
Monday, June 3, 2013

It's Never Just About the Lulz

Tranquility is back online. The Internet gank perpetrated by LulzSec (EDIT: or whoever, I used LulzSec because they've done it before though they are currently status unknown - however a whole book could be written on that assumption) has been stopped. Entertainment at our expense is over. But was it ever about just entertainment?

I've been an IT professional for two decades, since my first career crashed and exploded. Over time I have earned many security credentials. As all good white-hats do, I've delved into the dark side of my profession. As Sun Tzu admonishes,
"If you know the enemy and know yourself you need not fear the results of a hundred battles."
What I have learned is that such attacks are never done simply for lulz. Lulz are not enough. To make such an effort requires a real pay off. But it does not surprise me that (EDIT: groups like) LulzSec (EDIT: that last for those who can't read between the lines) would want us to believe otherwise. Sun Tzu also states,
"All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near."
These folks are smart; in some ways probably smarter than I am - or at least more devious. I am sure they too understand the Art of War. So it was also no surprise to me to find this paragraph in CCP's official statement on the DDoS attack.
"What we can now confirm is that a person was able to utilize a vulnerability in one of the back-end services that support the operation of the Tranquility server."
So the point of the DDoS was to cover the attempted hack of a zero-day vulnerability in the CCP back-end. That's confirmation in this business that it never was about just lulz, though I'm certain a few were had by someone. But I have a more important question burning in the back of my brain. Why the attempted hack in the first place? That's a helluva escalation. Escalation of what, you ask? The war on bots is what.

My experience with black-hats tells me it always boils down to money. When it comes to online gaming, the illicit money is in RMT. The people who write the bots that gather the ISK know enough to wear black-hats if they so wished. Did they wish to at this time? I can't help but think this might be an indication of some desperation in that camp. If true, it's a brazen escalation of the current war on bots. Still, it was inevitable I believe.

The new login system can only have one purpose to my professional eye. It's yet another weapon in the anti-bot arsenal. If it's now more difficult to log in as a thinking human, you better believe it's even more difficult to automate. I see the new launcher as a successful means to that end. By separating the login from the client, it requires two dissimilar sets of code to manipulate. It is, in effect, two-step authentication. You must log in and you must have a valid client. Client checking is now done at stage one, the login. We already know CCP has ways of detecting an altered client. Before the client even starts, it must be valid. There is no hacking the client to intercept the result and alter it. Open DNS error returns on launcher failures lead me to believe (it's a job thing) any attempted manipulation of the new launcher would be far more detectable than the older client. It's double jeopardy. Touché CCP.

I can easily believe the bot masters would do just about anything to access the code for this system. If I were them, I'd want to know exactly how it worked - or have a way around it. Is that what happened here, an attempted end run? I'm sure there are those who really know but I am only making conjecture. Still, it's what I would do if I wore a different color hat. I think skirmish one goes to CCP. But make no mistake, this was only one battle. The war is far from over.

Fly Careful


  1. At one point while it was happening the Launcher's password text box and some text nearby was in Russian, while the rest of the launcher was still in English.

    1. My feeling is that was probably shaky error handling code in the launcher itself. It really is still a work in progress. Of course, I didn't actually translate the words to see if they were equivalent to the English I normally see or something more onerous.

  2. I wouldn't be surprised if you were on to something. I do know that some bots are having issues with the launcher, but they are using the same workaround that regular players are: launch from the exe file itself. That still works.

    It doesn't necessarily have to be an established RMT shop. You may have heard of a Chinese hacking group dubbed Winnti by the cyber-security firm Kaspersky. Apparently they recently did a number on Trion & Nexon, among others. I wouldn't be surprised if it was these guys.

    I do have to admit that when I first heard the news of the DDoS the first thing I thought is, "who did Stillman and Peligro nab now?"

    1. I hadn't considered Winnti. Then again, the Chinese hacking community often violates the "follow the money" rule. But to be honest, I am reluctant to start pointing fingers. That's why I used the outdated LulzSec name as the "insert suspicious hacking group here" placeholder. I just didn't make that apparent enough from a couple of unpublished comments I got. I know just enough about some of these groups to know I don't want them mad at me - period. The Mafia only kills you if you cross them, if you follow my drift. Fortunately I don't have a multi-million dollar gaming company to defend.

  3. I suspect you may be right and it may have been more of a protest than an actual 'attack', as an 'attack' would need to have a purpose and I'm sure anyone running a DDoS attack knows that it's only going to affect things for a short while before the loophole is fixed and things go back to normal.

    I believe that some of the changes to ore (i.e. low & null being much better now), tags4sec in belts (to increase player visits) and ice going into exploration sites that need to be scanned are all attempts to make life much harder for bots, as they would either need to be re-written to cope with the new mechanisms or simply be more under threat than before due to the increased interest in ore belts (due to tags & better yields) and therefore more likely to pop simple mining bots.

  4. You see, my theory was that it was the Minmatar militia hacking to stop the Amarrian steam roller from taking all of their systems.

    But now, with my tin foil hat firmly on my head: Amarr started winning when the new launcher, well, launched. Kind of wish I had kept better track of the dates. Maybe the common joke of LP bot farmers wasn't quite so far fetched?

    Amarr are still outnumbered, according to the stats page. Just wondered how many Minni players are actually logging in these days?

    Note: Not to say the Minmatar militia is bad at PvP. As a crusade pilot, I can only count my kill list as 'nearly one', so I'm in no position to assess skill. And, well, *adjusts tin foil sombrero* don't take anything I say too seriously...

    And the captcha just came up 'rtheyalt'. Spooky.
