Exploits and ...bans?

For a game that will rely on a player ran economy and pvp exploits, botting, such as exp gain from glitchy mobs, duping of assets, basically any exploit or cheat that gives a player or guild an advantage will be a game killer. There's even open recruitment to "Exploiters" guilds, this could be a troll, I don't know. At the end of the day the common player is going to have to have trust that the game is fair, even if the game is fair if that trust is gone then those players will leave.

I don't know what defenses are in place and I shouldn't know. But they can't balance exploits, and balancing an economy to offset bots kills half the life skills in the game. You can build the most wonderful game with pretty graphics, amazing mechanics, and top notch systems, but cheaters will destroy it if they can, just because they can.

Two big things they could do and they should do is:
1. No time cards. These are used by exploiters/botters/cheaters.
2. Verify actual ID like what's done in Korea. This is extreme I know, but there's too much money to be made in exploiting MMOs. No matter the resources that Intripid throws at combatting this, they won't win without extreme measures.

Find more posts tagged with

Comments

Noaani

Volgaris wrote: »

Noaani wrote: »

Volgaris wrote: »

Maybe this is the crux of the disagreement, you believe security doesn't work completely so it's not worth doing and/or these efforts will have no effect.

No, in regards to VPN's i believe some people have perfectly valid reasons for using them, and since they aren't going to do anything at all to stop serious offending, on balance, it isn't worth it.

If there were no valid reasons for using them, then there would be no harm in blocking them.

Detecting bot farms using a custom VPN is indeed quite difficult. That is why those companies do this

No need for a strawman argument... Give me an example of a company requiring valid ID to gain access to a service or product that failed because they required valid ID.

I uave a better idea - name a company that operates online and does what you say.

The reason I am flipping that around is because I can't think of a single company that actually uses identification services as a hard requirement. The only organizations thst do are government based.

Given the option I'd play on a server with verified players.

Intrepid have no way to verify who I am.

okay, cool cool cool

I'm going to assume this is just your way of trying to get out of answering the question of naming a company that uses the services you are talking about as a hard requirement - because you can't, because none do, because it is a bad idea, because those companies are not trustworthy and no legitimate company would want to partner with them.

Volgaris

Noaani wrote: »

Volgaris wrote: »

Noaani wrote: »

Volgaris wrote: »

Maybe this is the crux of the disagreement, you believe security doesn't work completely so it's not worth doing and/or these efforts will have no effect.

No, in regards to VPN's i believe some people have perfectly valid reasons for using them, and since they aren't going to do anything at all to stop serious offending, on balance, it isn't worth it.

If there were no valid reasons for using them, then there would be no harm in blocking them.

Detecting bot farms using a custom VPN is indeed quite difficult. That is why those companies do this

No need for a strawman argument... Give me an example of a company requiring valid ID to gain access to a service or product that failed because they required valid ID.

I uave a better idea - name a company that operates online and does what you say.

The reason I am flipping that around is because I can't think of a single company that actually uses identification services as a hard requirement. The only organizations thst do are government based.

Given the option I'd play on a server with verified players.

Intrepid have no way to verify who I am.

okay, cool cool cool

I'm going to assume this is just your way of trying to get out of answering the question of naming a company that uses the services you are talking about as a hard requirement - because you can't, because none do, because it is a bad idea, because those companies are not trustworthy and no legitimate company would want to partner with them.

I didn't read it. Only read the first sentence on this one. You can't provide anything of value to the conversation anymore. You used made up stats, argue it's too hard, people don't want it, you can't trust companies, strawman replies, cherry pick, ect ect. It's nothing of substance, it's anecdotal and opinion. I understand your opinion and no longer have an interest in it. I've given up trying to get actual data and facts from you. Maybe this will be more clear to you than just 'okay, cool cool cool'.

Mag7spy

OrcLuck wrote: »

I believe giving a temp ban for a testing session would be an appropriate punishment. I don't think they should be in any way banned long term. They did a goof, and messed up a serious test environment. This is a vulnerability that was open in it's ability to be exploited...but it's also adding noise to useful data. Securing the errors creating those exploitable situation pushes back timelines for gathering data on that. Nothing to sweat, but certainly worth telling players to knock it off with a sincere gesture of a reprimand.

Issue is for some of these people its not the first time doing it, and they killed an entire server in phase 1

Noaani

Volgaris wrote: »

I've given up trying to get actual data and facts from you.

I don't know what more you want.

I told you over a week ago that those companies are not to be trusted. I said that instead of taking my word for it, you can simply google those companies in relation to fraud and see for yourself.

