SoE should invite hackers to break the game

[Pella]

Originally Posted by TheInferno

If I had a legitimate business as white hat hackers? C. I'll make more money with a good reputation and multiple jobs, and, this is just me, but I like playing games, and I hate it when people hack them and ruin it for everyone else.

The point is, though, if they do hire hackers, they shouldn't be picking people up off the street to do it. They would need to go to a big security organization with a good reputation who's done work for big companies before (such as banks, Fortune 500 corporations, and governments, aka people who they can steal a lot more from) with no problems.

Besides, it's not like they don't get paid well.

I am sure sure SOE employ people of this caliber already. As financial insurance if shit hits the fan like it did with Sony.

And in all fairness you look at all of SOEs MMO's and you wont find hacks. Other than planetside which we have to admit is ancient.

[The Degenatron]

You don't have to invite them, they'll come all by themselves.

The question is: Will the mods swing a Ten-Ton Ban Hammer fast and often enough to put a dent in their numbers.

What I wish for is a suit of ban options to be leveled on cheaters all at once:
Account Ban
IP Ban
MAC Ban
OS S/N Ban
Video S/N Ban
CPU S/N Ban
ISP Router Ban (when applicable)

By locking out multiple identifiers at once - the mods have a better chance at frustrating hackers and forcing them to jump though many hoops if they want to attack our game again.

I hope the Mods have the courage to ruthlessly ban on sight, without warning, and without appeal and lose what SOE will (mistakenly) consider a revenue source.

[Pella]

To be honest people that tend to hack wont pay for anything. Thats was even stated in APB quote in this thread someplace.

So banning will come thick and fast im sure. As there not loosing money.

[Timealude]

Originally Posted by NewSith

No decent hacker would sacrifice his profit. Those who did, though, are not in lines of the current source code.

thats not actually true i dont want to bring up non planetside things but look at the leader of anonymous. anyways i think it would be a good idea to hire hackers for temp job showing the anti hacking team what exploits are available. We also dont know a whole lot about the actually team itself for all we know they could be ex hackers hired to do it

[Biscuit]

This reminds me of the story of the Scorpion and the Frog

[TheInferno]

Originally Posted by Pella

I am sure sure SOE employ people of this caliber already. As financial insurance if shit hits the fan like it did with Sony.

And in all fairness you look at all of SOEs MMO's and you wont find hacks. Other than planetside which we have to admit is ancient.

Oh, I'm not saying they need to, I'm just saying it's a legitimate option.

Originally Posted by Biscuit

This reminds me of the story of the Scorpion and the Frog

That's really insulting. Network security guys do have ethical codes about things, report any breaches, never mess with the clients data, etc. Like I said, we aren't talking about people who just hack for fun and lulz, we're talking about professionals.

[Trafalgar]

A few people seem to be making some very broad generalizations and assuming that everyone that could be classified as a "hacker" is a "black hat hacker" and is somehow going to be trying to make money by hacking PS2 (Doesn't seem likely, I mean, they'd have to hack the website and upload a trojaned version of the game or something as a new patch, and it would probably get spotted by AV software unless they used something they wrote from scratch, or a rootkit against an AV software that can't detect it trying to install, and one hopes that the folks running the website hosting the patches, game installers, etc, are paying attention to keeping it secure nowadays), and that no "hackers" would ever pay for anything (ludicrous).

Are you assuming that there are no "white hat hackers?" Although they may be looking for exploits, their purpose in doing so is not to use them for any kind of advantage but to report them in a sufficiently detailed report such that they can be corrected, to improve the game. Personally, if I find an exploit in the beta, I would report it. I want the game to be as exploit-free as possible (and I mean exploits, not balance issues), because I want to play a fair game, which means it's obviously in my best interests and the best interests of anyone else thinking the same thoughts to report all exploits that I or they find.

