is whats giving people a reason to bot, that it was something worth looking into.

any comments on this?

I think some people probably bot because of how repetitive certain pve activities can be.

Bot war report: Jita price trends.

Minerals: rather stable. Actually as some bots increase mineral supply, and others, via "earning" isk eventually increase mineral demand, we may not see much effect here.

Ice: Some upward movement in isotope prices. These moved up about 10% a week ago, then stabilized at the new level.

PLEX: Bot accounts consume PLEX, but the price has only dropped a tiny amount in the last week.

Implants: I checked attribute implants. Basics (+3) have increased a bit, others have been stable.

Overall the effect on the market has been tiny. All I'm seeing could easily just be normal market noise. To date the idea that bots are needed to make the EVE economy work is not supported by market data at any level.

CCP Sreegs: Some courier bots run on trial accounts with virtually untrained pilots. A ban of such an account seems like it would not be a deterrence, even if you upped it all the way to a one strike perma-ban. The botter can easily start a new trial. Any ideas on what would be a deterrent to these botters? All I can think of is isk removal from whatever account collects the isk.

We're not going to go into deep details about the specifics of our implementation. We chose not to use an external vendor for various reasons I also don't want to get into, but basically I think we can do a better job in-house. We are aware of OCR bots and have plans to deal with them. Python injection as well.

We're not going to go into deep details about the specifics of our implementation. We chose not to use an external vendor for various reasons I also don't want to get into, but basically I think we can do a better job in-house. We are aware of OCR bots and have plans to deal with them. Python injection as well.

What we're going to do is over time give you guys some more information about the research we're doing to institute additional security in the form of dev blogs or whitepapers. We will not, however, be documenting specific controls.

Furthermore does CCP issue "hardware bans"? If no why not? I rather liked Curt Schilling's (Or who ever that guy is creating a new mmo) analogy. "If someone at Disneyland is being disruptive or what have you they kick them outta the park they dont put time in time out" .

This has been discussed but I don't recall how deeply. It's on my list to discuss later. I will say that we are paying careful attention to any areas where one might be able to throwaway and mass generate isk making characters in short periods of time. (Game Design)

It takes very little effort to spoof a good chunk of hardware IDs on your computer.

It's low sec, name the system. I'm sure some vigilantes will want to visit from time to time.

We are aware of OCR bots and have plans to deal with them. Python injection as well.

[20:33] <Abuser> Why not to add client-side routines to detect bots?
[20:34] <Abuser> Why using petitions?
[20:34] <Abuser> People can lie, people can put a bucket of dirt on player who never violated eula
[20:35] <Abuser> And he will be banned, if petition will contain only right details describing the things you will never log, but that are surely be bot\'s actions
[20:36] <Abuser> EVE Clientside is enough to put bot-detecting routines there
[20:36] <Abuser> you can even use
[20:36] <Abuser> your spyware approach
[20:36] <Abuser> similar to when downloading PC identification python object during authentication as payload
[20:37] <[IA]Morpheus> Let it all out, I\'ll be sure to forward the conversation to all of our programmers, if thats what you want.
[20:37] <Abuser> No, your programmers are just following the plan
[20:37] <Abuser> they aren\'t that bad guys who caused all this anarchy
[20:37] <[IA]Morpheus> Care to tell me who did?
[20:38] <Abuser> Those who plan eve development and/or who decide the priority of client upgrades to be implemented.
[20:39] <Abuser> Currently Shiny Features have more priority than solidifying security and fixing bugs, from what i see
[20:40] <Abuser> Or how else you can explain the ability for the bots to use same approach to exploit eve engine as when previous sourcecode leak was?
[20:41] <Abuser> Nothing changed to prevent this?
[20:41] <Abuser> But we\'ve got tons of content patched
[20:41] <Abuser> but still lagging jita and deadly lagging blobs
[20:41] <Abuser> but from patchnotes i see that these things aren\'t your priority
[20:42] <[IA]Morpheus> I see that your intentions are good but this isn\'t playing out nicely for either parts.
[20:43] <Abuser> Guys, theres no other way that will play better.
[20:43] <Abuser> You simply ignore community requests to fix the core of eve, rather than add new coats to it, to make community forget about the bugs.
[20:43] <[IA]Morpheus> I despise bots and hacks over everything, but this is also a business, we\'ve got developers designing content and EVE needs to grow. I know for a fact that there are programmers working on security, more than that I can\'t really say.
[20:43] <[IA]Morpheus> If you think we are releasing new content to make you forget about bugs then I\'m not sure what I can say to convince you.

We will not, however, be documenting specific controls.

I know I'm in kind of a tough spot and I understand your frustration. Our plan is to be as open with you guys as we can be and we've got a lot of good ideas circulating around the team about how to do that. One other thing we need to be careful about is prematurely trumpeting success. There's at least one bot site you could look at right now that isn't selling its bot or allowing it for download. Why? It's not because they've suddenly decided to be good citizens it's because we were banning them.

It's ultimately a game of cat and mouse however and we'll need a few more weeks to research, action and examine before we're ready to start tooting horns. You'll be the first to know about it when we are though.

