To GGG: Why I think your OBT intentions are detrimental to the game's future

I haven't read the entire post, but I wanted to comment on something. Lots of talk about hackers and how GGG plans to deal with them/their consequences. Chris has publicly stated that he is fine with anyone trying to hack the crap out of the game - so long as they tell GGG about it.

I bring this up due to:

"Unless the GGG staff has more CEH certifications (or similar qualifications) than I'd imagine, they really don't have the expertise to be doing this in-house. So from their perspective, their options are:
* Accept help from the PoE beta testing community, which would mean something similar to OP's original suggestion (with modifications)
* Hire specific individual(s) with a hacking background to the GGG staff to come in-person for in-house penetration testing (perhaps on a volunteer basis to save money)
* Essentially do nothing."



"the premier Action RPG for hardcore gamers."
-GGG

Happy hunting/fishing
Last edited by Wittgenstein on Jan 6, 2013, 2:51:48 PM
"
ScrotieMcB wrote:
I am a soldier in the United States Army. I've deployed. I've been shot at. And I think "war" is a perfectly fine figure of speech to use. When it comes to dealing with bots, you either have a conflict over resources with real consequences on people's lives (a war) or you put up no resistance (an invasion then a surrender).

I'd like to agree with you that no one would die, but the ugly truth is that some people with serious gaming addictions do get suicidal over things like this. Pathetic, truly.


Your background in the military does not really give you any kind of authority to say how quoting Sun Tzu should or should not apply.

Example:

Sun Tzu also says:

"

18. All Warfare is based on deception.
19. Hence, when we are able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.
20. Hold out baits to entice the enemy. Feign disorder and crush him.
Sun Tzu - The Art of War - Chapter 1, verses 18 through 20


So does this mean that if we are approaching this whole issue with the mindset of Sun Tzu we should be actively deceiving GGG and that our end goal should be to "crush" them?

See that is the thing about bringing in these philosophical works, you cannot just take part of it and apply it to your line of reasoning, you take all of it. It's either or.

It is not a war on bots, yes, there is an ongoing effort to detect and reduce the number of bots (or, if you're Blizzard then you just make RMAH and make them make money for you).
This does not make it a "war". I can see that you are probably American, you guys like to declare war on things that cannot fight back.
Yes, there is a certain degree of antagonism between makers of bots and people who run these sorts of games. But calling it a "war" is making it waaaaay too dramatic.

To put a bit of a point on it, bot herders are a bit like a disease on these games, what is essentially a cold or a case of influenza.
Would you say that when your body's immune system is fighting the viruses and bacteria that make you sick, it is fighting a "war" on those germs?


"
ScrotieMcB wrote:

Unless the GGG staff has more CEH certifications (or similar qualifications) than I'd imagine, they really don't have the expertise to be doing this in-house. So from their perspective, their options are:
* Accept help from the PoE beta testing community, which would mean something similar to OP's original suggestion (with modifications)
* Hire specific individual(s) with a hacking background to the GGG staff to come in-person for in-house penetration testing (perhaps on a volunteer basis to save money)
* Essentially do nothing.

I think your suggestion leans far more towards #3. Simply shrugging off the problem by saying "GGG can do it in-house" reveals far more of a hatred for all hackers, regardless of ethics or intent, than it does taking the problem seriously and trying to find a real, comprehensive solution. I'd believe you were more genuine in your desire to help if, reaffirming your belief that the general beta-test population should not be allowed to attempt to hack PoE, instead drew_benton should try being a part of the in-house solution (even if he does seem to quote Sun Tzu too often).


Please go back and read what I wrote, I'll wait here.
Ok, did you go back and read what I wrote?
I assume you didn't so let me make it clear. I said that security testing should be done in the alpha test or in an in-house fashion (preferably both).
I go on to talk about how the point of the beta test is to test the game as a whole, that is the whole "package".
As I am sure you are aware, security is one of those sorts of things that require a degree of secrecy, thus any security testing and discussion of security related issues should at least be done by a group of testers who are under some form of restrictive NDA.