Of course, getting enough detail to make a really good report may require a fair amount of testing, e.g. to determine what is actually going on and make sure you're not going to submit an incorrect report blaming the wrong thing for the issue, how to reliably reproduce it, etc, whether we're talking about normal bugs or something exploitable.

Also, the kind of hacks that you hear about on the news are different from exploits in games, which tend to be along the lines of flaws in game logic allowing you to do something you aren't supposed to be able to do, such as (random example) bypassing ability cooldowns by doing something which happens to reset the cooldowns to 0 which really shouldn't be doing so, or glitching through walls using vehicles, or any number of other things. On the more complicated and effort-requiring end, investigating the messages between the client and server (a lot of effort without source, so probably not worth it if the devs have their own team) to see if it would be possible to exploit anything there, such as making guns say they hit all the time if the hit detection is client-side, or attempting to tell the server that you've pulled off an impossible maneuver / acceleration / deceleration to see if it validates the client's input properly (rejecting invalid input, or constraining input to valid values). It isn't impossible for someone without source access to test things that would require modifying the client or understanding and possibly modifying the datastream between client and server, it's just more difficult and requires a ton of effort (usually).

[maradine]

Originally Posted by Pella

I am sure sure SOE employ people of this caliber already. As financial insurance if shit hits the fan like it did with Sony.

This is not likely the case. Professional whitebox and blackbox testers are frequently too expensive to retain permanently due to general demand. This is doubly so in the games industry, where salaries are already depressed due to supply. AppSec tends to get brought in for contract SDLC work, as a gate for promotion of code bases to production status, as a contractual requirement with a third party, or not at all.

[Nephilimuk]

I would have thought the product would have gone through extensive and vigorous penetration testing before released into beta. This must be true after last years fun and us losing our personal details. A repeat incident would be lethal to SOE's reputation and Sony's stock.

[indirect]

Originally Posted by Vetto

One should not ever Encourage hackers, but deal with them when found. Hackers are not in it to help a company, there in it for the Lulz, or to ruin a game.

You have no idea what you're talking about. Hackers are hired by multi BILLION dollar companies to crack their software. See; Microsoft, Apple, Mozilla, etc.

Please don't pretend to know what you're talking about.

[maradine]

Originally Posted by Nephilimuk

I would have thought the product would have gone through extensive and vigorous penetration testing before released into beta. This must be true after last years fun and us losing our personal details. A repeat incident would be lethal to SOE's reputation and Sony's stock.

It probably did. They probably caught a big pile of low hanging fruit, and probably found a number of risks that the business will accept. Even with full source access and documentation, there is no penetration testing regimen sufficient to simulate your code being out in the wild over the lifespan of the product. Too much time, too many actors, and you're on a budget.

[Mepper]

I will defenitely try to find glitches, and hack the game in any possible way. Whenever I find something I'll just tell the devs how I did it, and how it could be prevented. And I won't ask any money.

[Nephilimuk]

It probably did. They probably caught a big pile of low hanging fruit, and probably found a number of risks that the business will accept. Even with full source access and documentation, there is no penetration testing regimen sufficient to simulate your code being out in the wild over the lifespan of the product. Too much time, too many actors, and you're on a budget.

I agree once the product has gone live your in reactive patch and test mode. But at the point of release you should have closed down all the common exploits and the obvious exotic.

Free to play or not your still dealing with personal information, which is a commodity, so due diligence at least is expected.

[maradine]

Originally Posted by Nephilimuk

Free to play or not your still dealing with personal information, which is a commodity, so due diligence at least is expected.

And we have no reason to believe it hasn't been applied.

[GuyShep]

Originally Posted by Pella

To be honest people that tend to hack wont pay for anything. Thats was even stated in APB quote in this thread someplace.

So banning will come thick and fast im sure. As there not loosing money.

Actually, it was the exact opposite that was said. G1 and the APB devs were a bit dumbstruck that a good number of hackers spent money on the cash shop, since hackers get banned in waves instead of the moment they get detected, and there's some considerable amount of time between waves.