Maybe I am reading too much into that reply but of the three most important bot categories you list only two.

What about plain process injection/hooking (whether this is done via InnerSpace or otherwise)?

Maybe I am reading too much into that reply but of the three most important bot categories you list only two.

What about plain process injection/hooking (whether this is done via InnerSpace or otherwise)?

Both (combat) mission bots I am currently aware of hook into the EVE client via InnerSpace - and if I were concerned about the health of the game that's the group of bots I would be most worried about.

Missions running bots would be pretty painful to construct based on an OCR system & hardening the EVE client against Python injections looks like a relatively straight-forward task.

(( start rant:

and I don't understand why this hasn't been fixed long ago - not like some guy calling himself "Abuser" did make CCP look like a fool in 2008 by publishing decompiled client code, pointing out the security risks of Python injections and asking "Why not to add client-side routines to detect bots?"



yes, Ladies & Gentlemen, that was April 2008 - almost to the day 3 years ago.

edit: according to CCP's favorite persona non grata the "previous sourcecode leak" took place in 2006 and was accompanied by the release of a Python-injection based mining bot. I am too lazy to verify this as almost all Google results seem to reference the 2008 leak.

))

Mining bots & ratting bots will always create some customer outcry because they operate in plain sight and compete with human players over scarce resources - but for the same reasons they are easy to detect and it is relatively easy for players to take action against them.

Mission running bots compete in a much less obvious manner with human players (overall inflation, ISK/LP ratio, prices of meta 1-4 modules) and their interaction with other players is usually limited to bumping into each other at the station undock (+ the occasional ninja salvager).

One system can only support so many mining or ratting bots - but one agent can support any number of mission running bots (and I don't believe dynamic agent quality will ever be implemented in a fashion that is harsh enough to change this qualitatively).

Hooking into the EVE client process allows for extremely sophisticated bots, is currently used for the most dangerous bots (imo) and is relatively hard to prevent without really invasive anti-botting tools (don't know about the EVE specifics but I have a rough idea how malware usually achieves its goal of hooking into system processes) - yet it is the one thing your reply doesn't even mention at all.

(disclaimer: I don't know InnerSpace well enough to be 100% certain that it doesn't use Python injection internally but I don't see any reason why it should have to)


we'll read about the specifics a few weeks later on the forums frequented by bot authors, anyways.

You know of python bots that don't use process injection?, i did'nt think it was possible to make any kind of python injection without using process injection.

How do you feel about the tactics used by that guy (can't recall the name) in the previous thread, viz doing a few basic checks to see whether they're complying with the laws in their local jurisdiction with respect to business registration, taxes and so forth.

Setting the local tax authorities on the bot sellers would be an extremely effective way of interdicting or restricting their operations, with the additional benefit of providing much satisfaction to those of your customers who do pay their taxes and wish that everyone else shared the joy of the experience with them. Assuming that CCP Hf is itself all up to date in this respect, it seems like there would be no down side to ******* with these guys in this way.

EDIT: Time spent arguing with the inland revenue and the customs and excise people (dunno what they're like in the US and Iceland, but in the UK, the Customs guys can be really mean. Can you say "no presumption of innocence"?) is time not spent updating their bot code.

Done

In all my years as an online person, player of countless online universes and prowler of many large community forums, I can honestly say that I have NEVER been hacked. Now, this might be a one in a billion fluke, but I'm pretty sure that if you get hacked, the reason is you or your vicinity.

i had my account for another mmo "hacked" once, they brute forced my password (my pc wasnt infected and i dont visit dodgy sites anyway) thankfully i was online doing some crafting at the time and was able ot quickly relog while changing my password with a clean system, so they got nothing from me other than a username, which was always the weakest part of my login info anyway. saying that its everyoens own fault when they get hacked is stupid, sometimes it doesnt matter how paranoid you are about online security you are you will get hacked, thats why they call it brute forcing

It was not your fault the your password was so weak they were able to brute force it?

So, do you guys still want me to continue updating you all on the activities of the bot forums? I'm not gonna lie, it was fun.

I might have to make my own thread though...up to you, Sreegs.

So, do you guys still want me to continue updating you all on the activities of the bot forums? I'm not gonna lie, it was fun.

I might have to make my own thread though...up to you, Sreegs.

So, do you guys still want me to continue updating you all on the activities of the bot forums? I'm not gonna lie, it was fun.

I might have to make my own thread though...up to you, Sreegs.

3. Brute force attack - Ok this is technically not your fault, sorry those who think it is but it's not.. a brute force attack simply runs through both a dictionary attack followed by random number and random letter attacks.. starting at the lower limit of the number set by the person running the BF attack (typically 4 - 6 characters) and ending at the largest (typically 10 - 12) however these attacks typically become rather obvious and should be noticed by the server side protection software.. I mean if you can't get your password right after the 50th time somethings up right?

So, do you guys still want me to continue updating you all on the activities of the bot forums? I'm not gonna lie, it was fun.

So, do you guys still want me to continue updating you all on the activities of the bot forums? I'm not gonna lie, it was fun.

I might have to make my own thread though...up to you, Sreegs.