I am not asking you to believe me, that is why I am giving you very few facts. I am giving you enough for you to go and find out for yourself so that you don't need to believe me.

Tell you what, I'll just give you the results of the first 30 seconds of looking in to the first company on your list from earlier.

Jumio, founded in 2010 by Daniel Mattes, who in 2019 was charged with fraud. This fraud charge also caught up Jumio's CFO, who settled the case against him for $420,000. In 2016 the company was declared bankrupt, and acquired by an equity fund (ie, all data they had collected was now owned by said equity fund). Jumio is also currently (I believe it is still ongoing) dealing with charges due to it's mishandling of biometric data in relation to Binance.

This is not a company I will willingly allow to have any information on me at all.

So, really, don't take my word for it, don't ask me for the information. I've told you what to look for, go and look for it instead of continually insisting that your idea has merit. It does not have merit.

daveywavey

Volgaris wrote: »

To track every asset generated by a player you'd need every generated asset to be saved in the database with a unique ID of the player who generated it. Such as a piece of common copper. So if the player that generate that copper from the copper node was banned as a bot that piece of copper could be removed, regardless of who has it at the time of deletion. If that ore was used to make a weapon do you delete the weapon? This solution is more difficult to the Nth than other solutions to combat cheating. I'm not sure if that's exactly what you were getting at.

Do they not need to do that anyway in order to see which item is in which inventory? If every piece of Copper in the game was the same, then the second anybody sold one, it would sell all of them across the server.

So, if all pieces of Copper are separate, and if they already have their own unique ID, then you'd just simply add a couple of fields for the players that created/found/etc it and for the player that currently owns it.

Noaani

daveywavey wrote: »

Volgaris wrote: »

To track every asset generated by a player you'd need every generated asset to be saved in the database with a unique ID of the player who generated it. Such as a piece of common copper. So if the player that generate that copper from the copper node was banned as a bot that piece of copper could be removed, regardless of who has it at the time of deletion. If that ore was used to make a weapon do you delete the weapon? This solution is more difficult to the Nth than other solutions to combat cheating. I'm not sure if that's exactly what you were getting at.

Do they not need to do that anyway in order to see which item is in which inventory? If every piece of Copper in the game was the same, then the second anybody sold one, it would sell all of them across the server.

So, if all pieces of Copper are separate, and if they already have their own unique ID, then you'd just simply add a couple of fields for the players that created/found/etc it and for the player that currently owns it.

Deleting items from players that currently own it is not a great idea.

If this is how enforcement starts happening, you watch people start up new accounts, farm specific materials, trade them to rivals and watch them get deleted, thus removing the wealth those rivals built up from the game.

If Intrepid remove the items and reimberse the player what they spent buying the materials, then this whole thing will be ineffective

There are many reasons we players don't know what systems developers use to combat exploiting and cheating. One of them is because then the exploiters and cheaters would know and would be able to circumvent them better, but another is because if we know them, we can use these systems the developers use to combat exploiting as exploits in their own right.

I'm not putting forward a better solution, I'm just saying this is not a good one - in part because it will become VERY obvious to people very quickly.

daveywavey

Noaani wrote: »

daveywavey wrote: »

Volgaris wrote: »

To track every asset generated by a player you'd need every generated asset to be saved in the database with a unique ID of the player who generated it. Such as a piece of common copper. So if the player that generate that copper from the copper node was banned as a bot that piece of copper could be removed, regardless of who has it at the time of deletion. If that ore was used to make a weapon do you delete the weapon? This solution is more difficult to the Nth than other solutions to combat cheating. I'm not sure if that's exactly what you were getting at.

Do they not need to do that anyway in order to see which item is in which inventory? If every piece of Copper in the game was the same, then the second anybody sold one, it would sell all of them across the server.

So, if all pieces of Copper are separate, and if they already have their own unique ID, then you'd just simply add a couple of fields for the players that created/found/etc it and for the player that currently owns it.

Deleting items from players that currently own it is not a great idea.

If this is how enforcement starts happening, you watch people start up new accounts, farm specific materials, trade them to rivals and watch them get deleted, thus removing the wealth those rivals built up from the game.

If Intrepid remove the items and reimberse the player what they spent buying the materials, then this whole thing will be ineffective

There are many reasons we players don't know what systems developers use to combat exploiting and cheating. One of them is because then the exploiters and cheaters would know and would be able to circumvent them better, but another is because if we know them, we can use these systems the developers use to combat exploiting as exploits in their own right.

