Howdy, Stranger!
It looks like you're new here. If you want to get involved, click one of these buttons!
Quick Links
Modders, Hackers, Scripters, and Security...
GrayGhost79
Member UncommonPosts: 4,775
For me I like less chance for players to mess with things. In a PvP centric game especially, the less scripts, mods, hacks, and macros the better in my personal opinion. CU developers seem to have a different stance....
http://camelotunchained.com/en/making-a-game-out-of-the-web/
Am I the only one that sees the disaster that can come from this? This seems like the most unsecure setup an MMO has ever attempted. Its like leaving your door wide open with a sign saying "take and do what you want, we won't be home for a month!".
Does anyone have anything that can put my mind at ease a bit? The level of accessibility, scripting, and modification they are talking about allowing seems excessive.
After reading the whole thing and even the technical notes I know some nasty things I can do right from the word go and I'm not that skilled or nefarious.
Comments
Killing dragons is my shit
No, they are talking a great deal more access and modifications than EQ and WoW. They even gave this little disclaimer at the end...
"Don’t destroy the server; it’s where you keep your stuff."
What is directly reported to the client from the server during gameplay is to be under heavy security.
The UI and other information that players can use for making websites and tools will be web based so that area is entirely open to players but has nothing to do with security during gameplay.
You stay sassy!
Too soon to tell bub, please don't start more threads of doom n gloom until we got hands on. Thats my expert advice for free.
They are taking those concerns seriously. They arent putting actual internal game functions in the hands of the players.
How much health your character has isnt going to be in HTML. Maybe you could make it look like you had more on your end, but it would just be an illusion that only you could see, it wouldnt have an effect on anything server side.
Some level of UI modding exist in pretty much all popular MMO's. That is what they are talking about. This just makes it much more open and easier to learn how to mod the UI yourself.
Sorry, this is something that concerns me with a PvP only game. If players weren't being asked to fund the game prior to a hands on your expert advice might have been good.
More explanation is needed for me from MJ.
I really don't think they are talking about more than just UI and Custom Macro buttons, which like I said are all in games like Everquest 2 and WoW already. Hell, you can even program keyboards to do most of this stuff now too.
I understand what you're saying and the concern, but I don't think that it will be an issue. There's a very few things that you can hack in an MMO. Usually it's run speed and botting. Only because run speed is user side, usually.
Killing dragons is my shit
Edit: You can read the whole thread but Andrew starts at #33
http://www.mmorpg.com/gamelist.cfm/game/926/view/forums/thread/381408/page/4
"First, dont expect to make XMLHttpRequests directly from your own JavaScript if you want to run within the game. We plan to implement a lightweight JavaScript library to act as an intermediary. When running standalone on the web, this library will still speak AJAX and WebSockets...
On the other hand, when your (or our) code is running in the game and using that library, for performance reasons some calls will be redirected into the client rather than actually making an HTTP request. Well encourage and very likely enforce that everyone use that library rather than going directly to our server. That will ensure UI mods can be as responsive as possible by using data the client has already cached locally, while still preserving the ability to work standalone."
He is mostly talking about speed.. but this gives you an idea how it will be networked into the system to prevent hacks/mods/DOS/etc...
"Access to characters? Statistics for your realm? The state of the war and frontiers? All there."
"Have you ever wanted access to your guild chat from someplace other than a full-on game client? It’ll be right there at www.camelot-unchained.com/guildchat (link doesn’t work…yet)."
"But as a general rule, your entire in-game social life and much of your economic life will be accessible from anywhere, in any modern web browser, without plugins, in exactly the same form as when you’re running our big shiny standalone 3D desktop client."
"Our web API is our first and foremost API. That means that anything you can access in-game, you can access and display on your own website, running your own code."
I mean besides things like auto heals, buff bots, and etc. this just opens the game up to much outside of the game in my opinion.
I don't know, maybe I'm reading to much into this but even things like DDOS'ing someones guild chat seem possible with something like this. If realm chat is accessible offline what happens when one realm makes a move on another and decides to DDOS their chat?
I checked, and no he didn't answer any of my questions. He goes on about how the performance will be and that the whole game isn't written in HTML and Java. He doesn't talk about potential security risks, DDOS attacks on the chat servers, auto heal scripts, buff bots, DDOS attacks on the game servers since we can access them to some degree while out of game, security of those servers from the more skilled "hackers" and such that have done a great deal of damage over the years to games that have had extreme security measures and limited access a great deal more than CU seems like it will.
From the Technical Notes:
"There is a strong possibility that when running in-game, UI mods will be limited so they can’t talk to any servers other than our own (and via our library at that). When code is running in the wild we obviously won’t be able to enforce that limitation, so the token you get will instead provide less access than going through a logged-in and trusted client. Initially, expect a binary system: You’ll either have full access to a character or you’ll have the ability to send data to the outside world, but not both at the same time. We want to make finer-grained controls happen eventually, but “eventually” may not happen in version 1.0 because working through the implications of every possible combination of mix-and-match permissions is not something that can or should be rushed. As a first step the “limited information but with outside access” may become an alternate mode when running in the client.
The “limited” mode will still include nearly all social and economic data, though. What we’re unlikely to provide when code has access to outside servers is realtime, detailed combat data, exact locations, and similar things that pertain to the action immediately occurring in the game world. We want to actively prevent anything resembling a “global shared hivemind” radar/GPS overlay, so expect information with immediate tactical value to be aggregated, summarized, and deliberately lagged when viewed from the outside."
The "don't destroy the server" message wasn't to players, it was a rule of thumb for the CSE devs to keep in mind while creating this system.
Yes, I read all of that. None of it however answers any of my questions. If it had, I wouldn't have asked them.
