
Thread: Intrusive player-run bots

  1. #1

    Intrusive player-run bots

    For the most part, bot programs in AO have provided useful tools and services that were otherwise lacking from the game. I am however really concerned by the rather questionable means in which some bots are being used to gather, store and provide information on players.

    I was on AOSpeak awhile back when a guy informed me that some Omni run bot is basically tracking everyone's log on and log off time to compile a list of any given toon's potential alts. To prove his point, he ran an alts list on me and surprisingly enough the list was about 90% accurate (at least for toons that are indeed on the account containing Traderjill). This felt really intrusive to me, especially for a video game but ok.. not like he can tie that in to characters on another account. Well apparently that isn't the case as there's an element to the alts functionality that allows you to compare any two toons and determine the likelihood that toon A is an alt of toon B.

    I understand this is the internet and there is no such thing as true security but this feels a bit over the top for me. I got into a rather lengthy conversation with a Clan friend of mine this morning that pretty much blew my mind. The alts command seems to be just one piece of the puzzle, he went as far as to say that some people have found a way to hack something in the game that gives them the ability to read private chats and are using that information as part of some sort of spy game. Of course 15 minutes after I had that conversation I saw a related post in game suggestions:

    Quote Originally Posted by McKnuckleSamwich View Post
    While battlestation actually centres around PVP, tower wars centre around dubious tactics, hacking/worming out clientside contained information to enhance intel on opposition movement. That isn't PVP, that's real life comp lit providing advantage that exceeds the battery limits imposed by the actual EULA and game builders intentions.
    I'm not sure what McKnuckle means by "Hacking/worming out clientside contained information" but if there's any ounce of truth to this claim it seems that we have a problem.

    I honestly have no idea who would even address this. I remember Genele kinda turning exploiting back on players by saying that we don't report things but report what? It doesn't seem like it is technically exploiting to simply gather information, to start. Secondly, I've not seen any of this used first hand.. not even the alts thing as that was communicated to me over AOSpeak. All I have are rumors and I'm not tech-savvy enough to even begin to understand how this is being done (if it is being done).

    Anyway, just posting here with the hopes that maybe some people that know or have access to these questionable bot tools are willing to contact Funcom with details so that maybe they can fix whatever is being manipulated. Far-fetched request, I know, but I at least had to try. Honestly, the whole thing just makes me feel uncomfortable with playing the game. It isn't that anything that I say or do in game is so hush-hush that I care if the entire game knows but wow.
    Last edited by Traderjill; Sep 19th, 2014 at 20:12:37.
    You can find me at:
    Battlenet @ Marilata#1680
    Steam @ http://steamcommunity.com/id/marilata

  2. #2
    Creating estimated alt lists? Well, you can remove a great part of the automation by killing the "Peoples of RubiKa"-DB. Just have FC stop supplying that DB that allows those helpful little bots to look up what level a player is, what faction he is, etc. Kill that, and those intrusive bots would still be around, but would have to be fed by actual human beings with player names.
    If you were to put it to a vote, I'm pretty sure the bots and the People of RK DB will go on working for as long as the game will be around. You need to choose here, you can't have it both ways.
    Suppose you can compare it to card counting at Black Jack. That's just simple statistics, and everyone does it in a subconscious way. Casinos call it "cheating". But is it really cheating when you apply a bit of math to a problem? Surely not, if you ask me.

    As for the technical side... it's not too hard.
    0) know a bit about database models and design
    1) calculate the average relog time. you can do that by timing yourself or unwitting friends and bystanders
    2) Log every logon & logoff in the friendslist populated by the People of RK DB. Obviously this will require many many many bot toons running parallel.
    3) Calculate every logon following any logoff for the avg relog time.
    4) Use counters for each "logoff-logon-hit" (increase counter +1)
    5) the higher the counter, the higher the chance that those two are related.
    6) use relations between hitcounts and fitting names to estimate the alt lists. Data point clusters come to mind.
    7) profit.

    A 2nd semester IT student should be able to pull that off.

    Quote Originally Posted by Traderjill View Post
    I'm not sure what McKnuckle means by "Hacking/worming out clientside contained information" but if there's any ounce of truth to this claim it seems that we have a problem.
    Well, imagine what would happen if the Perception vs Concealment calculations were done on the clients instead of the servers.

    I suppose some of the flaws are by design. Back when AO was developed, handling all the calculations that should be server side could not be handled server side, as the computing power and more importantly response times simply weren't available in a way that could have been afforded. These issues have been addressed in the past, many have been fixed.
    Look at a certain third party program that lets you catalog your backpack contents. It does so by accessing AOs process. Injecting itself, if you wish, as a virus or trojan might. The AO code does not make it hard to read data, once you learn what to look for. Neither is it hard to interpret or even simulate AO network traffic as has been shown in the past. So yea... meh.

    I hope this was not too deep a dive into the murky waters that are the discussion of exploitable features and bugs.
    keep smiling
    Najade s, Najengi s, Najngi s, Najmp s, Shadysannz, Toccata, Frobos, Chaodoc, Najcrat, Najtank
    sannz - ENL - NR01-GOLF-11
    a time of changing has begun; the leaves are fallen and undone; inside my spirit starts to run; and all my fears are overcome. - Chiasm, Rewind, 2005

  3. #3
    The tech part I'm not clear on wasn't formulating an algorithm to calculate alts but moreso how people are able to read chat that they are not legitimately a part of in-game. But yep, I see your point in that once you know what to look for it should hypothetically be easy to pull out what you want. I don't think I have an issue with someone doing that for information they are already privy to (i.e. AOIA inventory) but it seems to be a problem if players have figured out how to do it for information they are NOT privy to by normal in-game means. It is that specific type of situation that concerns me a bit.

    Regarding the alts list. I don't think it should again come down to a 'you can't have it all' policy. Why is anyone in game concerned with someone else's alts? Is it because they're searching for a friend or is it because they're wanting to use it to potentially identify so-called cross-faction spies? Are people able to use this information to harass/bother other players on toons that maybe they've logged to because they wish to be left alone? This is a video game that is supposed to be for fun. I should be able to log to a toon that no one knows and play the game (if I want) anonymously. I am probably doing a bad job of explaining my concern.

    I guess this was just one more nail in the coffin for me. AO used to be really entertaining to play and now it seems like if people aren't flat out taking advantage of game mechanics or afk-playing via scripts that they're doing something else that I wouldn't even begin to imagine doing in a video game.

    Seems like less and less people want to play the game legitimately.. I'm not sure why they stick around if their only method to 'win' is to cheat.
    Last edited by Traderjill; Sep 19th, 2014 at 23:14:50.

  4. #4
    You can also track alts with more accuracy using a neural web algorithm, which can figure out who is who by itself. Really easy to implement if you have access to log in / out data (which you said they have)

    It can be used to check if a certain player is on, spies, people that hide alts for any reason... etc
    .. Just wayyyyyyyyyyy toooo wrong. And if it is just the tip of the iceberg.... it is BAD.
    Lainbr - 220/30/70 Meta-Physicist Nanomage - E / Spirals - 220/30/70 Enforcer Solitus - E / Kokusho - 201/22/55 Fixer Nanomage - Equip Soon ;o
    Traderbr - 180/0/0 Trader Nanomage - / Kaoru - 60/0/0 Meta-Physicist Nanomage - totw semitwink
    Proud veteran of Spartans

    To devs: You failed redesigning MPs as NTs with pets. I want my debuffer back.
    Dreamer: Basically - I wish THIS much effort was put in to ALL profs rebalance docs.

    Kintaii: Genele is more hardcore than you, your guildmates, and anyone else you've ever played with
    Anarrina: Trust me, I'm not that scary in real life.

  5. #5
    Would it help to remove the online/offline indicator on people you sent a message to and add a dialogue saying "Player X wants to befriend you, accept/don't accept?"
    Mamman-_ 220/28 Enforcer Pretty!!
    Fluortanten 220/30 Soldier
    Pebble__.i_ 220/27 Shade
    Dogfood_._ 220/23 Agent

    Paradise.

    STATUS OF KYAI: Not breathing
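
The consent prompt suggested in post #5, sketched as an added example (not Funcom's code and not part of the original thread): logon/logoff events are delivered only to watchers the target has accepted. The class, method and character names are hypothetical.

```python
"""Consent-gated presence: logon/logoff events reach only accepted friends.

Hypothetical model, not the game's real friend-list protocol.
"""
from collections import defaultdict


class PresenceService:
    def __init__(self):
        self.pending = defaultdict(set)    # target -> requesters awaiting consent
        self.accepted = defaultdict(set)   # target -> watchers the target approved
        self.outbox = defaultdict(list)    # watcher -> delivered (name, event)

    def request_friend(self, requester, target):
        # Adding a name no longer subscribes to its presence; it only asks.
        if requester != target and requester not in self.accepted[target]:
            self.pending[target].add(requester)

    def respond(self, target, requester, accept):
        # Only the target can grant visibility of their own logon/logoff.
        if requester not in self.pending[target]:
            return False
        self.pending[target].discard(requester)
        if accept:
            self.accepted[target].add(requester)
        return accept

    def revoke(self, target, watcher):
        # Consent can be withdrawn; later events stop reaching the watcher.
        self.accepted[target].discard(watcher)

    def publish(self, name, event):
        # Fan out to approved watchers only; return how many were notified.
        if event not in ("logon", "logoff"):
            raise ValueError(event)
        for watcher in self.accepted[name]:
            self.outbox[watcher].append((name, event))
        return len(self.accepted[name])


def demo():
    svc = PresenceService()
    # Constructed names: one accepted friend, one declined bulk watcher.
    svc.request_friend("Friendlytoon", "Sometoon")
    svc.request_friend("Watcherbot", "Sometoon")
    svc.respond("Sometoon", "Friendlytoon", accept=True)
    svc.respond("Sometoon", "Watcherbot", accept=False)
    svc.publish("Sometoon", "logon")
    svc.publish("Sometoon", "logoff")
    svc.revoke("Sometoon", "Friendlytoon")
    svc.publish("Sometoon", "logon")   # nobody is subscribed any more
    return dict(svc.outbox)


if __name__ == "__main__":
    print(demo())
```

The declined watcher never appears in the outbox, so a friend list filled with names it was not given consent for yields no logon/logoff timeline.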

  6. #6
    funcom has fixed most issues like this

    ... in the secret world. all the suggestions and problem fixes in ao over the development of tsw was put in that game, not here

    doubt stuff like this can be fixed unless they make ao2

  7. #7
    Well I guess it would be technically possible to force the client to connect to chat channels that you would normally not have access to because the client would not subscribe to them due to faction or organization or zone. Then a client could get the chat data of those groups and use it however they wanted. This could be a huge problem if used in PVP settings such as towers. I have no specific knowledge of how this would be achieved but we do know that it is possible to make third party chat programs attach to AO chat. Forcing them to bypass eligible checks for a chat should not be that hard to do. Once you have a chat stream you can use a bot to parse the data however you want and input it into any tools like the methods discussed above. Likewise any information the client has or computes is accessible to someone who puts in the time to access it. The question is who has more info on this and are they willing to share it.

    Ultimately this is a FC failure to not disallow tools like Clicksaver or AOIA that use the AOHooks.dll file or other similar code injection tools a long time ago. It was only a matter of time till someone figured out how to use AOHooks or other similar tools as a starting point to access all info in the client. The next question I have and this is seriously a question, would all of this client access be possible in opening a path where GM commands could be faked to the servers? I mean if someone is forcing their way into chat channels they are excluded from as Jill seems to have come across then bypassing checks for allowed/disallowed actions is possible. All of the above comments are just touching on the beginning of what could be a huge issue for AO. Has someone hacked the client to the point that they can bypass the safety/security layers FC has in place?

    Does FC have audit tools that can run against chat channels and look for toons that should not have access to that channel? Are they constant monitoring or are they manually run tools? At what layer is the command validation processed? OK I don't actually expect an answer to that one as it is critical to security. But I think the point is made.

    Maybe I am reaching, but history with AO has taught me that when people start discussing something (knowledge is getting around) that something has replaced or improved on it and is now the must keep to ourselves secret. So accessing chat channels they don't have access to is a big deal yes but it is the mechanics of that effort that present a much bigger issue.
    Lheann
    President of When I Grow Up

    Lhisa - MA - RK1
    MaxKillz - Enf - RK1
    Namaru - Enf - RK1

    "If you find yourself loosing a fight, your tatics suck."
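
The audit tool asked about in post #7, as an added sketch (not Funcom's code and not part of the original thread): eligibility is evaluated on the server at join time, and a periodic audit re-checks every current subscriber against the same rule. The data model, channel kinds and all names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Character:
    name: str
    faction: str
    org: Optional[str]


@dataclass(frozen=True)
class Channel:
    name: str
    kind: str   # "org", "faction" or "public" (assumed channel kinds)
    owner: str  # org or faction the channel belongs to; unused for public


def eligible(ch, channel):
    if channel.kind == "public":
        return True
    if channel.kind == "faction":
        return ch.faction == channel.owner
    if channel.kind == "org":
        return ch.org is not None and ch.org == channel.owner
    return False  # unknown kinds fail closed


def join(subscribers, ch, channel):
    """Server-side join: eligibility is decided here, not by the client."""
    if not eligible(ch, channel):
        return False
    subscribers.setdefault(channel.name, set()).add(ch.name)
    return True


def audit(subscribers, characters, channels):
    """List (channel, character, reason) for each subscriber breaking the rules."""
    findings = []
    for chan_name in sorted(subscribers):
        channel = channels.get(chan_name)
        for name in sorted(subscribers[chan_name]):
            ch = characters.get(name)
            if channel is None:
                findings.append((chan_name, name, "unknown channel"))
            elif ch is None:
                findings.append((chan_name, name, "unknown character"))
            elif not eligible(ch, channel):
                findings.append((chan_name, name, "not eligible"))
    return findings


# Constructed sample state: names, orgs and channels are made up.
CHARACTERS = {c.name: c for c in (
    Character("Alpha", "Clan", "Org One"),
    Character("Bravo", "Omni", "Org Two"),
    Character("Charlie", "Clan", None),
)}
CHANNELS = {c.name: c for c in (
    Channel("Org One", "org", "Org One"),
    Channel("Clan OOC", "faction", "Clan"),
)}
SNAPSHOT = {"Org One": {"Alpha", "Bravo", "Ghost"},
            "Clan OOC": {"Alpha", "Charlie", "Bravo"}}

if __name__ == "__main__":
    for finding in audit(SNAPSHOT, CHARACTERS, CHANNELS):
        print(finding)
```

Running the audit on a schedule also catches memberships that were valid when granted and went stale later, such as a character that has since left the org.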

  8. #8
    This is just proper thread of the age. With NSA logging all coms, soon ordinary people with skill will be able to. If anything, this improves gaming realism.

    Is it right? No. But it is normal, pretty much when you subscribe to the internet, you are giving away privacy. There is no complete security.

    Then again, as long as my accounts don't get hacked, I am happy with that. For any chat I have online, I have in back of my head a realization: Everything I say can and probably won't be used against me.

    I run org bot, sometimes communication gets quite funny.
    Quote Originally Posted by Michizure View Post
    This'll be fixed for the next patch

  9. #9
    I'm aware of one person that has access to the bot in question, while I do admit the features are pretty cool it's just not something I personally am interested in or am afraid of. Though I do see valid reasons for concerns. Funcom is pretty much a reactive company and not really proactive at stopping things like this, but they were pretty quick to destroy the clan tower bot near the beginning of the server merge..... That made me kinda sad :/
    Dysfunktion.
    Trypants.
    Setup.
    One bright day in the middle of the night,
    Two dead boys got up to fight.
    Back to back they faced each other,
    Drew their swords, and Shot each other.
    A deaf policeman heard the noise,
    He came and killed those two dead boys.
    If you don't believe this lie is true... ask the Blind Man, He saw it too.

  10. #10
    Quote Originally Posted by Lheann View Post
    <snip>
    Has someone hacked the client to the point that they can bypass the safety/security layers FC has in place?
    <snip>
    Your entire post was spot-on and did a much better job of expressing the root of my concerns than I was capable of doing.

  11. #11
    Quote Originally Posted by Lheann View Post
    Ultimately this is a FC failure to not disallow tools like Clicksaver or AOIA that use the AOHooks.dll file or other similar code injection tools a long time ago. It was only a matter of time till someone figured out how to use AOHooks or other similar tools as a starting point to access all info in the client.
    Denying the ability to hook into AO or running chat bots would significantly hurt the game, as these tools have become an essential part of the game play. Exploits and player harassment are violations of EULA, so if FC devs decide to handle issues by closing individual loop-holes or banning/closing specific bots, it would be a viable solution, but this becomes an arms race and FC devs end up spending a vast amount of time chasing down each violation instead of core development of the game. So that's bad for AO.

    Alternatively, FC devs could simply address this problem as a whole and prevent any possibility of chat bots or client hooking, which has been shown as the paradigm that FC uses to address problems like this. Well, can you imagine a AO world without org bots, Clicksaver, and AOIA? these tools have become an integral part of my AO experience, and I don't see FC devs spending resources implementing these features themselves. So this is also bad for AO.

    I can't think of a good middle-ground solution.
    Froobalicious General of Barador Arin.

    -- Playing AO for six years, still a nuub gimp, and proud of it!

  12. #12
    Putting alt/online status checks aside hacking into private/org chats is another matter.
    Something that would ultimately cause jail time. Even when done in game chat.
    I've also heard that there is a bot doing these things..

  13. #13
    What we need now is OT-Prison, a zone that looks like a prison, where we stuff these offenders... and has no zone button to exit. Whoever hacks someone else's client most probably is in breach and violation of some kind.

  14. #14
    That's kinda old news and nope Funcom doesn't care at all as we have already reported this and other issues years ago through a number of ways. They will look into it. Since years.
    If you wonder how far this goes: it's possible to track down anyone's character position in the game which is of course especially an issue when it comes down to notum wars (hint: unfair advantage).

    As for how it's getting done, try google packet sniffing / injection.

  15. #15
    Being easy does not make it any legal. It's still a security breach. There is a lot more than game related chats going on. Even exchanging private information like email addresses and phone numbers.

    This should be a huge red flag for funcom.

  16. #16
    Yes, potentially anyways ...

    I know that many of us, including myself, have the "Expectation of Privacy" with respect to information exchanged in Tells between toons. If this is truly not the case then I believe Funcom has an issue to resolve.

    Emma

  17. #17
    "Expectation of Privacy" with the possibility of FC pulling records of it if needs be, is my stance.
    As for players possibly being able to get it.
    That is severely worrisome
    Freqflyerdnt (Fix) - Codney (MP) - Fiddlybit (Crat) - Breaker117 (Enfo) - Spasticdent (NT) - Fiveof9 (Keeper) - Maleshai (Advy) - Tacitblue (Shade)

    Squad Commander of Ab aeterno animus liberi

    Quote Originally Posted by Lazy
    clearly, it's all because arbalest is clan-only. all the omnis pvpers went clan for arbalest and all the omni pvmers went clan for the 35% xp buff so now the ratio of clan to omni is 9:1 herp derp clan favouritism herp derp devs are clan.

  18. #18
    I don't see it as that big of a deal on the alts list. Most raid bots already have your listing of alts anyway. If you look at an org listing it's generally not too difficult to locate most of someone's alts either if they use similar naming. For example Jill, it's a simple matter to check 1-3 raidbots and do whois "Jill" to get a good sample of your alts. Then compare that to your main org, eliminate any 220/30 traders because it is unlikely you would have 2, and go down the list for your other alts. Marking off any duplicate 220/30's etc etc. Then throw in "online vs last seen" to further narrow the list down for irregular online times. If most your alts are on 3pm to midnight. Any remaining toons that normally log on from 3am to noon eliminate from listing etc etc.

    I can see the use for towers, making sure the best players are not online which is kinda funny but I've seen bots that do that for years just by adding them to "notify on" manually.

    As far as the chat logs...hrm I don't really know how someone would/could do that unless they accessed them directly from your personal PC hard drive.
    ~Anyone can level, but only the wise gain experience~

    *Bronto Burger, serving 10,000 high level noobs daily*

    http://wolf-brigade.webs.com/

    My Story

    Don't feed the Mensa Tralalalala

    Everyday I'm Shuffling.

  19. #19
    All this talk about alts and such is so much less of a big deal than this:

    Bots logging other players log on/ log off habits to find play hours to find the best time to attack their bases to arrive with highest probability of no defence.

  20. #20
    Knuckle I can see the issue with that, but could also be done by a couple of people. Just start a bot or even use an existing org bot have whoever you want to monitor in the bot's notify list.
    Note it down. Granted, if someone is doing this manually they are either very dedicated or, for lack of better words: no-lifers.

    Psikie, maybe using "chat logs" is the wrong wording. I think it isn't so much the capacity might exist to access chat history. More a case of people being able to watch live chats as they happen. And ofc this could then be logged on the watchers' side.(Assuming it is done/is possible of being done)