I'm not putting forward a better solution, I'm just saying this is not a good one - in part because it will become VERY obvious to people very quickly.

Yeah, I dunno what the answer/solution to it is, I was just suggesting that the items already had a unique value since they're separate occurrences of the object type.

OrcLuck

There is a difference between your professional level gold farming exploiters...and people feeling like they have a license to go and break things because this is a test environment. No long term harm or foul.

That's why I think a soft first approach is better. You're also in a growth phase of the game, so being too punitive too quickly sets a negative tone.

You have to balance perception. That's why a soft first brush with "justice" is appropriate. It's not, that it wasn't disruptive, but it was low hanging fruit, and the company can do better to stop people. Letting people choose the easy way out by not addressing the easiest exploits...is going to open too many of your genuinely just goof balls...to getting out of the product environment.

Gamers have pushed the bar with these things, and that means there's a little tolerance for letting the first pass slide.

If people make the testing environment useless, it's better to do that in a few passes after you've marked and verified the offenses. Then ban them from the testing period if you have to go as harsh as possible until launch.

In terms of abusive behavior like harming other players directly, like Asmongold via system exploits, I believe harsh penalties straight out the gate are good.

Harming people vrs harming a test phase's utility, is a slightly different psychological state, that is worth harsh discipline.

Having a test environment with a test setup where disruption is likely, means you need to modify your measurement approach...because you can't avoid that. You can't test in a poor conditioned environment, and then shrug when your tests don't match the reality you're living in vrs what you would have preferred happened.

That's why I think the soft approach for one is different than another. Penalize behavior that is intolerable in any context, like harming other people's experience directly...and when you can clean up the economic environment use a new test, and then verify based off of what you might have learned after testing in the exploited environment.

Exploited money is still circulating in the economy, it just means your measure of certain factors has to adjust...it's not completely wasted time.

It's not like there is a correct answer here. So I trust Steven with his wealth of experience and his communication with experts...to try and adapt a reasonable approach.

Chuck Zitto

Im in the middle on this its alpha people are gonna use any advantage there is. Even If there were 0 exploits some people gonna play 20 hours a day and get way ahead of everybody. Now duping on the other hand if it was found out and abused insta ban for anyone involved.

Volgaris

daveywavey wrote: »

Volgaris wrote: »

To track every asset generated by a player you'd need every generated asset to be saved in the database with a unique ID of the player who generated it. Such as a piece of common copper. So if the player that generate that copper from the copper node was banned as a bot that piece of copper could be removed, regardless of who has it at the time of deletion. If that ore was used to make a weapon do you delete the weapon? This solution is more difficult to the Nth than other solutions to combat cheating. I'm not sure if that's exactly what you were getting at.

Do they not need to do that anyway in order to see which item is in which inventory? If every piece of Copper in the game was the same, then the second anybody sold one, it would sell all of them across the server.

So, if all pieces of Copper are separate, and if they already have their own unique ID, then you'd just simply add a couple of fields for the players that created/found/etc it and for the player that currently owns it.

I'm making some assumptions on how they made it. So take this with a pinch of salt. It's just an educated guess.
The copper your character has isn't unique. It's the same copper everyone has. When "deleted" it's just removed from you, or the relationship is cut. So when a copper is found it's just made from the same object/asset that they are all made from. This gets into OOP and relation databases. It would not be impossible to track each copper as a unique asset just a bigger database and more code. Maybe they did do this. I just highly doubt it.

A simplified example would be. If you find 5 common copper. That copper gets put in your inventory. All that happens is your inventory now lists the common copper in it with an amount. If delete one copper the amount in your inventory is just reduced. A copper isn't actually deleted from the world, because that copper is just a number while in your inventory. Lol might be better to youtube. It's hard from me to explain without pictures and I'm retired so I'm a bit rusty too. Hope this helps shed a little more light on it though.

Volgaris

@OrcLuck
I pretty much agree. I don't really care too much about the exploiting right now, as long as they are fixing it. It's actually good they are doing it so it can be fixed. The same thing with the griefers and broken mechanics. I just care about the integrity of the game, as it is now I don't see anything different they are doing vs what any other MMORPG has done. And we all know how those turn out.

Volgaris

Chuck Zitto wrote: »

Im in the middle on this its alpha people are gonna use any advantage there is. Even If there were 0 exploits some people gonna play 20 hours a day and get way ahead of everybody. Now duping on the other hand if it was found out and abused insta ban for anyone involved.