I never said that GGG should do it all alone, my point was always that the beta test we are currently part of is not the optimal place for security testing, there are too many players and there is too great a risk something will leak out into the wild. Security testing should be done in a way that allows GGG more control over the information, and also in a way that allows GGG to feed internal, technical data to the testers (basically stuff that could be considered a "trade secret").

"
ScrotieMcB wrote:

How do you expect people to actually test for holes in security if there is no hope of reward and a fear of reprisal? Granted, penetration testing should ALWAYS be done with EXPLICIT permission of the client, so drew_benton posting this here is by no means enough to get him exemption from the rules; as things stand now, he should expect a ban if he exploits the game. However, we should be encouraging interested people like drew to apply for that permission and recommend that GGG give their permission. You told drew "no;" you should have told him "not yet."

Again please go back and read my post. What I said was that he should not expect to be thanked for testing, not any more than us non-technical testers should. I then went on to say that he should not expect immunity from punishment if he was found to have been using his hacks for malicious purposes, i.e. breaking the rules.

"
ScrotieMcB wrote:

Well I don't think he should be revered; thanking him is more appropriate. Letting us know about some of the currently available hacks helps the situation. An admonishment for exploiting without obtaining permission first might also be in order, but you seem totally blind to the principle behind that.

Go back and read his original post please. He says specifically that he thinks that people who have hacked the game and used their hacks to gain an unfair advantage should be given special items and whatnot. He should not expect this.

"
ScrotieMcB wrote:

See, the WCO did make efforts to test for blood doping. And they did catch people... pretty much everyone, eventually. Of course Lance Armstrong being disgraced is a big news story, but if you look into it virtually everyone in all of those races has, at one time or another, been suspended for blood doping. In one Tour de France, if you disqualified everyone who had been caught blood doping at one time or another, first through seventh place would have been DQ'd!

Given the benefits of blood doping, the WCO did not have strict enough enforcement to properly disincentivize their players from using it. Given the benefits of botting, a very strict, comprehensive security plan needs to be in place to properly disincentivize botters from botting. This includes active testing by white-hats trying to discover exploits so they can report them to developers.


Guh...I knew I should not have used the cycling example.

Ok, so check it, I used cycling as a purely arbitrary example. My point was this, we play games like this (or sports or whatever) to challenge ourselves, that challenge comes from succeeding at that game within the constraints imposed by the rules (in cycling, you are not supposed to dope yourself, it is supposed to be a test of ultimate human endurance and performance).
If you start hacking the game to circumvent the constraints imposed by the rules, you are no longer playing the game, you're just dicking around.

Rules and laws are by their very nature arbitrary, there is nothing in nature that prevents me from throwing a brick through my neighbor's window, murdering him with a hammer and then stealing his TV. The laws of physics allow me to do those things, the universe does not care that I do those things, hell most people will not care I did those things.
However, as it happens society decided that it's not very practical to have everyone going around throwing bricks through each other's windows and subsequently murdering and robbing each other. So they imposed an arbitrary rule that said "please don't do those things or we'll do bad things to you".

That example was a little sensational, I agree, again it was to make a point. Along the same lines, I don't know the rules of American Football, but provided they let me and twelve (or however many players there are on the field at a given time) of my homies show up to the Superbowl game with assault rifles, we could win the game.
However they do not allow me and my friends to win the Superbowl by using assault rifles, so I guess if I want one of those fancy rings I'll have to train a lot and actually learn the rules of the game.
Closed beta member since: March 19, 2012
I've been playing a lot of online games, in some of them "unfair" actions from hackers and botters were an issue. HOWEVER, it wasn't that it's so hard to track someone gaining unfair advantage over other players, it's the fact developers did not care to do it.

As for hacking itself, it's usually the effect of the hacked player trying to get one of the illegal tools/money rather than the game's security itself.

If there is a will to properly punish for doing something prohibited, it's not hard to do it.

It can't be hard to track down items with weird properties.
It's not hard to check a player that is reported by other players for suspicious behaviour.

