

This is a discussion on "Fighting Back: Exploits, Vulnerabilities, Hackers." in the Top Mud Sites MUD Administration forum :

Old 02-03-2005, 05:59 PM   #1
Raewyn
New Member
 
Join Date: Feb 2005
Location: Chicago, Illinois
Posts: 8
Dear Everyone,

It is daunting and unfortunate to see the fall of beautifully authored worlds caused by theft, exploits, or other vulnerabilities. Whether or not "our code was taken" will forever be a cliche within the community is uncertain, but regardless of how much intellectual property, source code, or binaries are protected, it still begs the question, "Why do bugs still make their way into our realms?"

I pose this question. In your experience, if you were to choose 5-10 different types of exploits / vulnerabilities, such as shell access, in-game inconsistencies, buffer overflows, players themselves, staff members, bribes in administration, politics, or others, how would you rank them both in terms of their danger to your world and in terms of their frequency? How often do they occur? How dangerous are they when they occur?

Finally, in your opinion and if you would not mind sharing, what was the cause of the exploit and how did you prevent it from happening again (or were you proactive in preventing it?)?

Perhaps one day the dissonance in the harmony will end. We're just trying to create a fun world, right?

Sincerely,

Raewyn
Old 02-04-2005, 06:35 AM   #2
Robbert
Member
 
Join Date: Apr 2002
Location: #### Paso, Tx
Posts: 89
1. Owner ignorance. This involves the owner asking someone to code for them and the programmer 'steals' the code after getting access (Frequent) (Very damaging)

2. Immortal disillusionment. Immortal with access becomes disillusioned with the progress of the game, and acquires a copy of the source. (Common) (Most Damaging, because Immortal can lure players away)

3. Owner ignorance, v2. This involves the owner having incorrect permissions set on their shell account, giving access to unscrupulous users within the shell. (Occasionally) (Limited Damage, those who do this usually are too ignorant to run the game)

4. In-game advantages. This is where there is a flaw in the design of the game, allowing the violator to advance significantly over their peers in a short period of time. Usually the result of improper programming or design. (Frequent) (Damaging until resolved)
Old 02-05-2005, 02:04 AM   #3
fjin
New Member
 
Join Date: Jun 2004
Posts: 15
I guess you really meant Crackers - instead of Hackers.
Old 02-05-2005, 05:54 AM   #4
Molly
Senior Member
 
Join Date: Apr 2002
Location: Sweden
Home MUD: 4 Dimensions
Posts: 475
1. I guess the main thing to think about is to be very careful about WHO you let into your shell.
Never hire coders 'from the street'.
Never give anyone shell access at all, unless you know them well in RL, or have worked with them for a long time on line, and know that they are trustworthy, that you get along personally, and have basically the same goals for the Mud.
And make sure that your shell security is high.

2. Apart from shell security I'd say that the biggest danger of a Mud going bad is cheating and/or corrupt imms. Again it boils down to who you trust with an imm char. And if, despite your precautions, you end up with a bad egg in the imm basket, slam down on it hard. Throw untrustworthy imms out immediately. No second chances, they'll most likely abuse those as well.

3. As for the players, I think rumour mongers are the worst. Rumours spread incredibly fast in a mud, and if they are malicious ones, they can be really detrimental to the society, because they affect player relations and break down trust. A certain type of players seem to like to spread malicious rumours or blatant lies just out of spite, best keep an eye on those.

4. DDoS is hard to protect against, even big companies have had their websites brought down by this. We had a couple of rogue players DDoS the mud some years ago after getting into a brawl with some other players, and in the worst case, (which happened on a Friday night when the coder was away for the weekend), the mud was down three days. After that extensive measures were taken to make the server more safe against attacks, and they in turn have led to some secondary technical problems that are a pain in the ass.

5. Bad scripting or badly balanced features can lead to a lot of grief, if a few unscrupulous players find out about them before they can be fixed, and take advantage of them on a massive scale. (This is reasonably easy to remedy once you get aware of the problem, but you must know that it exists, before you can do anything). Try to get your players to report all bugs, it helps a lot.
Old 02-15-2005, 08:34 AM   #5
Enigma
New Member
 
Join Date: Feb 2005
Posts: 3

There is one thing we have found very effective as a deterrent against in-game cheaters (the other problems were all solved long ago but despite stringent quality control new areas/items/spells/classes occasionally provide players some new bug to abuse).

That is that rather than fixing a bug immediately sometimes we just log everyone using it and leave it for a week or a month before fixing it.

At that point all people abusing it can expect to see characters deleted and/or suspended. Naturally people who reported the bug to us instead of exploiting it don't get in trouble :-)

It's amazing how many people start reporting bugs instead of exploiting them for a few years after we do that :-)
Old 02-15-2005, 03:20 PM   #6
the_logos
Moderator
 
Join Date: Sep 2002
Location: Mill Valley, California
Posts: 2,101
One potentially valuable tool that nobody's mentioned is statistical work. For instance, to take a simple example, if your in-game currency is gold, you can easily track how much gold is in the game, how much is produced daily and how much is consumed daily. A significant jump over your average daily production would tell you that you need to look for duping exploits or quest exploits or exploits in however players produce gold.

Can do the same thing with any resource in-game. For instance, we've found a few quest exploits by just ensuring we record all xp and gold gotten from doing quests and then looking for quests which are suddenly producing more xp and gold than they historically have.

Stats are your friend. You can't keep enough of them.

--matt
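
The production-tracking approach described in the post above, as an added example that is not part of the thread or of any MUD's code: it totals gold created per day and per source, then flags days far above the trailing baseline. It goes slightly beyond the post by using a median/MAD baseline instead of a plain average, so days already inflated by an exploit do not hide the days that follow. The ledger format, source names, window and threshold are all assumptions, and the data is constructed.

```python
from collections import defaultdict
from statistics import median


def build_sample_ledger():
    """Constructed data: one (day, source, gold_created) row per source per day."""
    ledger = []
    for day in range(1, 15):
        ledger.append((day, "quest:rat_cellar", 900 + 10 * (day % 3)))
        ledger.append((day, "quest:escort_caravan", 1500 + 25 * (day % 4)))
        ledger.append((day, "mob_drops", 4000 + 50 * (day % 5)))
    # Days 12-14 simulate a quest whose reward can suddenly be claimed repeatedly.
    for day in (12, 13, 14):
        ledger.append((day, "quest:escort_caravan", 9000))
    return ledger


def totals_by_source(ledger):
    """Return {source: {day: gold}} plus an 'ALL' series for the whole game."""
    out = defaultdict(lambda: defaultdict(int))
    for day, source, gold in ledger:
        out[source][day] += gold
        out["ALL"][day] += gold
    return out


def robust_score(value, history):
    """Distance of value above the median of history, in units of scaled MAD."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # 1.4826 * MAD approximates one standard deviation for normal data.
    # Fall back to 5% of the median when the history is perfectly flat.
    scale = 1.4826 * mad or max(1.0, 0.05 * med)
    return (value - med) / scale


def flag_spikes(series, window=7, threshold=6.0, min_history=5):
    """Return [(day, value, score)] for days far above the trailing baseline."""
    days = sorted(series)
    flagged = []
    for i, day in enumerate(days):
        history = [series[d] for d in days[max(0, i - window):i]]
        if len(history) < min_history:
            continue  # not enough data yet to call anything unusual
        score = robust_score(series[day], history)
        if score > threshold:
            flagged.append((day, series[day], round(score, 1)))
    return flagged


def find_suspect_sources(ledger):
    """Return {source: [flagged days]} for every series with at least one spike."""
    report = {}
    for source, series in totals_by_source(ledger).items():
        days = [day for day, _value, _score in flag_spikes(series)]
        if days:
            report[source] = days
    return report


if __name__ == "__main__":
    report = find_suspect_sources(build_sample_ledger())
    for source, days in sorted(report.items()):
        print(f"{source}: production spike on days {days}")
```

The game-wide series shows that something is wrong; the per-source series shows which quest to audit.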
Old 02-16-2005, 02:13 AM   #7
 
Posts: n/a
Quote:
Originally Posted by (Raewyn @ Feb. 03 2005,17:59)
"Why do bugs still make their way into our realms?"
Short answer. You suck or whoever coded your game sucks. ;-)


Quote:
Originally Posted by (Raewyn @ Feb. 03 2005,17:59)
Finally, in your opinion and if you would not mind sharing, what was the cause of the exploit and how did you prevent it from happening again (or were you proactive in preventing it?)?
All the advice on securing your server, your shell and your source is sound. Those attacking your mud from outside the mud are the problem children.

I personally don't consider anyone who exploits bugs or takes advantage of any flaw (or perceived flaw) in the game to be a cheater at all. Even repeatedly crashing the game is fair play as far as I'm concerned. IMO, the only people who can cheat in a mud are immortals (By can I mean have the capability).
 
Old 02-16-2005, 04:05 AM   #8
the_logos
Moderator
 
Join Date: Sep 2002
Location: Mill Valley, California
Posts: 2,101
Quote:
Originally Posted by (Tyche @ Feb. 16 2005,02:13)
I personally don't consider anyone who exploits bugs or takes advantage of any flaw (or perceived flaw) in the game to be a cheater at all. Even repeatedly crashing the game is fair play as far as I'm concerned. IMO, the only people who can cheat in a mud are immortals (By can I mean have the capability).
"Cheater" is just a name, imbued with whatever value you choose to place on it.

Regardless, the reality is that the game operator has absolute discretion in terms of defining cheating in any meaningful way. You may not feel you're cheating if you're crashing the game repeatedly, but you'd be banned and, if you somehow found a way to do it such that you couldn't be quickly stopped, you'd also quickly be sued in the case of a commercial MUD, and you'd lose. I'm guessing criminal penalties would also be applicable but I'm not a lawyer.

So I mean, whether it's "cheating" or not doesn't really matter. It's semantics. If the developer feels certain players or actions are harming the developer's interests (which are generally oriented around ensuring its players are generally enjoying themselves), the developer is going to take action (and reasonably so).

--matt
Old 02-16-2005, 04:28 AM   #9
KaVir
Legend
 
Join Date: Apr 2002
Name: Richard
Location: München
Home MUD: God Wars II
Posts: 1,518
Quote:
Originally Posted by (Tyche @ Feb. 16 2005,08:13)
Quote:
Originally Posted by (Raewyn @ Feb. 03 2005,17:59)
"Why do bugs still make their way into our realms?"
Short answer.  You suck or whoever coded your game sucks. ;-)
Don't joke - I've heard people who really thought that, and some readers might take your comment seriously.

“There is a myth that if we were really good at programming, there would be no bugs to catch. If only we could really concentrate, if only everyone used structured programming, top-down design, decision tables, if programs were written in SQUISH, if we had the right silver bullets, then there would be no bugs. So goes the myth. There are bugs, the myth says, because we are bad at what we do; and if we are bad at it, we should feel guilty about it. Therefore, testing and test case design is an admission of failure, which instills a goodly dose of guilt. And the tedium of testing is just punishment for our errors. Punishment for what? For being Human? Guilt for what? For failing to achieve inhuman perfection? For not distinguishing between what another programmer thinks and what he says? For failing to be telepathic? For not solving human communication problems that have been kicked around... for forty centuries?” -- Beizer, 1990, quoted in [Pressman-01].

A study by DeMarco and Lister (the authors of Peopleware) concluded that professional programmers average 1.2 bugs for every 200 lines of code they write. Now remember that most muds are very large, and that most mud coders are not professionals.

Quote:
Originally Posted by
I personally don't consider anyone who exploits bugs or takes advantage of any flaw (or perceived flaw) in the game to be a cheater at all. Even repeatedly crashing the game is fair play as far as I'm concerned.
Having your users test your software is a great way to track down problems, but they need to have the incentive to want the problems fixed. Take an example like Microsoft - almost all of their customers want to have a secure and stable system, therefore they're personally going to benefit from reporting bugs. On the other hand, imagine if it was a piece of banking software and you said to your customers "You can exploit bugs or take advantage of any flaw without repercussions". Do you really think anyone would report how they could make the machine give them free bank notes? On the other hand, if you said that such exploitation was theft, you'd find more people willing to inform you - and if you offered a large financial reward for such information, you'd find people deliberately trying to find and report the bugs purely to claim the reward.

In a mud, the usual approach is to punish those who exploit bugs, and/or reward those who report them. If the reward is greater than the benefit gained from the bug, and/or the punishment severe enough to not make the risk of being caught worthwhile, then the number of people exploiting bugs will decrease.

On the other hand, if you offer no punishment or reward, the player will be encouraged to keep using the bug and not reveal it. This can often be detrimental to the enjoyment of the rest of the players, and also forces the developers to waste a lot of their time tracking down bugs instead of improving the game.
Old 02-16-2005, 09:37 AM   #10
 
Posts: n/a
Quote:
Originally Posted by (the_logos @ Feb. 16 2005,04:10)
"Cheater" is just a name, imbued with whatever value you choose to place on it.
That's right. It's also a very localized perception of how a particular game ought to work by a subset of a game's players, and/or more importantly the admins running them. What constitutes cheating on your game, ain't cheating on my game, and may or may not be cheating on Buffy's game. Furthermore we ought to acknowledge that it is largely bereft of any real world moral value. The players shouting "Hey batter batter! Swing!" to rattle the batter in a baseball game go out on the links and shout "Hey duffer duffer! Swing" and suddenly find themselves to be dirty rotten cheatin' scoundrels at golf. Not so copyright infringement or unauthorized shell access. Those are quite different in my mind than what occurs within our games.

Of course it's only fair to acknowledge those things which we must assert which are beyond our control as well. Regardless of whether we agree, the laws of our country/state on the operation of an internet service, the terms of one's ISP, upstream provider or mud service provider give cause that we must assign and enforce a morality in our games.

And yet people who admin certain muds thoughts on what cheating is or is not, are remarkably similar and can often be shown to be a direct result of being imprisoned in procedures and practices associated with a particularly poorly designed or implemented game. Dare I mention that multi-playing and user scripting are great and wonderful features of muds in a crowded room of Diku admins? I recall reading a post sometime back where a mud admin was lamenting the scoundrels who designed foul clients like Zmud and MushClient that have *gasp* triggers, *gasp* scripting, and *gasp* multi-session capability. What sort of unscrupulous people would give players those powers?! Tut tut.

Quote:
Originally Posted by (the_logos @ Feb. 16 2005,04:10)
Regardless, the reality is that the game operator has absolute discretion in terms of defining cheating in any meaningful way.
I'm less interested in admin's rights, but rather the effects. I and every other admin know that we can do pretty much anything we want to players, including breaking our own rules. We can torture, maim, mock, harass, delete, exile, imprison, jail, silence, and ban the buggers for any reason. We can make up the reasons. They don't have to be consistent, they don't have to make sense, they can be ex post facto, and they don't have to be, and rarely if ever are, objective. No it's not our rights, but invoking them every time something goes wrong in our narrow little worlds I find to be sad. I think it's more of a social design principle I'm trying to express:
Big brother really really sucks. The less you have to invoke your rights, the much better off your game and players will be. The more you extend powers to players or enable them to enforce their own rights, the happier both you and they'll be.

I would add that there are plenty of people playing muds who don't want freedom. Not to worry as there is little danger of games and mud admins who view themselves as big brother or sister that treat players like subjects will disappear. :-)
 
Old 02-16-2005, 06:49 PM   #11
the_logos
Moderator
 
Join Date: Sep 2002
Location: Mill Valley, California
Posts: 2,101
Quote:
Originally Posted by
Furthermore we ought to acknowledge that it is largely bereft of any real world moral value. The players shouting "Hey batter batter! Swing!" to rattle the batter in a baseball game go out on the links and shout "Hey duffer duffer! Swing" and suddenly find themselves to be dirty rotten cheatin' scoundrels at golf. Not so copyright infringement or unauthorized shell access. Those are quite different in my mind than what occurs within our games.
Well, morality is of course a personal thing. Quite a lot of people on these forums, for instance, seem to think there's nothing wrong with copyright infringement. I disagree, but will recognize it's a personal matter when it comes to morality. Happily, in the end, it's not the morality of it that matters, but the reality of it, which, as you recognize, is that the power is with the game operators and those whose side the law is on.

Quote:
Originally Posted by
Big brother really really sucks.  The less you have to invoke your rights, the much better off your game and players will be.  The more you extend powers to players or enable them to enforce their own rights, the happier both you and they'll be.
Better is as subjective as morality. What's better to one person isn't better to another. Remember LambdaMoo, after all. Their players were so unhappy governing themselves they turned power back over to the admins.

What is nice about having admins in charge is that the rights that need enforcing can be laid out from above. When put in the hands of players, there will be no consensus about what rights one has against other people that need enforcing. I may feel that it is my right to a free education on your dime, for instance. You may disagree. I may feel it's my right to be free of all OOCness around me. You may disagree. Admins are able to simply lay out what rights you have and don't have as respects other players, leaving everyone playing on the same field.

--matt
Old 02-17-2005, 03:53 AM   #12
KaVir
Legend
 
Join Date: Apr 2002
Name: Richard
Location: München
Home MUD: God Wars II
Posts: 1,518
Quote:
Originally Posted by (the_logos @ Feb. 17 2005,00:49)
Quite a lot of people on these forums, for instance, seem to think there's nothing wrong with copyright infringement. I disagree, but will recognize it's a personal matter when it comes to morality.
If you disagree, then why did you all but encourage people to violate the Diku licence?

I think it's fairly obvious to most of us that your definition of "morality" means anything that helps promote your games, and to be honest I'm getting thoroughly sick of your constant stream of veiled insults towards other forum members. Take your flamebait somewhere else.
Old 02-17-2005, 05:04 AM   #13
the_logos
Moderator
 
Join Date: Sep 2002
Location: Mill Valley, California
Posts: 2,101
Quote:
Originally Posted by
Quote:
Originally Posted by the_logos,Feb. 17 2005,00:49
Quite a lot of people on these forums, for instance, seem to think there's nothing wrong with copyright infringement. I disagree, but will recognize it's a personal matter when it comes to morality.
If you disagree, then why did you all but encourage people to violate the Diku licence?
What I wrote is completely ethically neutral. There ARE people on this forum who see nothing wrong with copyright infringement. There are multiple members of the forum that openly violate the Lucas license, for instance. I think it's wrong, but if Lucas doesn't care enough to do anything about it, I don't either.

I have never encouraged anyone to violate the Diku license. I've stated, multiple times, that your interpretation of the DIKU license is naive and fatally flawed. You've taken offence at that. Understandable. Your entire MUD identity is built on your little crusade and nothing can be allowed to threaten that belief system. The DIKU license prohibits revenue, not profit in your mind. The DIKU license prohibits making money from it at all, not just making money from distribution. American law exists in statute, not in case law. These are your beliefs, and though they're not grounded in reality, you're welcome to take refuge in them.



Quote:
Originally Posted by
I think it's fairly obvious to most of us that your definition of "morality" means anything that helps promote your games, and to be honest I'm getting thoroughly sick of your constant stream of veiled insults towards other forum members.  Take your flamebait somewhere else.
So young, so bitter.

--matt
Old 02-17-2005, 05:46 AM   #14
KaVir
Legend
 
Join Date: Apr 2002
Name: Richard
Location: München
Home MUD: God Wars II
Posts: 1,518
Quote:
Originally Posted by (the_logos @ Feb. 17 2005,11:0…)
I have never encouraged anyone to violate the Diku license.
You listed a number of opinions which went against the stated wishes of the Diku team and claimed that they were "easy, essentially rock-solid ways to avoid violating the license" (while profiting from the code), and then went on to say that you'd "be happy to help any mud that wants it do this" and that "it's never going to get to court as the license holders suffer no damage from third parties generating revenue from DIKU".  That sure sounds like encouragement to me, and not at all "ethically neutral".

Quote:
Originally Posted by
Your entire MUD identity is built on your little crusade
No, my mud identity is built on having created the most popular PK codebase on the net, and was well established long before you started creating your first mud.  My interest in defending the rights of mud developers is just a sideline interest.
Old 02-17-2005, 03:27 PM   #15
the_logos
Moderator
 
Join Date: Sep 2002
Location: Mill Valley, California
Posts: 2,101
Quote:
Originally Posted by (KaVir @ Feb. 17 2005,05:46)
No, my mud identity is built on having created the most popular PK codebase on the net, and was well established long before you started creating your first mud.  My interest in defending the rights of mud developers is just a sideline interest.
Quote:
Originally Posted by
You listed a number of opinions which went against the stated wishes of the Diku team and claimed that they were "easy, essentially rock-solid ways to avoid violating the license"
So, what you're saying is that I offered to help show people how to not violate the license? Is that what you're accusing me of? My god, that's quite a strong accusation to make.

I realize you have historically had a difficult time understanding this, but what the DIKU team says is not really relevant to the license itself. (and it's not certain, by any means, that the DIKU team owns the license. It's reasonably likely that if it went to court it'd turn out to be owned by the university, whom Hans & company are not representatives of.) Licenses stand on their own, and in American IP law at least, the onus is on the contract drafter to spell out what the terms of the contract are before the contract is executed. What the contract drafter says afterwards is no more relevant than what the contract accepter says afterwards. It's not as if Raymond Feist could speak up now and change the terms of the license he granted us now just because he felt he left something out of the license.

What you constantly insist on is that people follow provisions of the license that don't exist. You're welcome to do that, but there's no reason for people to care about your version of the license.


Quote:
Originally Posted by
My interest in defending the rights of mud developers is just a sideline interest.
You're not interested in defending the rights of mud developers. You're interested in restricting their rights by trying to impose non-existent license terms on them.

--matt
Old 02-17-2005, 05:23 PM   #16
Valg
Moderator
 
Join Date: Apr 2002
Home MUD: Carrion Fields
Posts: 637
the_logos: I realize you have historically had a difficult time understanding this, but what the DIKU team says is not really relevant to the license itself.

There's always the issue of respecting the stated wishes of the people who provided the codebase to the greater community (*), rather than trying to invent ways to weasel around their words and intent.  However, I realize you have historically had a difficult time understanding ethics.

(*): Insert your tired "rising tide raises all ships" cliche here.  Not that you ever pass up chances to deride the rest of the community.  But we like to play along when you ooze up to the podium and smarm it out.  You're cute when you 'umbly get all Uriah Heep.