
EVE Online Source Code Leaked; CCP Denies Vulnerability

Tue, Apr 15, 2008

Analysis, News

The gaming web as a whole (but Dream Not Of Today in particular) is reporting that the Python-based source code for the spacefaring persistent-world MMO EVE Online has been leaked via BitTorrent. CCP has released statements attesting to continued security, but parts of the MMO community beg to differ.

If you venture over to that bastion of completely legal nefarious activity, The Pirate Bay, you’ll find a link to the torrent (boasting over 230 seeders as of 10:50AM PST) and what is reportedly a full chat conversation in which the torrent creator, “Abuser,” rails against a CCP rep by the handle of [IA]Morpheus, apparently to obtain a list of game vulnerabilities and official CCP promises to fix them.

While there’s no mention of how Abuser obtained the code, it appears the leak was intended to provoke CCP into taking action. And it appears they have — just not the action Abuser was looking for. Now, commenters at The Pirate Bay and Slashdot are reporting that those who seed, or even merely download, the source code are having their IPs banned from EVE indiscriminately, and rumors abound that posts on the official EVE Online forums related to the leak are being deleted as well.

CCP’s Ryan Dansey denies any vulnerability; responding to Slashdot comments, he says the code “is not a security risk to CCP in any way.”

CCP does not believe in security by obscurity. The Python scripting language that is used by the client can be easily decompiled to generate human-readable code, and CCP has designed its server-side systems with that understanding. Access to the source code for the EVE client exposes no security vulnerabilities, has no privacy protection issues, and poses no threat to our customers’ billing information. The server-side interface used by the client is carefully protected to ensure that no abusive or unwanted information is transmitted to, or from the EVE system.

Nothing the EVE client can do can affect the game state, no advantage can be gained by manipulating the EVE client, no advantageous or disadvantageous information can be transmitted to other EVE users by altering the EVE client. The EVE client is signed with a security certificate registered to CCP, and hashes are available on our web site for those who wish to ensure the integrity of EVE client download files they may have received from a source other than direct download from CCP’s web site.

But if that’s the case, why is CCP quashing this leak so thoroughly? According to Slashdot user rsmith-mac, availability of the source code could trigger a variety of unwanted gameplay repercussions that have nothing to do with the servers.

1) Since the client logic is in Python, introducing new logic is a matter of injecting new Python code into the game. It turns out this is very easy to do right now; there are several ways, including using the telnet server the client runs so that CCP can upload code to the client computer when it connects.
2) The big concern is bots. EVE can be botted, and this is a problem like any MMO.
3) The other big concern is that the EVE client knows far more than it shows, a problem for a PvP game. It is possible to hack the client to the point where it will tell you exactly who and what entered a system you are in, and where they are at all times.
4) It’s also possible to disable the client’s “anti-addiction” code required to meet China’s MMO laws. Apparently the server isn’t actually booting players; it’s telling the client to disconnect. The Chinese government is going to love that one.
5) Finally, the game has a custom-made built-in web browser (the In Game Browser) that’s extremely cruddy and isn’t used very much. It’s also so cruddy that it’s holier than the Pope himself; it’s possible to craft links to induce it to execute external applications and web browsers. Basically, with a little social engineering you can trick people into letting you compromise their machine.
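Points 3 to 5 above share one lesson, and it is the one that matters for CCP’s “nothing the client can do can affect the game state” claim: any rule enforced by code running on the player’s machine can be removed by a player who can edit that code, so visibility filtering, session limits and link handling have to be decided on the server or at the trust boundary. The Python sketch below is an added illustration for this article; it is not CCP’s code, is not derived from the leaked client, and its world state, sensor range, session cap and sample URLs are constructed values chosen to make the contrast visible.

```python
"""Three client-side trust failures and the server-side fix for each.

Added illustration (not CCP code, nothing from the leaked client). World
state, sensor range, session limit and URLs are constructed sample values.
"""
import socket
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Ship:
    pilot: str
    x: float
    y: float
    cloaked: bool = False


# Constructed sample: everything the server knows about one solar system.
SYSTEM_STATE = [
    Ship("viewer", 0.0, 0.0),
    Ship("nearby_hostile", 30.0, 40.0),                 # 50 units away: in range
    Ship("far_hostile", 900.0, 0.0),                    # far outside sensor range
    Ship("cloaked_hostile", 10.0, 10.0, cloaked=True),  # close, but hidden
]
SENSOR_RANGE = 100.0            # assumed sensor radius, same units as x/y
MAX_SESSION_SECONDS = 3 * 3600  # assumed play-time cap


def visible_to(viewer: str, state, sensor_range: float = SENSOR_RANGE):
    """Point 3: filter on the server, before serialization.

    A client can only leak what it was sent. If the server ships the whole
    system and relies on the client to hide out-of-range or cloaked ships,
    a patched client simply shows them. Returns the pilots the viewer may see.
    """
    me = next(s for s in state if s.pilot == viewer)
    visible = []
    for s in state:
        if s.pilot == viewer or s.cloaked:
            continue
        if (s.x - me.x) ** 2 + (s.y - me.y) ** 2 <= sensor_range ** 2:
            visible.append(s.pilot)
    return visible


def client_side_limit(elapsed: float, limit: float = MAX_SESSION_SECONDS):
    """Point 4, the weak design: the server only *asks* the client to leave.

    The returned message is advisory; a client patched to drop it keeps
    playing. Shown for contrast with enforce_limit_server_side().
    """
    return {"cmd": "disconnect"} if elapsed >= limit else None


def enforce_limit_server_side(server_sock: socket.socket, elapsed: float,
                              limit: float = MAX_SESSION_SECONDS) -> bool:
    """Point 4, the fix: the server tears the connection down itself.

    A client can ignore a message; it cannot ignore a closed socket.
    Returns True when the session was cut.
    """
    if elapsed < limit:
        return False
    try:
        server_sock.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass  # peer may already be gone
    server_sock.close()
    return True


def demo_disconnect():
    """A connected socket pair stands in for server and client: the client
    side sees EOF (b'') once the server closes, with no chance to refuse."""
    srv, cli = socket.socketpair()
    cut = enforce_limit_server_side(srv, elapsed=MAX_SESSION_SECONDS + 1)
    seen_by_client = cli.recv(16)
    cli.close()
    return cut, seen_by_client


SAFE_SCHEMES = {"http", "https"}


def is_safe_browser_link(url: str) -> bool:
    """Point 5: allow-list the scheme before handing a link to the OS.

    An embedded browser that passes arbitrary URLs to the platform's
    open-URL facility lets file:, javascript: or a registered custom
    protocol handler start a local program. Accept only http(s) with a host.
    """
    try:
        parts = urlparse(url)
    except ValueError:
        return False
    return parts.scheme.lower() in SAFE_SCHEMES and bool(parts.netloc)


if __name__ == "__main__":
    print("visible to viewer:", visible_to("viewer", SYSTEM_STATE))
    print("client merely asked to leave:", client_side_limit(MAX_SESSION_SECONDS))
    print("server cut session, client saw:", demo_disconnect())
    for link in ("https://example.com/killboard", "file:///C:/evil.exe",
                 "javascript:alert(1)", "custom-handler:run"):
        print(link, "->", "open" if is_safe_browser_link(link) else "refuse")
```

The three functions are deliberately independent of any game protocol: the point is where each decision is made, not how the data is encoded. Whether the real EVE server already filters state this way is exactly the question the rest of this article leaves open.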

CCP’s official statement at the EVE Insider forums (EVE players only, sorry) mirrors Dansey’s earlier denial of potential for harm, but adds that “there have been no mass bannings.” If true, it must be because the chilling effect has done the work for them: EVE Community Manager CCP Wrangler is on record saying that “Anyone found distributing or discussing decompiled client code will face an in game ban.”

We’re currently pursuing the validity of client-side vulnerabilities, so watch this space for an updated report. If any of you fine readers happen to be Python programmers, we’d love to hear your thoughts in the comment section below.


This post was written by:

Sean Hollister - who has written 586 posts on GameCyte.