Any sort of actions that are damaging other players' experience are usually vocally reported, and can be investigated/punished.
Thing is, companies simply don't do it.
I have runes, potions and total disregard of public safety.
Last edited by pod11 on Jan 6, 2013, 5:08:19 PM
Off topic but -

"See that is the thing about bringing in these philosophical works, you cannot just take part of it and apply it to your line of reasoning, you take all of it. It's either or."

That is not true, or at least I do not think it is. Philosophy is not religion, which is why you most certainly can pick and choose. It's how the picking and choosing is done that determines its validity or lack thereof. I can agree with an Aristotelian explanation of causation without also adopting Aristotelian conceptions regarding the superiority of a particular sex - as an example.

You obviously cannot pick certain premises out of a larger argument, discard the ones that you don't like, and keep the conclusion. But that isn't what was being done.



"the premier Action RPG for hardcore gamers."
-GGG

Happy hunting/fishing



"
drew_benton wrote:
The end be all question is simple though: is it acceptable to you for a game to be unable to stop people from getting an advantage over those who do what is intended?

If you are content with a yes answer, with no exceptions, then we just have fundamentally different views, so that's all there is to it really.



This question is irrelevant as it's entirely based on the false presumption that a hack proof game can be made. You act as if there is a choice here. There's not. Your logic here is fundamentally flawed because the entire premise it is based upon is not realistic. I understand your argument but it has no place in the real world and this philosophy of allowing rampant cheating in OB would destroy the game.
One must be careful.
Invoking 'The Art of War'
designates a foe.

This is not welcome:
beta testers who treat devs
as the enemy.

What we call 'exploit'
The devs might view as 'feature.'
Please keep this in mind.
Warhammer 40k Inquisitor: where shotgunning is not only not nerfed, it is deeply encouraged.

Dogma > Souls, but they're masterworks all. You can't go wrong.

I was right about PoE2 needing to be a separate, new game. It was really obvious.
"
Wittgenstein wrote:
Chris has publicly stated that he is fine with anyone trying to hack the crap out of the game - so long as they tell GGG about it.

In that case, drew, go ahead and hack the crap out of the game. Be sure to tell GGG about it after.
"
f3rret wrote:
"
ScrotieMcB wrote:
I am a soldier in the United States Army. I've deployed. I've been shot at. And I think "war" is a perfectly fine figure of speech to use. When it comes to dealing with bots, you either have a conflict over resources with real consequences on people's lives (a war) or you put up no resistance (an invasion then a surrender).

I'd like to agree with you that no one would die, but the ugly truth is that some people with serious gaming addictions do get suicidal over things like this. Pathetic, truly.

Your background in the military does not really give you any kind of authority to say how quoting Sun Tzu should or should not apply.
The topic was whether the word "war" applied. I think I'm more qualified than you there.
"
f3rret wrote:
Sun Tzu also says:

"

18. All Warfare is based on deception.
19. Hence, when we are able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.
20. Hold out baits to entice the enemy. Feign disorder and crush him.
Sun Tzu - The Art of War - Chapter 1, verses 18 through 20


So does this mean that if we are approaching this whole issue with the mindset of Sun Tzu we should be actively deceiving GGG and that our end goal should be to "crush" them?

See that is the thing about bringing in these philosophical works, you cannot just take part of it and apply it to your line of reasoning, you take all of it. It's either or.

So biblical literalism is the only true Christianity, and "liberal" Christians are posers.

Or... maybe a book on an extremely broad topic, such as war, covers many different situations, with some parts of the book not applicable to every situation.

I need to admit, the part that drew quoted seemed out of place to me. The "ultimate excellence" described there simply isn't realistic — preventing bots from influencing PoE is not going to be something we can belt out in the next two weeks and then sit contented for years. [edit: It's been a long time since I've read the Art of War, but if I remember correctly there were entire sections on the importance of espionage — that is, having someone sympathetic on the opponent's team who's feeding you information. Seems like that would have been far more quoteworthy.] However, railing against his opinion mostly because you disagree with his quotation of Sun Tzu is affectation at best and sophistry at worst.
"
f3rret wrote:
This does not make it a "war". I can see that you are probably American, you guys like to declare war on things that cannot fight back.

No, if we wanted to do that we'd declare war on the French.

