Wednesday, August 22, 2012

CCP's War On Bots: Don't Get Cocky

"Great, kid.  Don't get cocky."
- Han Solo
Last Saturday’s CSM Town Hall meeting touched on many subjects important to the Eve community.  Unfortunately, in my opinion, security in general and the war on bots and the illicit ISK trade in particular was not one of them.  I can think of a lot of reasons that the CSM didn’t discuss security issues.  Perhaps CCP Sreegs is about to come out with a security blog giving everyone an update on events since the Spring Summit.  Maybe, unlike real world politicians, the CSM actually cares and understands about operational security and doesn’t want to give the bad guys any actionable intelligence.  Or perhaps the CSM looks at Team Security’s success so far and believes the War on Bots is essentially over and CCP won.

Browsing the botting forums I get the sense that the shock and awe of CCP Sreegs’ spring offensive has worn off as botters have figured out the behavioral parameters of Team Security’s detection algorithm.  Or maybe not.  Here are some recent forum posts.

5 August 12

LoPhatMelk (Eve Miner) - "Well that didn't take long... I've used this bot maybe a week to two weeks and already both accounts are banned. Pretty conservative use with safe boting practices, good thing I only paid for 1 month trial of this bot..."

markbt (Eve Miner) - "Also received today a ban, a new character, just two weeks. The bot worked 8 hours a day with three breaks ... Assets confiscated when a ban for macros? I had assets more than 15kkk ("

LoPhatMelk (Eve Miner) - "Yea I'm negative 220kk between my 2 accounts... which is BS because I know I didn't make that much when botting..."

10 August 12

Armadillo11 (Questor) - "Been banned on my 3 accounts for 14 days, only 1 was used for botting though.  Ran it for 12-23h (shouldn't have, i know..)."

15 August 12

Sollo (Eve Trader) - "This is about the 3rd time I've been banned. My first char was banned twice for macro use even though I use custom timers and delays. Custom log off times that i change daily with more than 10-12 hours of bot downtime. And I don't trade high volume items. Maybe items that sell 3 or 4 a day at the most on average. After the first char had been banned twice I created a new account new VM machine the works with even slower bot speed using all custom delays and timers and changing them daily. Lasted about a week before it received a ban."

Also, remember all the talk about how the mining ship changes that came out in Inferno 1.2 on 8 August were a boon to bots?  The changes caught at least one botter by surprise...

18-19 August 12

justaminer (Eve Miner) - "Wait, what? Did something happen that made Hulks worse than retrievers? I still mine using several clients in a fleet (all hulks, not using jetcans) and all hulks."

ComalDave (Eve Miner) - "Retrievers now have a large ore hold that takes 30 minutes to fill. Hulks have a small ore hold that takes 7 minutes to fill. The Retriever spends more time mining and less time travelling back and forth from the station. Mining vessels are no longer made out of tissue paper and tin foil so it is much safer to mine now."

justaminer (Eve Miner) - "How long has this been true for?"

meloncholy (Eve Miner) - "Almost 2 weeks ago."

I wonder how much money I would make if I could write a bot to read Eve patch notes for botters?  But the mining barge changes seem to be a big hit with the botting community.  Well, those that know about the changes anyway.

But while bot users are stumbling around making me laugh, bot developers are getting their acts together and fighting back.  With the use of VMWare flagging botters for attention, a new application, Red Guard, is becoming popular with some botters looking to protect their main account when CCP catches botting activity on other accounts.  Perhaps more importantly the bot devs have managed to obtain some of the code CCP is using to detect python injection.  One bot dev posted the code and suggested countermeasures on the Public Demands forums.  The post on the Public Demands led to this amusing exchange on the Questor forums:

9 August 12

Da_Teach (Questor dev) - "So far its only half-assed checks, but I'm sure that'll change."

aziz001 - "so for now better stop using Q or not? i know we are always in danger, but seems now we are more in danger than early?"

Da_Teach (Questor dev) - "Yes, you are all going to get banned, once your banned, CCP will call up your internet provider and get you disconnected and CCP will claim your first born baby."  

"Or, if your scared about getting banned, you shouldn't be botting in the first place..."

I wasn't aware that CCP Sreegs had changed the penalties for botting, but I often see the sentiment among botters that if you bot you will eventually get caught.  The other important piece of information from this exchange is that Team Security is now making efforts to go after bots using python injection and that one prominent bot developer expects that effort to become more sophisticated over time.

I think Team Security has finished picking the low-hanging fruit in the War on Bots™ and are now going after harder stuff.  The current efforts have generally suppressed bot use from 23 hours a day down to 8-10 with built-in breaks during that time.  Now CCP Sreegs' strategy appears to have moved onto detecting injection bots, a long time irritant to CCP.  Of course, that is harder to do and Team Security will suffer setbacks because bot developers will not just sit back and let CCP take their income stream from them.  But at least now we know the battle has commenced.

11 comments:

  1. I am pretty sure they are getting banned due to virtual machine usage. That seems to be the common denominator from a lot of your summaries that you've posted.

    ReplyDelete
  2. The "sentiment among botters that if you bot you will eventually get caught." worries me. It means that they know that they'll get banned but it still worth to them, assuming they can protect their main account. Simply the bot punishments are rather bot costs that one pays for profit. Botting won't stop until being caught = being utterly destroyed.

    ReplyDelete
    Replies
    1. Gevlon, shut the fuck up. You're a retard. Even when you say something correct, you're still wrong.

      Delete
    2. Ok, thats a bit out of line. Sure, he has said/done some silly things related to eve, but thats no reason for a character attack. He has a valid point about the changeing attitudes of botters.

      Delete
    3. You have no understanding of the issue. It will take a very long time for the actual coders and bot developers to quit. They aren't about botting in Eve, their game is about trying to beat CCP at THEIR game. It's about the challenge. It's about the attack, the defense, and the counter attack. All the rest of the posers looking for a free ride, wil eventually tire of squawking "is it done yet? Is it done yet??" and either start playing Eve, or move on to another game that is easier to macro. The coders spend more time and money trying to circumvent Eve's security measures than it would take them to actually play it, and pay for it, so obviously, thei efforts are about something other than botting. Those individuals, will be the last ones to give up.

      Delete
  3. nice writeup.

    would be curious to see if the increase in bans of bots has any impact on economy yet?
    Alas, with CCP holding numbers close to the chest I doubt we'll ever know :(

    ReplyDelete
    Replies
    1. Its possible that the bot bans are offsetting the expected mineral price decline from the updated barges being so hard to gank. It is anecdotal, but I am hearing about and seeing a ton more miners in .05 systems lately.

      Delete
    2. Isotopes dropped like a rock.

      Delete
  4. em... close to what chest? the see through one on the blog? The literally posted graphs of the economy with the bot ban dates marked.

    ReplyDelete
  5. Thanks for the update! It's truly fascinating stuff to ponder.

    As for your comment about CCP taking the low hanging fruit, there is another interpretation: CCP reduced the noise to signal ratio. By getting rid of the easy stuff, it makes more clear how the hard stuff is working. That's difficult to ascertain when you are sifting through reams and reams of "intelligence." Now with the easy stuff gone, what is left is bullion rather than gold dust if you follow the metaphor.

    ReplyDelete
  6. I do not call this a success. These people are a few private botters, which do not cause any harm to the economy. The true damage is done by the large bot-networks using the ISK to RMT or finance empires such as SOLAR.
    They stay under cover, even though EVERYONE in EVE knows what they are doing.

    ReplyDelete