CCP's War On Bots: Don't Get Cocky

"Great, kid.  Don't get cocky."
- Han Solo

Last Saturday’s CSM Town Hall meeting touched on many subjects important to the Eve community.  Unfortunately, in my opinion, security in general and the war on bots and the illicit ISK trade in particular was not one of them.  I can think of a lot of reasons that the CSM didn’t discuss security issues.  Perhaps CCP Sreegs is about to come out with a security blog giving everyone an update on events since the Spring Summit.  Maybe, unlike real world politicians, the CSM actually cares and understands about operational security and doesn’t want to give the bad guys any actionable intelligence.  Or perhaps the CSM looks at Team Security’s success so far and believes the War on Bots is essentially over and CCP won.

Browsing the botting forums I get the sense that the shock and awe of CCP Sreegs’ spring offensive has worn off as botters have figured out the behavioral parameters of Team Security’s detection algorithm.  Or maybe not.  Here are some recent forum posts.

5 August 12

LoPhatMelk (Eve Miner) - "Well that didn't take long... I've used this bot maybe a week to two weeks and already both accounts are banned. Pretty conservative use with safe boting practices, good thing I only paid for 1 month trial of this bot..."

markbt (Eve Miner) - "Also received today a ban, a new character, just two weeks. The bot worked 8 hours a day with three breaks ... Assets confiscated when a ban for macros? I had assets more than 15kkk ("

LoPhatMelk (Eve Miner) - "Yea I'm negative 220kk between my 2 accounts... which is BS because I know I didn't make that much when botting..."

10 August 12

Armadillo11 (Questor) - "Been banned on my 3 accounts for 14 days, only 1 was used for botting though.  Ran it for 12-23h (shouldn't have, i know..)."

15 August 12

Sollo (Eve Trader) - "This is about the 3rd time I've been banned. My first char was banned twice for macro use even though I use custom timers and delays. Custom log off times that i change daily with more than 10-12 hours of bot downtime. And I don't trade high volume items. Maybe items that sell 3 or 4 a day at the most on average. After the first char had been banned twice I created a new account new VM machine the works with even slower bot speed using all custom delays and timers and changing them daily. Lasted about a week before it received a ban."

Also, remember all the talk about how the mining ship changes that came out in Inferno 1.2 on 8 August were a boon to bots?  The changes caught at least one botter by surprise...

18-19 August 12

justaminer (Eve Miner) - "Wait, what? Did something happen that made Hulks worse than retrievers? I still mine using several clients in a fleet (all hulks, not using jetcans) and all hulks."

ComalDave (Eve Miner) - "Retrievers now have a large ore hold that takes 30 minutes to fill. Hulks have a small ore hold that takes 7 minutes to fill. The Retriever spends more time mining and less time travelling back and forth from the station. Mining vessels are no longer made out of tissue paper and tin foil so it is much safer to mine now."

justaminer (Eve Miner) - "How long has this been true for?"

meloncholy (Eve Miner) - "Almost 2 weeks ago."

I wonder how much money I would make if I could write a bot to read Eve patch notes for botters?  But the mining barge changes seem to be a big hit with the botting community.  Well, those that know about the changes anyway.

But while bot users are stumbling around making me laugh, bot developers are getting their acts together and fighting back.  With the use of VMWare flagging botters for attention, a new application, Red Guard, is becoming popular with some botters looking to protect their main account when CCP catches botting activity on other accounts.  Perhaps more importantly the bot devs have managed to obtain some of the code CCP is using to detect python injection.  One bot dev posted the code and suggested countermeasures on the Public Demands forums.  The post on the Public Demands led to this amusing exchange on the Questor forums:

9 August 12

Da_Teach (Questor dev) - "So far its only half-assed checks, but I'm sure that'll change."

aziz001 - "so for now better stop using Q or not? i know we are always in danger, but seems now we are more in danger than early?"

Da_Teach (Questor dev) - "Yes, you are all going to get banned, once your banned, CCP will call up your internet provider and get you disconnected and CCP will claim your first born baby."  

"Or, if your scared about getting banned, you shouldn't be botting in the first place..."

I wasn't aware that CCP Sreegs had changed the penalties for botting, but I often see the sentiment among botters that if you bot you will eventually get caught.  The other important piece of information from this exchange is that Team Security is now making efforts to go after bots using python injection and that one prominent bot developer expects that effort to become more sophisticated over time.

I think Team Security has finished picking the low-hanging fruit in the War on Bots™ and are now going after harder stuff.  The current efforts have generally suppressed bot use from 23 hours a day down to 8-10 with built-in breaks during that time.  Now CCP Sreegs' strategy appears to have moved onto detecting injection bots, a long time irritant to CCP.  Of course, that is harder to do and Team Security will suffer setbacks because bot developers will not just sit back and let CCP take their income stream from them.  But at least now we know the battle has commenced.