"
f3rret wrote:
Would you say that when your body's immune system is fighting the viruses and bacteria that make you sick, it is fighting a "war" on those germs?

Quoted for irony, emphasis added. Answer: unless it's a truly chronic illness, it's just a battle.

"
f3rret wrote:
Please go back and read what I wrote, I'll wait here.
Ok, did you go back and read what I wrote?
I assume you didn't so let me make it clear. I said that security testing should be done in the alpha test or in an in-house fashion (preferably both).
I go on to talk about how the point of the beta test is to test the game as a whole, that is the whole "package".
As I am sure you are aware, security is one of those sorts of things that require a degree of secrecy, thus any security testing and discussion of security related issues should at least be done by a group of testers who are under some form of restrictive NDA.

I did read it. BUT I didn't look up the meaning of "alpha test," I just sort of guessed what it was. I looked it up just now, and guess what? I was right.

Alpha testing against bots is, bar none, one of the dumbest ideas I've ever heard. A huge part of the network security process has to deal with angles of attack, and you simply won't get many from within the confines of the GGG offices. Additionally, the game goes through pretty significant changes throughout beta, which in turn greatly changes the attack surface. Wrong type of attack, against a target that won't exist in the future — that type of test means nothing.

The NDA agreement idea thing isn't bad though; it's a reasonable prerequisite for that whole permission thing I was talking about earlier. Kind of a moot point, considering Chris said it's open season as long as you let him know, but I'd do NDAs if I was in charge.
"
f3rret wrote:
I never said that GGG should do it all alone, my point was always that the beta test we are currently part of is not the optimal place for security testing, there are too many players and there is too great a risk something will leak out into the wild. Security testing should be done in a way that allows GGG more control over the information, and also in a way that allows GGG to feed internal, technical data to the testers (basically stuff that could be considered a "trade secret").

This is a small independent company that asks people to donate money in exchange for closed beta keys. Beta testers are a resource that is free and abnormally dedicated. In terms of possible collateral damage (hey, another war term!), the number of players will only increase over time (especially once OBT is officially closed for hard launch). GGG would be daft not to use this community's enthusiasm to their advantage.
"
f3rret wrote:
"
ScrotieMcB wrote:

How do you expect people to actually test for holes in security if there is no hope of reward and a fear of reprisal? Granted, penetration testing should ALWAYS be done with EXPLICIT permission of the client, so drew_benton posting this here is by no means enough to get him exemption from the rules; as things stand now, he should expect a ban if he exploits the game. However, we should be encouraging interested people like drew to apply for that permission and recommend that GGG give their permission. You told drew "no;" you should have told him "not yet."

Again please go back and read my post. What I said was that he should not expect to be thanked for testing, not any more than us non-technical testers should. I then went on to say that he should not expect immunity from punishment if he was found to have been using his hacks for malicious purposes, i.e. breaking the rules.
"
ScrotieMcB wrote:

Well I don't think he should be revered; thanking him is more appropriate. Letting us know about some of the currently available hacks helps the situation. An admonishment for exploiting without obtaining permission first might also be in order, but you seem totally blind to the principle behind that.

Go back and read his original post please. He says specifically that he thinks that people who have hacked the game and used their hacks to gain an unfair advantage should be given special items and whatnot. He should not expect this.

There's a world of difference between breaking the rules and having malicious intent. Nevertheless, this is still a far more reasonable outlook than displayed in, say, your post I quoted.
"
f3rret wrote:
Rules and laws are by their very nature arbitrary, there is nothing in nature that prevents me from throwing a brick through my neighbor's window, murdering him with a hammer and then stealing his TV. The laws of physics allow me to do those things, the universe does not care that I do those things, hell most people will not care I did those things.
However, as it happens society decided that it's not very practical to have everyone going around throwing bricks through each other's windows and subsequently murdering and robbing each other. So they imposed an arbitrary rule that said "please don't do those things or we'll do bad things to you".

In this little microcosm, we are society and GGG is the government. I think it might be very practical, under certain circumstances which should be regulated, for people to be hacking PoE to the utmost of their ability. And to expect to be rewarded, even if only with kudos.