Big difference in no lifeing the game to get ahead and exploiting. An exploit like duping will kill the market and in a game like this probably the whole game. An exploit like killing wall glitched mobs, not really a big deal. At the end of the day we have know actions are being taken and what those punishments are. If exploiters are going to be allowed then the only way to compete is to exploit too, being a OWPvP game, it's competitive. A competitive MMORPG will require a huge time investment. If you put that work in, then an exploiter comes by and gets to where you are by cheating it invalidates all the work you've put in. If not handled properly this will cut player count. It's tough to do, but critical to success and may require drastic measures.

AirborneBerserker

I don't care how good a game this is, I'm not giving my SSN to a gaming company. Ever.

AirborneBerserker

Noaani wrote: »

Volgaris wrote: »

Noaani wrote: »

Volgaris wrote: »

Maybe this is the crux of the disagreement, you believe security doesn't work completely so it's not worth doing and/or these efforts will have no effect.

No, in regards to VPN's i believe some people have perfectly valid reasons for using them, and since they aren't going to do anything at all to stop serious offending, on balance, it isn't worth it.

If there were no valid reasons for using them, then there would be no harm in blocking them.

Detecting bot farms using a custom VPN is indeed quite difficult. That is why those companies do this

No need for a strawman argument... Give me an example of a company requiring valid ID to gain access to a service or product that failed because they required valid ID.

I uave a better idea - name a company that operates online and does what you say.

The reason I am flipping that around is because I can't think of a single company that actually uses identification services as a hard requirement. The only organizations thst do are government based.

Given the option I'd play on a server with verified players.

Intrepid have no way to verify who I am.

okay, cool cool cool

I'm going to assume this is just your way of trying to get out of answering the question of naming a company that uses the services you are talking about as a hard requirement - because you can't, because none do, because it is a bad idea, because those companies are not trustworthy and no legitimate company would want to partner with them.

To be fair most gaming companies use this, just not in America, or most other countries, But China forces you to ID yourself and limits your play time.

Which doesn't matter I'm still not giving my SSN to a gaming company.

Noaani

AirborneBerserker wrote: »

Noaani wrote: »

Volgaris wrote: »

Noaani wrote: »

Volgaris wrote: »

Maybe this is the crux of the disagreement, you believe security doesn't work completely so it's not worth doing and/or these efforts will have no effect.

No, in regards to VPN's i believe some people have perfectly valid reasons for using them, and since they aren't going to do anything at all to stop serious offending, on balance, it isn't worth it.

If there were no valid reasons for using them, then there would be no harm in blocking them.

Detecting bot farms using a custom VPN is indeed quite difficult. That is why those companies do this

No need for a strawman argument... Give me an example of a company requiring valid ID to gain access to a service or product that failed because they required valid ID.

I uave a better idea - name a company that operates online and does what you say.

The reason I am flipping that around is because I can't think of a single company that actually uses identification services as a hard requirement. The only organizations thst do are government based.

Given the option I'd play on a server with verified players.

Intrepid have no way to verify who I am.

okay, cool cool cool

I'm going to assume this is just your way of trying to get out of answering the question of naming a company that uses the services you are talking about as a hard requirement - because you can't, because none do, because it is a bad idea, because those companies are not trustworthy and no legitimate company would want to partner with them.

To be fairly most gaming companies use this, just not in America, or most other countries, But China forces you to ID yourself and limits your play time.

Which doesn't matter I'm still not giving my SSN to a gaming company.

Yeah, I've not looked in to exactly what is used in China, but they do have a government mandated system for online identification.

Your last sentence is exactly why I said about 70% of American MMO players would simply opt out of rhe game if this were a requirement. That is because 70% is the current estimate of people that spend a significant amount of time online that are also somewhat security conscious while online. Very few Americans would hand over their SSN to any company they wish to purchase a product or service from - because that isn't what they are supposed to be used for.

AirborneBerserker

Noaani wrote: »

AirborneBerserker wrote: »

Noaani wrote: »

Volgaris wrote: »

Noaani wrote: »

Volgaris wrote: »

Maybe this is the crux of the disagreement, you believe security doesn't work completely so it's not worth doing and/or these efforts will have no effect.

No, in regards to VPN's i believe some people have perfectly valid reasons for using them, and since they aren't going to do anything at all to stop serious offending, on balance, it isn't worth it.

If there were no valid reasons for using them, then there would be no harm in blocking them.

Detecting bot farms using a custom VPN is indeed quite difficult. That is why those companies do this

No need for a strawman argument... Give me an example of a company requiring valid ID to gain access to a service or product that failed because they required valid ID.