Chat they've already said will be real time. Its going to be the exact same system outside of game as it is inside of game. How are they going to address the potential for DDOS'ing in game chat servers?
The level of scripting allowed and UI customization is going to facilitate a number of frowned upon macros and scripts that most games intentionally limit customization to prevent. How are they going to prevent scripts that are frowned upon in the PvP community?
The level of access outside of game is greater than other higher budget MMOs that already continually struggle with security. How are they going to address this increased risk when companies with larger budgets are struggling with security while allowing less access?
Right.
Here's the thing:
WoW has a hugely customizeable UI and Add-On / scripting capability. WoW doesn't generally get hacked.
They're basically replacing lua / XML with HTML and a limited javascript API.
Sure they'll have to be a bit careful, but I don't see the major difference between existing WoW Addons and XML and what Andrew proposed. From a security perspective, it doesn't seem to be too different. There's data that is accessible to the client, and a subset of data that is accessible to addons / UI. From there, he's stating that there will be another constraint limiting data externally (e.g. to the web).
So while the potential of hacks / etc is there, I don't see it as larger than other games.
The DDOS question will be more interesting though, if you can input from from the web (e.g. chat). That will hopefully be something they investigate very carefully. Otherwise I'd be happy with an export-only capability. Good enough to datamine and camelotherald IMO if fancy won't work.
I want them to explain why I shouldn't be worried about these things.
Why should players not be concered if servers or databases are accessible outside of the game client?
Why should players not be concered with DDOS attacks of chat servers for guilds and realms if they are accessible outside of the client?
Why should players not be concered with the level of UI modification, hacking, and scripting being abused to make unfair macros and cheats/hacks?
http://www.pcmag.com/slideshow/story/303629/hacker-apocalypse-strikes-world-of-warcraft
Thats simply one example...
"Stormwind, jewel of Azeroth. Orgrimmar, the point of Kalimdor's spear. Both iconic World of Warcraft cities were struck by a mysterious plague that killed off hundreds if not thousands of players. You can imagine that the streets ran red with blood. (You'll have to; there is no blood in WoW.) Skeletons (the unmoving kind) were stacked high in the streets and buildings. The dead ruled World of Warcraft that day.
Blizzard instantly formed a crack strike team to investigate what was now called the “WoW apocalypse,” or the “WoW mass murder hack." The obvious conclusion? Hackers. Griefers of the worst order."
This is of course a game that gives less access to their servers than CU is claiming they will. They also have a much larger budget.
How does any online game prevent the entire game from being hit with a DDOS attack? The fact that the UI is based on web infrastructure doesnt really make this any easier.
If it is an issue, there are methods you can use to combat DDOS attacks.
What exactly do you want? They arent going to give you exact internal specifications and most people wouldnt understand if they did. You dont want that stuff public anyway, the only reason to need it is for trying to find a way around it.
I hope I wasn't the only one that got The Tick reference there.
I like the idea behind the web UI. Be nice to keep in touch with people on the go, while they're in game.
The add-ons are a different thing all together. For a game that is against hand-holding, I think add-ons will be a counter to this. Not to mention that some add-ons might become so good, that you are gimping yourself for not using it.
I'm all for free reign of add-ons on a test server. Then permitting it doesn't crash things, submitted to the testing team to see if it a) works, b) doesn't break stuff, c) doesn't go against the FPs and d) approved by Andrew's team as being hack free. Then it should be available to the players as a drop-run option or else in the game's base UI available for everyone straight from the game. That way it's not coming from a 3rd party, approved by CSE, and tested for hacks and viruses.
Sorry, the part I was reffering to as far as DDOSing goes is this...
"Have you ever wanted access to your guild chat from someplace other than a full-on game client? It’ll be right there at www.camelot-unchained.com/guildchat (link doesn’t work…yet). This won’t be some lesser, limited version of what you have in-game; it will be the exact version from the game. Access to characters? Statistics for your realm? The state of the war and frontiers? All there."
It wasn't simply because the UI was based on web infrastructure.
I've explained what I want, I want MJ or someone from CSE to explain why I shouldn't concern myself with DDOS attacks on chat systems that are fully accessible outside of game.
How does any online game prevent the entire game from being hit with a DDOS attack? The fact that the UI is based on web infrastructure doesnt really make this any easier.
If it is an issue, there are methods you can use to combat DDOS attacks.
What exactly do you want? They arent going to give you exact internal specifications and most people wouldnt understand if they did. You dont want that stuff public anyway, the only reason to need it is for trying to find a way around it.
Sorry, the part I was reffering to as far as DDOSing goes is this...
"Have you ever wanted access to your guild chat from someplace other than a full-on game client? Itll be right there at www.camelot-unchained.com/guildchat (link doesnt work yet). This wont be some lesser, limited version of what you have in-game; it will be the exact version from the game. Access to characters? Statistics for your realm? The state of the war and frontiers? All there."
It wasn't simply because the UI was based on web infrastructure.
I've explained what I want, I want MJ or someone from CSE to explain why I shouldn't concern myself with DDOS attacks on chat systems that are fully accessible outside of game.
I would email them if you want a direct reply.
Im going to suspend my disbelief for a moment and just give in to all of your arguments.
If we assume for a moment that DDOS attacks would work against an opposing guild's chat. Any minor strategic advantage would be countered out by the difficulty of what you are proposing and the penalties for being caught. Why would anyone bother? Seriously, every guild has voice chat now.
Better go warn Ventrillo too about DDOS attacks existing, since you apparently think that youre the only one whose ever heard of them.
Seriously, these guys have been designing online games for years, but "oh noes!! they gonna get pwned by DDOS attacks!!!1". They arent any more of a target than anyone else.