I see you're a very law-and-order person. Those types and white-hats rarely get along.
When Stephen Colbert was killed by HYDRA's Project Insight in 2014, the comedy world lost a hero. Since his life model decoy isn't up to the task, please do not mistake my performance as political discussion. I'm just doing what Steve would have wanted.
Last edited by ScrotieMcB on Jan 6, 2013, 7:18:07 PM
"
ScrotieMcB wrote:
The topic was whether the word "war" applied. I think I'm more qualified than you there.


How exactly do you know this? I also used to be a soldier and if some bureaucratic idiocy clears up I'll hopefully be again soon.
On top of this I do know several people who're deployed in Afghanistan right now and several more who have been down there.

"
ScrotieMcB wrote:
So biblical literalism is the only true Christianity, and "liberal" Christians are posers.

Or... maybe a book on an extremely broad topic, such as war, covers many different situations, with some parts of the book not applicable to every situation.


Well no, not quite, the whole point of the Art of War was General Sun Tzu writing a guide to the generals who'd come after him on how to fight a war. Sun Tzu never meant to write a guide on how to live your life in general or how to conduct business.
Applying the lessons taught in the Art of War on how to effectively help a company security test their game is like trying to apply the lessons of the bible to differential algebra.

"
ScrotieMcB wrote:
I need to admit, the part that drew quoted seemed out of place to me. The "ultimate excellence" described there simply isn't realistic — preventing bots from influencing PoE is not going to be something we can belt out in the next two weeks and then sit contented for years.

Well, bots and the sorts of cheats OP described are two different things, bots aren't so much a 'hack', I mean it's still blatantly cheating, but it's not really a hack.
There isn't really any big voyage of discovery you can do by programming bots, and most certainly not one that should be in any way rewarded.

Now, if the OP has made map hacks, brightness and zoom hack like he claims, then yeah. Send them to GGG, maybe in conjunction with a job application.
He should not expect to be rewarded with a special in-game item though.

"
ScrotieMcB wrote:
[edit: It's been a long time since I've read the Art of War, but if I remember correctly there were entire sections on the importance of espionage — that is, having someone sympathetic on the opponent's team who's feeding you information. Seems like that would have been far more quoteworthy.] However, railing against his opinion mostly because you disagree with his quotation of Sun Tzu is affectation at best and sophistry at worst.


I admit this is true. Though as it happens, the only reason I'm debating it now is because you are, and I do like an interesting (if admittedly pointless by now) debate.


"
ScrotieMcB wrote:
No, if we wanted to do that we'd declare war on the French.

I see what you did there, but really, let's not get into a discussion about how that just isn't true.

"
ScrotieMcB wrote:

"
f3rret wrote:
Would you say that when your body's immune system is fighting the viruses and bacteria that make you sick, it is fighting a "war" on those germs?

Quoted for irony, emphasis added. Answer: unless it's a truly chronic illness, it's just a battle.


Again, I see what you did there, but it is not as clever as you thought it was.
I flatly refuse to get into a semantic argument here, though let me say this: you can 'fight' without it being a 'war'. I would not describe a drunken brawl in a bar as a 'bar war', would I?

"
ScrotieMcB wrote:

I did read it. BUT I didn't look up the meaning of "alpha test," I just sort of guessed what it was. I looked it up just now, and guess what? I was right.

Alpha testing against bots is, bar none, one of the dumbest ideas I've ever heard. A huge part of the network security process has to deal with angles of attack, and you simply won't get many from within the confines of the GGG offices. Additionally, the game goes through pretty significant changes throughout beta, which in turn greatly changes the attack surface. Wrong type of attack, against a target that won't exist in the future — that type of test means nothing.

The NDA agreement idea thing isn't bad though; it's a reasonable prerequisite for that whole permission thing I was talking about earlier. Kind of a moot point, considering Chris said it's open season as long as you let him know, but I'd do NDAs if I was in charge.

Against bots, sure. It'd be much better to buy one of the commercial solutions I'm sure are available by now.