I have a better idea - name a company that operates online and does what you say.

The reason I am flipping that around is because I can't think of a single company that actually uses identification services as a hard requirement. The only organizations that do are government based.

Given the option I'd play on a server with verified players.

Intrepid have no way to verify who I am.

okay, cool cool cool

I'm going to assume this is just your way of trying to get out of answering the question of naming a company that uses the services you are talking about as a hard requirement - because you can't, because none do, because it is a bad idea, because those companies are not trustworthy and no legitimate company would want to partner with them.

To be fairly most gaming companies use this, just not in America, or most other countries, But China forces you to ID yourself and limits your play time.

Which doesn't matter I'm still not giving my SSN to a gaming company.

Yeah, I've not looked in to exactly what is used in China, but they do have a government mandated system for online identification.

Your last sentence is exactly why I said about 70% of American MMO players would simply opt out of rhe game if this were a requirement. That is because 70% is the current estimate of people that spend a significant amount of time online that are also somewhat security conscious while online. Very few Americans would hand over their SSN to any company they wish to purchase a product or service from - because that isn't what they are supposed to be used for.

At the end of the day it comes down to this, even if IS told me they had a 99.9999% secure system I still would not give them my DL (Drivers License), SSN, or any other personal ID information beyond my name and address.

Because I don't need another database out there with my personal so I can find out I'm trying to buy a Porsche on credit in Bangladesh.

Noaani

AirborneBerserker wrote: »

Noaani wrote: »

AirborneBerserker wrote: »

Noaani wrote: »

Volgaris wrote: »

Noaani wrote: »

Volgaris wrote: »

Maybe this is the crux of the disagreement, you believe security doesn't work completely so it's not worth doing and/or these efforts will have no effect.

No, in regards to VPN's i believe some people have perfectly valid reasons for using them, and since they aren't going to do anything at all to stop serious offending, on balance, it isn't worth it.

If there were no valid reasons for using them, then there would be no harm in blocking them.

Detecting bot farms using a custom VPN is indeed quite difficult. That is why those companies do this

No need for a strawman argument... Give me an example of a company requiring valid ID to gain access to a service or product that failed because they required valid ID.

I have a better idea - name a company that operates online and does what you say.

The reason I am flipping that around is because I can't think of a single company that actually uses identification services as a hard requirement. The only organizations that do are government based.

Given the option I'd play on a server with verified players.

Intrepid have no way to verify who I am.

okay, cool cool cool

I'm going to assume this is just your way of trying to get out of answering the question of naming a company that uses the services you are talking about as a hard requirement - because you can't, because none do, because it is a bad idea, because those companies are not trustworthy and no legitimate company would want to partner with them.

To be fairly most gaming companies use this, just not in America, or most other countries, But China forces you to ID yourself and limits your play time.

Which doesn't matter I'm still not giving my SSN to a gaming company.

Yeah, I've not looked in to exactly what is used in China, but they do have a government mandated system for online identification.

Your last sentence is exactly why I said about 70% of American MMO players would simply opt out of rhe game if this were a requirement. That is because 70% is the current estimate of people that spend a significant amount of time online that are also somewhat security conscious while online. Very few Americans would hand over their SSN to any company they wish to purchase a product or service from - because that isn't what they are supposed to be used for.

At the end of the day it comes down to this, even if IS told me they had a 99.9999% secure system I still would not give them my DL (Drivers License), SSN, or any other personal ID information beyond my name and address.

Because I don't need another database out there with my personal so I can find out I'm trying to buy a Porsche on credit in Bangladesh.

Indeed.

You are - as far as I can tell - very much in the majority with this.

Falkath

Korean level of security with ID to play doesn't work, you can just buy Korean accounts for dirt cheap, and their servers are restricted to a way smaller population than NA and EU, so in the end, it would be even easier to bypass this security measure. Even more, not every country have laws permitting this level of security, remember USA isn't the center of the world and each countries got their own set of laws.

OrcLuck

I would be willing to verify my account credentials AFTER a punitive action is taken, but not before. I would only be willing to show my drivers I.D. with some form of redacted information for codes and such that might be searchable.

If one of the harsh penalties is account loss if you cannot verify identity (So that you can then be part of an accountability program), I'm fine with that relatively larger escalation in terms of identifiable information spreading.

Volgaris

AirborneBerserker wrote: »

I don't care how good a game this is, I'm not giving my SSN to a gaming company. Ever.

It wouldn't be giving your SSN. It'd be verifying your identity with a third party. It's actually very common to do.

Child Item