Cue The Raph Koster Quote: Today’s Eve Drama
The source code for the Eve Online client has apparently leaked out to the Internet.
Reports are being posted that CCP is seeding most of the torrent themselves, then using the IP addresses of those who download the client’s source code to ban Eve Online accounts.
Based on this official comment and this Slashdot comment, it’s decompiled Python source, and not an actual full source code leak. Which would make CCP’s permabanning torrent seeders somewhat… draconian. I’d have to wonder how much of the game client, outside of the UI, would actually be coded in Python anyway.
(Not posting a link to the actual torrent – if you’re into that sort of thing it should take you all of 10 seconds to find, anyway.)


..in the hands of the enemy.
Unfortunately, the alluded Laws’ homepage has been taken over by domain squatters. C’est la guerre…
Am I the only one that became interested in this only after they heard CCP was banning people? There must be something exciting in the source!
I hear the player politicians are going to stage a coo. Yes, I have no clue how to spell coo.
Goedel, I doubt it’s anything exciting. It’s more a half baked honeypot in my conspiratorial eyes.
“Who’d download our source code? Hackers, the competition, people looking for exploits… what do those people have in common? Why they’re people we don’t want playing our game of course! Let’s leach a ‘copy’ of the source code to the net and see who downloads it…”
…what?
It’s what I’d do if I was an evil MMOverlord. Of course the thing you’d download wouldn’t be Eve sourcecode, but a program designed to make your computer open Timecube in your default browser (and Internet Explorer) three times a second. Oh and you’d be banned too. For kicks.
With any luck though, it’s just a stupid mistake that at best will mean people customise the client to their liking without generating anything exploitative, ushering a new age of expression and playstyles in Eve. Assuming they’re not, y’know, banned from it first…
Unfortunately, the alluded Laws’ homepage has been taken over by domain squatters.
Or he just didn’t pay his bill. Which is it?
You mean this page?
http://www.raphkoster.com/gaming/laws.shtml
Interesting. Searching google for “koster laws” (no quotes) gives that link as the first result, and yet clicking it brings up (for me) a domain squatting search page. Clicking that link from here brings up your site.
I can’t see anything in the google results HTML that would make that so; fooling around with referers (sic) via HTTP directly leads to enlightenment:
$ dig +short www.raphkoster.com
raphkoster.com.
69.89.31.158
$ nc www.raphkoster.com 80
GET /gaming/laws.shtml HTTP/1.1
Host: www.raphkoster.com
Referer: http://www.google.com/search?hl=en&client=safari&rls=en-us&q=koster+laws&btnG=Search

HTTP/1.1 302 Found
Date: Tue, 15 Apr 2008 03:41:23 GMT
Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8g DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Location: http://www.ezwebdirectory.net/search.php?q=koster+laws
Content-Length: 418
Content-Type: text/html; charset=iso-8859-1
…page snipped…
You might have a chat with your hosting provider about redirects, pronto.
Confirmed, for any google search resulting in a return from Raph’s website (Metaplace, Raph’s name, etc.). It’s probably a leftover from spammer hijacking that he referred to in a post earlier. Dropping him a line on how to deal with it.
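A defender-side check for the behaviour shown in the session above, as an added example that is not part of the original comments: it requests the same URL with and without a search-engine Referer and flags an off-site redirect that appears only in the second case. The function names and `constructed_fetch` (a stand-in that mimics the quoted response so the block runs offline) are assumptions.

```python
import http.client
from urllib.parse import urlsplit

# Referer from the session quoted above (query string shortened).
SEARCH_REFERER = "http://www.google.com/search?hl=en&q=koster+laws"

def fetch(url, referer=None, timeout=10):
    """One GET, redirects not followed. Returns (status, Location or None)."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=timeout)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    try:
        conn.request("GET", path, headers={"Referer": referer} if referer else {})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def _base(host):
    """Treat www.example.com and example.com as the same site."""
    return host[4:] if host.startswith("www.") else host

def check_referer_cloaking(url, fetch=fetch, referer=SEARCH_REFERER):
    """Compare a direct request with one claiming to arrive from a search result."""
    own = _base(urlsplit(url).hostname)
    direct = fetch(url)
    via_search = fetch(url, referer)
    status, location = via_search
    # A relative Location has no hostname and therefore stays on-site.
    target = urlsplit(location).hostname if location else None
    off_site = (300 <= status < 400 and target is not None
                and _base(target) != own and not target.endswith("." + own))
    # Only a redirect that differs from the direct response counts as cloaking.
    return {"direct": direct, "via_search": via_search,
            "cloaked": bool(off_site and via_search != direct)}

def constructed_fetch(url, referer=None):
    """Constructed stand-in reproducing the quoted 302; no network needed."""
    if referer and "google." in referer:
        return 302, "http://www.ezwebdirectory.net/search.php?q=koster+laws"
    return 200, None

if __name__ == "__main__":
    page = "http://www.raphkoster.com/gaming/laws.shtml"
    print(check_referer_cloaking(page, fetch=constructed_fetch))
```

Run against your own site by leaving `fetch` at its default; a result with `cloaked` set means visitors arriving from search results are being sent somewhere that direct visitors, including the site owner, never see.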
It’s ‘coup’. Or coup de tat, if you want to be formal.
Ahh, Eve – all PvP, all the time. Even when you aren’t playing.
Seeding a bogus torrent and then banning the downloader IPs is basically entrapment, no?
http://en.wikipedia.org/wiki/Entrapment
Frankly CCP seems to be competing with SOE for the “Douchebag EVIL company” awards.
The redirects should be fixed.
And this hack is getting very annoying… seems to be rather hard to expunge it.
I’ve posted some of the steps I have had to take thus far on the blog, in case anyone else is affected.
Or “coup d’état”, if you want to be both formal and correct
CCP pushing TOS/EULA to the limit, it might end up getting tested in courts and thrown out for the entire industry.
After all they are banning for out-of-game activity by using out-of-game detection methods without even establishing game-related uses. As a result they will have to use ‘because we can’ clause opening for damages counter-claim. I am not a lawyer, but this sounds like Bad Idea all around.
It’s possible they are seeding rumors that they are banning downloaders to try to curb the downloads. That said it seems like it would be pretty easy to go through a proxy or download it from a third party.
Scott,
From what I’ve read, all of the code written by ccp is python. There are some external libraries written in C, but the interface to those is wrapped in python. In addition, a couple pretty bad exploits have already come up due to shellexec calls in the python code.
Let’s just say don’t click on any links in the game.
Seeding a bogus torrent and then banning the downloader IPs is basically entrapment, no?
In the technical sense, yes; in the legal sense, not really. That is, I doubt very much that anyone who was banned for downloading could get their account back by protesting that they were entrapped.
“Entrapment” is a legal defense for a criminal charge. It is only something that the government can’t do — a private company is free to bait people into downloading a torrent and then ban them for it.
a private company is free to bait people into downloading a torrent and then ban them for it.
I’m not a lawyer, but is the RIAA allowed to seed MP3 torrents on Piratebay and then sue the downloaders? If that is permissible, then the law is an ass.
IMHO, seeding a torrent is implied endorsement of the said torrent – IMHO of course, with no legal foundation on my part.
I’m not a lawyer, but is the RIAA allowed to seed MP3 torrents on Piratebay and then sue the downloaders? If that is permissible, then the law is an ass.
Benjamin Duranske is a lawyer so I guess he knows what he’s talking about here. It’s really no different I guess, it’s not like you weren’t doing something wrong by illegally downloading stuff.
CCP issued an official statement about the sourcecode sometime yesterday. Since you have to be logged in with your eve-account to read the whole thing, I’ll repost it here.
**EVE CLIENT SOURCE CODE
reported by CCP Wrangler | 2008.04.15 17:09:53 | NEW
We are aware that an individual claims to have access to the source code of the EVE client, but this access is not a security risk to CCP or our customers in any way. The Python scripting language that is used by the client can be easily decompiled to generate readable code, and we have designed our server-side systems with that understanding. Therefore, there is no reason to believe that the code was leaked by an employee and our internal investigations confirm that.
Access to the source code for the EVE client exposes no security vulnerabilities, has no privacy protection issues, and poses no threat to our customers’ billing information. The server-side interface used by the client is carefully protected to ensure that no abusive or unwanted information is transmitted to or from the EVE system.
Nothing the EVE client can do can affect the game state, a manipulated EVE client cannot affect the server, no advantageous or disadvantageous information can be transmitted to other EVE users by altering the EVE client. The EVE client is signed with a security certificate registered to CCP. Hashes are available on our web site for those who wish to ensure the integrity of EVE client download files they may have received from a source other than direct download from CCP’s web site.
Finally, there have been no mass bannings, as reported in some news articles, though we do remove all message board posts regarding violations of our EULA and Terms of Service as per standard policy and procedures. We consider any alterations of the client software, including decompilation, or discussions thereof, to represent such a violation.**
@Benjamin Duranske
But then a private company can ban for anything it wants, says so right in the EULA. My question is (and I’m actually asking) is can a company bring civil or criminal proceedings against someone given the above scenario of seeding a torrent for the expressed purpose of catching downloaders of said torrent?
@Makaze
I think any answer to that question is speculation. I don’t believe there has been a ruling.
@Makaze – oddly, the Eve TOS and EULA documents are among the very few user agreement packages that actually don’t say that the company can ban users for any reason or no reason at all, at least not that I could find.
http://www.eve-online.com/pnp/terms.asp
http://www.eve-online.com/pnp/eula.asp
That doesn’t mean much though, they still can — just like any private company can refuse service to (basically) anyone they want to, for (basically) any reason at all.
Re: your question, the criminal proceedings part is tricky, because companies can’t really bring criminal proceedings, they can just complain to law enforcement about something. And law enforcement, typically, isn’t all that excited about cases with what amounts to manufactured evidence. There’s no easy answer though — it isn’t illegal for a company to run a “sting” operation like that, and if they got a really zealous prosecutor on it, you never know. I haven’t heard of even the RIAA getting anyone brought up on criminal charges though — there’s a point where even the stupidest company realizes it’s going to anger too many potential customers, I suspect.
In terms of a civil suit, I don’t really see why they couldn’t, though like “harl” says above, there definitely hasn’t been a case directly on point re: torrents (also, aren’t all of the suits directed against torrent seeders/hosts, not downloaders?) But there just isn’t any prohibition against “civil entrapment” that I can find. I suppose it’d be no different than a woman hiring an attractive female investigator to get her cheatin’ hubby on the record hitting on a stranger, and then using the information in a divorce proceeding — which, at least in states where fidelity can play into the division of assets or custody — happens periodically. Like here with this charming company, that appears to base its entire business on the practice — http://www.matecheckpi.com/ .
That press release seems to be blatantly lying in one sense. The code does reveal the in game browser is a huge security hole for the clients. The code can’t be used to mess with the server or make an enhanced client, but it’s also not as pristine a situation as they’re saying.
Banning accounts by download IPs? That has to be the most ineffective enforcement mechanism I’ve heard of in years. Jesus I’ve got three open Wifi connections leaking into my house from my neighbors. I’m sure the 50 year car salesman next door is going to be pissed when he finds out the wonders of EVE are now closed to him.
@Benjamin Duranske
Thanks. That’s pretty much what I assumed on the criminal side and what I was afraid of on the civil side. I didn’t really expect there to be a specific torrent example but I’m surprised that the over arching concept of civil entrapment doesn’t have a specific precedent yet.
I do not think they banned people according to the client addresses leeching the bogus torrent. I presume the tech staff at CCP knows very well that IP addresses are assigned to most DSL users dynamically, so the entire plot is utterly pointless. Which leads me to the conclusion that the statement of banning users according to their IP addresses has been fetched out of thin air.
Nonsense.
Explanation: at least in Germany (and most likely in most other countries) a DSL router is being dynamically assigned a public IP address once it connects. The actual address comes from a pool of IP addresses available to the provider. Every 24 hours the line gets disconnected only to be immediately reconnected by the user’s router. It then is being assigned a different IP address from the pool mentioned above. Some users prefer to have a static IP address assigned, but that costs extra and so not many of these accounts are around. And it isn’t difficult at all to get oneself assigned a new – different – IP address.
@DeltaTango – Providers keep records of the IP addresses assigned to accounts at specific times, and a subpoena can (and has, see the Eros v. John Doe case) dislodged identities associated with IP addresses.
That said, what EVE is probably doing (since it hasn’t had time to run through the legal proceedings, which involve filing a lawsuit first, and still take months) is match up IPs at login with IPs at download. If there’s a match, there’s a pretty high likelihood that it’s the guy, and if not, so what? The odds on the guy who had the address a few minutes ago also being an EVE player are so low that they just take the chance.
@Benjamin: while you might be right from a legal point, I still don’t think this is viable. First — as you’ve already pointed out — it takes a lot of time and effort. Second: this applies mainly to US laws. IANAL and I do not know which countries have similar laws.
And I don’t think you get a subpoena only to ban someone from your game (correct me, if I’m wrong, I do not know much about US laws). I very much presume you have to try to sue them for — maybe — copyright infringement or for unlawfully decompiling stuff (would that fall under DMCA?). And there wasn’t any mentioning of suing people.
Anyway, we will see what happens. I bet nothing at all, as there might be no real potential for exploits with the decompiled client. I very much suspect EVE would already be an exploiter’s paradise for years if there was considerable potential for misuse, because it is hardly imaginable that this hype is the first time that the idea of looking under the hood of the EVE client occurred to some evildoer.
@DeltaTango – you are absolutely right about that, you can only get a subpoena (which has to be signed by a judge) in an active lawsuit. My point is only that ISPs do keep these records, so it’d be theoretically possible.
That’s not what EVE is doing here though. If they’re really doing it at all, they’re just matching download IP addresses with user IP addresses (which they have) and that is definitely a bit chancy. Like you said, we’ll see. It’ll be interesting to see how this plays out.
More to the point I live in the US and my IP address changes about two or three times a year, so it’s not totally unreasonable to ban the IP addresses you find in some cases. Not to say that it isn’t totally unreasonable in the other sense though.
To expound upon this, and since we’re talking about torrents, there was an old private tracker I was a member of that had a rule that you were locked into your IP for six months and were only allotted 3 IPs at once. No one complained about this rule, so I must assume it was a non-factor for most people. Given I believe most of us were American or Canadian.
IP banning can be perfectly matched to accounts, other than multiple machines hiding behind a router/NAT. Dynamic doesn’t matter if the logs say that at the same time I’m sending a file to you, you are also logged into my server.
@delta tango : I can’t find the link right now, but didn’t “c’t” (“serious” IT mag for the German-speaking world) report approx. a year ago that just that (first seed, then sue) has already been done by exponents of the German copyright protection … ehm … industry?
@Benjamin
Thanks for offering your experience and understanding to us.
At least in the U.S., I think what you mean by “basically” is that there are some exceptions. I am under the impression that I can’t refuse to sell cigarettes to women or African-Americans at my convenience store, for example. IANAL, so I could be totally wrong. But is this set of exceptions a problem for MMO companies who want to apply very broad and (sometimes) arbitrary rules to who gets to play their game?
@ Axecleaver – Yeah, there are some exceptions (hence, “basically”) and they usually involve protected classes like race, gender, etc. I’m not a constitutional expert, but if memory serves, the key is the extent to which the private action (e.g. your c-store selling cigarettes only to white men) is tied up with government action — because the Constitution prohibits the government from discriminating on a variety of protected grounds. If I remember right (and this has been a while) courts have been pretty good at ferreting out reasons to say that private companies can’t discriminate, but a few things have remained untouchable (e.g. golf courses that still don’t let women play).
That all said, “people who are stealing intellectual property” isn’t a protected class anyway, so Eve can do whatever it wants to, to the degree the market tolerates it.