Greetings, glorious testers!
Check out Alpha Two Announcements here to see the latest news on Alpha Two.
Check out general Announcements here to see the latest news on Ashes of Creation & Intrepid Studios.
To get the quickest updates regarding Alpha Two, connect your Discord and Intrepid accounts here.
Anti-botting systems, why GMs aren't enough
Vissox
Member, Alpha Two
I worry a lot about bots in Ashes, as we know from other MMOs they hurt the economy, but in AoC they have the potential to change the outcome of entire nodes, via their repetitive actions. For example (based on my albeit loose understanding of how nodes will work) a bot could chop a lot of trees for wood, making some Ent creatures upset. My point is bots have even more influence in a game like Ashes.
I think the discussion about botting/cheating must be had sooner than later, as game security can make or break a game.
While GMs can deliver decisive verdicts on bots, more bots can be made than accounted for. Luckily, there are some ideas out there.
1.) In-game captchas. It is slightly intrusive to gameplay, but it makes botting extremely tedious. Someone would have to constantly monitor all the bot accounts to see if a captcha pops up, or risk them pausing all botting action until returning to the setup. The captchas could pop up occasionally when you open a crafting menu, enter a dungeon, talk to an NPC, etc. A balance would need to be found between keeping it effective against the botter, whilst minimizing annoyance to the player.
2.) Attaching a cell phone number as a requirement for account creation. This is less intrusive upon the actual gameplay than the above option, however it still carries complications. Some people unironically don't have cell phones (myself included XD), and should a phone number be tied to the account, any number change could potentially screw another customer from playing. That being said, you could add a "you can only change every 30 days" type feature.
3.) HWID bans. Any bot that is banned would also wipe/lock out any other bots running on that system. I think this is the best option.
There are probably other ways to solve botting/cheating/hacking issues, those are just a few I know of.
To sum it all up, I want this game to be great, and I know it can be. But security is just as huge as gameplay! Ty for reading.
1
Comments
Of course, do all kinds of other secret things to catch and ban cheaters, too.
They were originally, but as they are a tool for training AI, one can't be surprised when AI outsmarts the tool it was trained on.
Cell phone numbers are easy to get around. Some Korean games require the Korean equivalent of a social security number to register an account, and this does nothing to stop botting.
Hardware bans are fairly standard practice.
It is worth noting that whatever tools Intrepid implements, they will not tell us about. The more we know about them, the more botters know about them. The more botters know about them, the easier it is for them to circumvent them.
Developers that implement customer facing "bot prevention" are actually doing little more than trying to appear to be doing something to prevent bots. All of the effective bot prevention happens in a place us players should never see.
Remember when K-2SO bitch-slapped Cassian Andor?
You’re on thin ice. 🤪
1. It's annoying to real humans and not effective against bots, as far as I know.
2. I don't think this is an effective way against bots, but it is definitely effective at gating human players out.
3. As far as I know, this way is not effective at gating bots anymore, and it can sometimes lock out someone irrelevant.
They are far more concerned and invested in this than we as consumers are because if the game is compromised they have everything to lose whereas we as players would move on to the next game, MMO or otherwise.
#1 - Pointless. Bots can bypass these with a growing efficiency. Also, this would become an annoyance to players, and players would simply not play the game.
#2 - This does nothing to help anything since there are many people with either dozens of phone numbers, or online phone numbers. It costs nothing to get several online phone numbers.
#3 - This doesn't work. There is a person in the Ashes Community who has already demonstrated how you can get around 99% of HWID bans in just a few minutes.
Without the first, it will never matter. In our current age, bots basically cannot be defeated.
At worst, you make 'writing a bot' more expensive or complicated. Or you make the bot less effective. Neither of these will meaningfully reduce botting (the people who write the expensive ones will just deploy more instances in order to get their money's worth, and the lack of competition from poorly written bots will make this easier for them).
The Security team can never tell us what they do to catch bots, because the bot coders will immediately work around it.
This is best left to the Senior Economy designer when they join the team.
I agree, tradeless economy sucks ass. I think the Lost Ark auction house sucks.
So perhaps we need to somehow drive the cost of botting too high to be profitable, while at the same time making sure players feel they are paying an appropriate price for the game. The problem I have with the "leave it to the senior designer statement" is they have to deal with these exact same problems that are found in the options I listed above. If we as players don't know how to fix these problems, there is no guarantee the designers do too. We should all be brainstorming the best way to handle this situation, these developers really do take in account player feedback, and the more ideas we have the more likely it is we find a working one.
In all arrogance, I, for one, know exactly how to fix these problems in most games. I could make some guesses for Ashes. But that would be 'me designing their economy for them', and I already offered the two main methods I know from that side.
Similarly, my security analyst knows quite a bit about how to handle the other side, but you wouldn't want her discussing that sort of thing on forums.
If the security you propose only works if botters are unaware of how it works, it's not very secure is it? People always figure out what's going on, the best idea is one that can't be circumvented, regardless of whether it is publicly known or not.
I will divulge one secret, technically, because it's the one that doesn't matter.
The best bot detection method is the one where the enforcement is inconsistent.
If it's 50/50 odds whether or not any given bot will be banned for an action on a given day, and the reason given is 'suspicious activity', chances are the bot has more than one 'suspicious activity' they engage in.
The botter doesn't know which of the things they do, is the problem. They therefore have to spend more time, and 'randomly' lose accounts.
It's slower, but blanket 'do this and get banned' can be decoded easily by counter-analysis, and once that is implemented properly, the arms race continues. The better method is to obfuscate everything. That's why you just hear 'we will be using multiple methods to contain and detect this behaviour'.
Most bots, especially in PvX games, only do meaningful HARM at very specific parts of the economy and the game. The more time a given 'bot station' invests before it gets junked, the 'better off' certain functions are. This doesn't apply to player reports of suspicious activity, just the autodetected ones.
But bots themselves, you will NEVER win if they know what you are doing, or even have an inkling what you are detecting them by. We're talking about things that detect changes in pixel colors on screen, and have random func responses to those pixel colour changes by calling the internal mouse-click functions. You can write these at home. The game itself is a Finite State Machine, just make your own bot be one too, and it will sometimes not be distinguishable from a human player for a very VERY long time.
You don't want to start an arms race with advanced bot programmers. Pick off people randomly, watch their account behaviours through GMs, etc. Never let them know you are 'on to them' or that 'X behaviour is definitely considered botting'. They'll just figure out how to mimic the most efficient or repetitive player instead, and make the detection draw closer to banning legitimate players. It's already in their best interest to look as much like regular players as possible, so 'watching a stream and then copying a streamer's play' is a good way to push the hand of the security team.
Or, the security team could just ban for 'suspicious activity' and never explain what exactly that means.
The idea is that the less certain the opposition is about your abilities, the more cautious they have to be.
As for me, I am still considering how a Guild, call them "The Purifiers," might be devoted to increasing the costs of botting and selling gold, goods, and accounts, in part by harassing suspected Bots and their Merchants.
flagged accounts will not get the trading block lifted without a GM
also all gold and items that are gathered during the new account restriction should be bound for that character only (so the bot can't dump all it has right when the blocked trading is lifted if it doesn't get flagged)
the goal is to increase the time it takes for the bot to be able to start making saleable goods for real money
― Plato
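The three trade rules proposed in the post above (flagged accounts stay blocked until a GM clears them, new accounts are trade-blocked for a period, and anything gathered during that period stays bound), sketched as an added example that is not part of the original thread or Intrepid's code. The 14-day window and all class, field and function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed value: the post does not say how long the new-account restriction lasts.
RESTRICTION = timedelta(days=14)


@dataclass
class Account:
    created_at: datetime
    flagged: bool = False      # set by automated detection or player reports
    gm_cleared: bool = False   # only a GM review sets this

    def restriction_ends(self) -> datetime:
        return self.created_at + RESTRICTION


@dataclass
class Item:
    name: str
    acquired_at: datetime


def trade_decision(acct: Account, item: Item, now: datetime) -> tuple[bool, str]:
    """Return (allowed, reason) for an attempt to trade `item` at time `now`."""
    # Rule 1: a flagged account stays blocked until a GM clears it,
    # even after the time-based restriction has run out.
    if acct.flagged and not acct.gm_cleared:
        return False, "flagged: awaiting GM review"
    # Rule 2: every new account is trade-blocked for the restriction window.
    if now < acct.restriction_ends():
        return False, "new-account restriction active"
    # Rule 3: anything gathered during the window is bound to the character,
    # so a stockpile cannot be dumped the moment the block lifts.
    if item.acquired_at < acct.restriction_ends():
        return False, "item bound: acquired during restriction"
    return True, "ok"
```

Checking the flag before the timer is what makes the GM review the only exit for a flagged account; reversing the order would still block it during the window but hide the reason a reviewer needs to see.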
For example, if, perhaps well after Launch, the minimum subscription fee were 90 days in advance, that would function like a box fee.
On the other hand, if it deterred more people from starting the game than Bots discouraged from play, that would be a huge negative.
In general, though, strategic uncertainty regarding Bots is Intrepid's best friend. Just count me in on the "Botlerian Jihad."
You can read more on it here, on the wiki!