That said, I am not sure if you are aware, but GGG are conducting two different tests now: the alpha and the beta. Alpha testers are (an actual alpha tester can correct me here if needed) under a much more restrictive NDA and I imagine the testing is much more 'hardcore' and technical.

It just makes more sense to have security testing (finding exploits against the game itself, maphacks etc) done by a team under a highly restrictive NDA so you have more legal recourse if it does end up leaking out from the alpha test.
Testing against bots is a more tricky matter, you can only really do it if you've got access to server logs and the server software, which none of us do and probably never will.

"
ScrotieMcB wrote:

This is a small independent company that asks people to donate money in exchange for closed beta keys. Beta testers are a resource that is free and abnormally dedicated. In terms of possible collateral damage (hey, another war term!), the number of players will only increase over time (especially once OBT is officially closed for hard launch). GGG would be daft not to use this community's enthusiasm to their advantage.


Again an actual alpha tester will have to correct me here, but I do think the current alpha test consists of at least between 50 - 100 people, that is more than enough people to effectively test for exploits against the client and from what I hear elsewhere in this thread, some of them already are doing this.
There is no need for that sort of testing to happen extensively in the Open Beta, it is just going to end up leaking and propagating out to people who won't be using it to test.
"
ScrotieMcB wrote:

How do you expect people to actually test for holes in security if there is no hope of reward and a fear of reprisal? Granted, penetration testing should ALWAYS be done with EXPLICIT permission of the client, so drew_benton posting this here is by no means enough to get him exemption from the rules; as things stand now, he should expect a ban if he exploits the game. However, we should be encouraging interested people like drew to apply for that permission and recommend that GGG give their permission. You told drew "no;" you should have told him "not yet."


No, I told him that in his specific examples about how the game should have these 'features' built in (two examples from the leagues) he was wrong, and he should not be allowed to use his zoom and brightness hacks to gain a competitive advantage. It is a real possibility that that is not what I said, but it is what I meant.

"
ScrotieMcB wrote:

Well I don't think he should be revered; thanking him is more appropriate. Letting us know about some of the currently available hacks helps the situation. An admonishment for exploiting without obtaining permission first might also be in order, but you seem totally blind to the principle behind that.

and
"
ScrotieMcB wrote:
There's a world of difference between breaking the rules and having malicious intent. Nevertheless, this is still a far more reasonable outlook than displayed in, say, your post I quoted.

I am not blind to the fact that in beta test and in alpha test and hell even when it goes live, testing like this should be tolerated. That is not what I am saying, my argument was always that as OP seemed to see it, these sorts of hacks should be tolerated or the game should be redesigned in impossible ways to give everyone the same advantage.
His logic seemed to be that because he could maphack, he should be allowed to, and that furthermore everyone else should be allowed to as well. On top of this he seemed to indicate that this should be tolerated as long as the game allowed for it, so basically forever because it's impossible to not allow a maphack for someone persistent enough.

"
ScrotieMcB wrote:

In this little microcosm, we are society and GGG is the government. I think it might be very practical, under certain circumstances which should be regulated, for people to be hacking PoE to the utmost of their ability. And to expect to be rewarded, even if only with kudos.

No argument there, it does sound like we sort of agree but use different words to describe it.

"
ScrotieMcB wrote:
I see you're a very law-and-order person. Those types and white-hats rarely get along.

I'm really not, I'm a 'fairness' kinda person. I dislike people who cheat at these sorts of games. I mean, yes it is possible to cheat. But we all agree to not do so, so we should not be cheating.
I rather like white-hats, grey and black-hats too, they tend to be interesting people.
Closed beta member since: March 19, 2012
Quite simple: don't try to cheat. GGG has the ability to monitor their work, you think they'd be foolish enough not to? Unless you work for them, you shouldn't be trying to "push the envelope" unless you are willing to lose your accounts.

It's people like you that ruin online games, damn lazy fools that are always looking for an edge over someone else by cheating.
You're making it sound as if a ban is the only reply one would get for mailing a self-discovered exploit to GGG in hopes of it being patched, which is imo hardly the case with them.
Code. Frag. | gplus.to/mystrdat | twitch.tv/mystrdat
