Anti-Bot suggestions: 500% magic find hack found

in Suggestions

Posted by: Rufio.5648

Dear ArenaNet,

Today I read a very interesting blog post by TenTonHammer

There seems to be a 500% magic find exploit out there along with:

  • Teleport.
  • Running speed.
  • Wall hack.
    And so on.

I figure this happens because of your architecture. Most MMOs run everything from the server side, so it’s very difficult to mess with the stats of characters and modifiers, but since this is free to play I’m assuming you ask the clients for critical information in order to leave a lot of the processing on them instead of the servers, and this leads to these awful hacks being possible.

I can’t even begin to believe that there are open forums where you can download free hacks and bots that work.

So on to the suggestions:

  • Special anti bot task force should dedicate time to search for bots on Google, you know the regular queries (free, bot, gw2, exploit, hack, etc). Doing this I was able to find dozens of websites and open forums where people get together to talk and test all of this stuff. There are download links too, so you could install these bots and analyze how they work better. I honestly would if I had the time, but this is something that a successful game should be able to pull off.
  • Client side PunkBuster or something like it: It’s pretty simple. Since this is your game and we all accept the user agreement, you should add a little standalone mandatory PunkBuster-like software to look for hacks and “trainers” on the client. I know that PunkBuster has been bypassed by the best hackers, but doing no checking on the client side is way worse than implementing something like this.
  • Finally, make the game more accessible. Most of us were super willing to support your company from the get go; on my guild’s forum poll I chose along with others a category named “Will probably spend more than 15 USD a month on Gw2”, but you know what? Your game handling has been disappointing. Trying your best to sell BLC keys is one of the worst strategies I have ever seen, and most of the stuff is quite expensive. You didn’t remove the carrot on the stick, you just hid it behind RNG and stuff from the gem store. So this makes some of the casual players look for alternatives to obtain what they want. I wouldn’t use bots because they would ruin the fun for me, like back in the day using cheats or trainers on PC games, it just takes the fun out for me, but for many people it’s the only way to obtain the great shinies that you have placed in the game.

TL;DR I love the game, please look up all the free (and paid) websites that are spawning with working bots and hacks and try to stop them from ruining the game for the rest of the people.

Posted by: NightFire.7563

The ONLY thing that worries me is that the anti-hack system will beat down on innocent players. This happens a lot with BattlEye for Arma. Or it completely glitches out and crashes the launcher as it does with xTrap for Elsword.

Since the launcher is barely stable, especially during a huge update, adding something like that will cause more problems.

On the other hand, the bot is actually a good idea. Alongside being able to kill players that are botting. I.e., if a player is reported multiple times for botting, he is free to kill.

Posted by: Deimos Tel Arin.7391

500% magic find?

how is that even possible?

Posted by: Rufio.5648

I’m not sure they claim that 500% magic find is accurate, but the guys from TenTonHammer seem to have tested it and you could (although I do not recommend it) look it up and test it yourself, to me this is game breaking, also I found that they have the suspected Trade Post bot, which basically undercuts the lowest, so they do screw with the market and that’s how you end up with soooooooo many people placing items for 1c above vendor, the bot is doing that just to clear inventory and keep on botting.

Posted by: Antiriad.7160

but since this is free to play I’m assuming you ask the clients for critical information

That’s like the most severe accusation against a development team imaginable in an MMORPG (well ok, except for generating loot for themselves).. any official statement?

Colin ‘The Liar’ Johanson: “Everyone, including casual gamers, by 80 should have the
best statistical loot in the game. We want everyone on equal power base.”

Posted by: Archmortal.1027

I honestly feel like a client-heavy game like that would kind of wreck all of our computers. It does stand to reason that more information is client-side than is probably healthy for a game with this much ambition, as if the information were server-side there would be no feasible way to access it and manipulate it.

Posted by: Rufio.5648

but since this is free to play I’m assuming you ask the clients for critical information

That’s like the most severe accusation against a development team imaginable in an MMORPG (well ok, except for generating loot for themselves).. any official statement?

I assumed that due to the several times ArenaNet has explained the different issues there are right now in the game (they explain how and why player showing lag in WvW and some other exploits have happened) and also because on the bot’s forums they explain that they introduce a proxy which is the one manipulating the data it sends to the server, so yeah, I’m pretty sure it goes like this (super “dumbed down” version):
Server: getPlayerMagicFindCoefficient
Client: Here is my magicFindCoefficient

So with a proxy in the middle of them they can modify everything to their pleasure, this also explains speed and teleport hacks, they basically fool the server into thinking they should be in another place.

The most scary part is their dupe item hack which is supposed to appear on November ><

Posted by: Developer Of War.9871

I hope a code is made to detect all these exploiters and finally http://qkme.me/3riluu

Posted by: Antiriad.7160

I wonder if the CPU-heaviness of the game is also based on putting all the load of stuff usually the server ought to do onto the clients actually.

In that case they might be saving some money while the actual game costs people 350 EUR :-p 50 for the game and 300 for upgrading your rig to enable it to do all the calculations that ArenaNet’s servers don’t feel like doing..

Colin ‘The Liar’ Johanson: “Everyone, including casual gamers, by 80 should have the
best statistical loot in the game. We want everyone on equal power base.”

Posted by: GADefence.5634

Isn’t not putting code on the client side one of the earliest no-no’s of game programming for anti botting?

. . .

There’s only one guy from the original GW team left on the company, right?

Posted by: Rufio.5648

@ Antiriad
It might be, I mean the graphics part is usually the offender, but for a company this big it is really suspicious that they haven’t been able to “optimize” the way the graphics are drawing CPU, I think a big chunk of that CPU usage is indeed helping the servers process less data.

@GADefence
I’m with you a 100%, but if you remember, GW1 was not exactly an MMO, their servers didn’t have the load that GW2 has, this very ambitious huge MMO is F2P, and they have to cut costs to be able to maintain that, either by having a small team (they always ask us to report botters, it seems we are the outsourcing they needed) and also by having less infrastructure to support the game, again, by making the clients process as much as they can usually before being vulnerable to hacks and modifications… it seems they went a bit too far on client processing.

I would gladly pay a subscription if it would help ArenaNet have a bigger team of people, better infrastructure and tools and erase the need to have the best stuff sit behind a cash store.

Suggestion: Create an optional subscription model, organize sales (50%+ and up) for subscribers and freebies every month, much like Sony PlayStation Network Plus.

Posted by: Jiggawattz.2697

How about a simple captcha system? I suggested this in an alternate post but unfortunately legitimate suggestions that seem too simple to solve this issue get deleted before they can be read and discussed. I used to have a huge respect for ArenaNet but they just keep sweeping everything under the carpet rather than handling it. If they spent half as much time working on anti bot anti hack measures as they did scouring the forums for people outing them on obvious in game crap, so they can hide it for publicity, this wouldn’t be an issue… this post in general probably won’t last much longer before it gets deleted like the rest. I am just fed up, I waited so many years for this game and put so much faith and support into Anet… and they are disappointing me at every turn, and when I ask them about it, they brush me aside in favor of keeping their visage clean. Of all the things I never considered them, it was inconsiderate of players.

Posted by: Fildydarie.1496

ArenaNet has a staff of over 250 world-class employees. They understand and follow best practices.

The client can’t wait for the server to approve an action before showing the user the effects. The user wants to get feedback in less than the time a round-trip to the server takes. Furthermore, neither the client nor the server can expect to receive data from the other (faulty channel problem). This means that both client and server have to operate on a good-faith system. The server will permit the client to do anything the client can legitimately do. At the same time, the client will assume the server will permit the actions it relays because it knows they are valid.

Enter the hacker. By manipulating the rules the client follows, they report data to the server in a manner where the server has difficulty detecting it is invalid. It is possible to move from one location to another, and it is possible to have a large speed buff. If the server receives no data for a short while, then is told the player is at a new location, it has no choice but to accept this as valid, because it is completely possible.

I’ve played games where the server strictly validated actions. If you activated a speed boost while moving, the server would bounce you back to the last known location because ‘you moved too far for your base speed.’ Entering water had a similar effect—you had to slowly walk into water, not run. If your connection started getting bad, you would be unable to perform any actions at all. There was a quarter-second latency between clicking a button and it being added to the command queue.

The game is reasonably secure and playable. Exploiters are being dealt with. This is like the best possible case, especially with a game that has been open to the public for 2 months.

-Fildydarie
Hutchmistress of the Fluffy Bunny Brigade [FBB]

Posted by: Fildydarie.1496

How about a simple captcha system? I suggested this in an alternate post but unfortunately legitimate suggestions that seem too simple to solve this issue get deleted before they can be read and discussed. I used to have a huge respect for ArenaNet but they just keep sweeping everything under the carpet rather than handling it. If they spent half as much time working on anti bot anti hack measures as they did scouring the forums for people outing them on obvious in game crap, so they can hide it for publicity, this wouldn’t be an issue… this post in general probably won’t last much longer before it gets deleted like the rest. I am just fed up, I waited so many years for this game and put so much faith and support into Anet… and they are disappointing me at every turn, and when I ask them about it, they brush me aside in favor of keeping their visage clean. Of all the things I never considered them, it was inconsiderate of players.

The problems you think are easy to solve are, in fact, not. Hacks and exploits are an arms race. The fundamental problem is that the hacks and exploits toe the line between valid and invalid commands. The client cannot be trusted (hacks exist because the client is compromised) and the server cannot determine the maliciousness of the data it receives, only identify it as valid or not. The more strictly commands are regulated, the more burdensome it is on legitimate players.

-Fildydarie
Hutchmistress of the Fluffy Bunny Brigade [FBB]

Posted by: Rufio.5648

@ Fildydarie
Nice response, thanks for adding to the thread.
I have a couple of questions though: if the server trusts what’s going on the client side, why do the most successful subscription-based MMOs not have this kind of game breaking exploits and hacks?

I’m a software engineer and I always try to set a ceiling and floor on stuff, for instance, if you have a rule that the most speed movement that can happen in the game is idk let’s say 15% then have your code so that even if they try to tamper with it, people with hacks will only get perma-speed but not above your ceiling.

This holds true with teleports and other buffs (infinite health, magic find, etc), I know the hacks with enough talent and time will come up with stuff that comes close to your preset boundaries, but at least they won’t go over them, the client should be able to tell that you can’t teleport long distances unless there is a waypoint there, and again, someone might come up with something to teleport to waypoints or stuff like that, but at least you are reducing the amount of possible hacks.

My main concern is the lack of transparency with ArenaNet. They show us shinies and talk about the upgrades and stuff, they are trying too hard to attract new players, but the most loyal players are already playing and have been following the game for 5 years; those of us are the ones that will probably still be here once the waters settle or another big MMO comes out. And to most of us playing the game right now the most important part is getting the bugs ironed out and stopping the hacks. Sure, botters will always exist, but have them inside your boundaries, then their damage done is way less.

Hack + bot + exploit + bugs = worst case scenario.
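An added illustration (not ArenaNet's code and not written by any poster in this thread) of the server-side "ceiling and floor" idea in the post above, and of the client-reported magicFindCoefficient exchange described earlier in the thread: the server derives magic find from its own records and bounds movement by elapsed time, crediting only a capped amount of silence so that a latency gap cannot be turned into a long jump. Every name, constant and waypoint here is hypothetical.

```python
import math
from dataclasses import dataclass, field

# Hypothetical constants for illustration; not values from any real game.
BASE_SPEED = 10.0          # world units per second
MAX_SPEED_BONUS = 0.15     # the "15%" ceiling used as an example in the post
MAX_GAP_SECONDS = 2.0      # longest silence credited as movement time
JITTER_TOLERANCE = 1.10    # slack so ordinary latency is not punished
MAX_MAGIC_FIND = 3.0       # server-side ceiling on the loot multiplier
WAYPOINTS = {(0.0, 0.0), (500.0, 500.0)}


@dataclass
class Player:
    pos: tuple
    last_update: float
    gear_bonuses: list = field(default_factory=list)  # server-owned records
    speed_buff: float = 0.0                           # granted by server only


def magic_find(player, client_claim=None):
    """Derive the multiplier from server state; client_claim is never used."""
    return min(1.0 + sum(player.gear_bonuses), MAX_MAGIC_FIND)


def validate_move(player, new_pos, now, via_waypoint=False):
    """Return (accepted, authoritative_position) for a reported move."""
    if via_waypoint:
        # Long-distance travel is only valid to a known waypoint.
        ok = new_pos in WAYPOINTS
    else:
        # Credit at most MAX_GAP_SECONDS of silence as travel time.
        elapsed = min(max(now - player.last_update, 0.0), MAX_GAP_SECONDS)
        speed = BASE_SPEED * (1.0 + min(player.speed_buff, MAX_SPEED_BONUS))
        ok = math.dist(player.pos, new_pos) <= speed * elapsed * JITTER_TOLERANCE
    if ok:
        player.pos = new_pos          # otherwise keep the last known position
    player.last_update = now
    return ok, player.pos


def demo():
    # Constructed sample session, not captured traffic.
    p = Player(pos=(0.0, 0.0), last_update=0.0, gear_bonuses=[0.2, 0.3])
    moves = [
        validate_move(p, (10.0, 0.0), now=1.0),      # ordinary run
        validate_move(p, (400.0, 0.0), now=1.5),     # jump far beyond budget
        validate_move(p, (500.0, 500.0), now=2.0, via_waypoint=True),
        validate_move(p, (700.0, 500.0), now=60.0),  # long silence, capped
    ]
    return moves, magic_find(p, client_claim=5.0)
```

A rejected move returns the last accepted position, which is the "bounce back" behaviour Fildydarie describes; the tolerance and gap cap are the knobs that trade strictness against burden on players with poor connections.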

Posted by: Jiggawattz.2697

The problems you think are easy to solve are, in fact, not. Hacks and exploits are an arms race. The fundamental problem is that the hacks and exploits toe the line between valid and invalid commands. The client cannot be trusted (hacks exist because the client is compromised) and the server cannot determine the maliciousness of the data it receives, only identify it as valid or not. The more strictly commands are regulated, the more burdensome it is on legitimate players.

A captcha system is server side, meaning it would rely on their web server, in which case a “hacked” client would not be able to forge it because it required human input. This system has been used effectively in so many games. Also I do not believe hacking and botting is easy to solve, I know it is troublesome, and even with the captcha system in place it would be a modest decrease in cheating. That being said I am outraged not by the botting, but by the effort, the non stop effort put behind covering things up while the problem itself has had little effort put into it at all. We have seen one security update since the game started, and it failed to do anything effective. At least they tried, but one security patch in over a month of release on something that should have never been possible in the first place is horrible. I know there are problems that are not easy to fix, that is why I am frustrated that there has been so little attention to them. There has been more attention put into covering them up, than fixing them.

Posted by: wildcode.5403

All they need to do is use encrypted network data, this will fix bots that either proxy or sniff/inject network data. From YouTube the bots appear to sniff network data and inject keyboard input into the computer’s system. So encrypt the data, bot can’t decipher network packets, better for us all. I have seen bots for other games use a similar method, sniff the network data and input key strokes/mouse actions into the system. Again encrypted network data would have killed any of those bots. If you do a unique server-given key for each session, it makes it even harder to “hack”, and if client gives “garbage” back to the server you could have the server kick the client and maybe send a mod/dev alert if it keeps happening.

Posted by: Fildydarie.1496

Fellow software engineer, didn’t expect that.

A lot of other MMOs do have this problem, but the problem has grown more and more severe as the market becomes more and more profitable. Where you find money, so too will you find corruption. GW2 is the latest MMO, and as a new game it was bound to have both bugs and players desperate for in-game superiority. It is a high profile target, not necessarily a flawed one.

I agree that the input validation needs work, but until you’ve been attacked, it is hard to know exactly how an adversary will attack you. All the analysis in the world isn’t proof. When you combine that with needing tolerance for production-level network activity (with network activity being measured in millions of simultaneous users), erring on the side of caution does not penalize legitimate players when things fall outside your thresholds. As you learn more about the real operating environment and the threats being presented, you close the gaps.

I don’t believe in the infinite health and magic find hacks. These are a scam to get people to install keyloggers and/or backdoors. Remember, ANet is serious about account security and stopped most of the account-targeted attacks already, so the scammers need a new set of tools to get them. I remember a friend, way back when, asking why a hack program wasn’t working. The answer was because it was actually a well-known trojan, not a hack program.

I find it hard to criticize lack of transparency when I’ve never worked for a company that was comfortable discussing potential vulnerabilities of live systems. The other side, discussing solutions, I see as an offshoot of the rapid iteration and ‘when it is done’ methodology. Why talk about something that might not pan out after being implemented?

Both ANet and the botters are ramping up.

-Fildydarie
Hutchmistress of the Fluffy Bunny Brigade [FBB]