
Zero Day Exploits and MMOs

iconians Member Posts: 6,987 Arc User
edited December 2014 in Ten Forward
Disclaimer: Before I get started, I would first like to make it clear that I am in no way advocating, implying, or suggesting using exploits in STO, that there are Zero Day exploits in STO, that this applies specifically to STO, or that I or anyone that I know currently use Zero Day exploits in STO or any other video game I patron.

Furthermore, I would like to remind posters that the discussion of exploits within STO itself is against the forum Terms of Service. If someone knows of any exploit in STO, it should be reported accordingly. Do not mention them here.

This is only to gather opinions from people who play STO or other video games, who (depending on the length of time they've played the game) might have some idea of what I am asking.

First, I am sure at least some of you are asking, "What is a Zero Day exploit, and why should I care?"

A Zero Day exploit is a software exploit that is not publicly known, even to its own creators. Some of these exploits are discovered by regular people, sent to their creators, and that is the end of the line. They get fixed.

Sometimes they are not. Sometimes these Zero Day exploits are kept private, known only to the discoverers, and not shared in order to gain a benefit from their find. Sometimes these exploits are put on sale on the black market for hundreds of thousands of dollars (depending on what the exploit is, for which program, and for the kind of benefit that might be gained).

The Stuxnet virus was specifically designed with no less than three Zero Day exploits, which remained in effect until Antivirus engineers began picking it apart. The fact it had these exploits in it is partially why it became so infamous as the world's first 'cyberweapon'.

But that is beyond video games, and while hundreds of thousands of dollars may be spent on that kind of thing illicitly, it does make one wonder about MMOs and the inherent social nature to them, including being able to stay a few steps ahead of the developers in gaining benefit from exploits they do not yet know of, or are actively working on fixing.

A thread in the General forums briefly touched on similar scenarios with STO itself, where information concerning the game is kept private as to minimize the risk of the STO developers knowing about it, for fear of it being fixed, removed or nerfed.

Which leads me to this question. Depending on the MMO, what kind of price would someone pay to acquire a Zero Day exploit? I know we have often talked about the "whales" in MMOs who buy everything they can whether they need it or not, but I am also willing to guess these "whales" would have the disposable income to purchase an advantage over their fellow players.

A different type of "Pay 2 Win", if you will. Where the product is not sold by the developer or publisher in question, but by the players themselves who work in the shadows away from the prying eyes of those who might fix it, were it to be discovered.

But perhaps they would not. Perhaps the developer itself would pay to know about it, so it can be fixed. A type of extortion. Sure, the player in question might be banned, but if money was at stake, depending on the amount... it might be worth it.

Or perhaps a justice-minded 'whale' would actually purchase it only to immediately turn it back over to the developers in question, receiving no benefit from it at all and maintaining an ethical integrity.

Disposable incomes, the desire to maintain a 'secret' advantage over others, big or small, and the ability to hide it from others. I don't believe it would ever reach hundreds of thousands of dollars like the Zero Day exploits in Stuxnet may have received.

What do people think is the upper limit to these types of deals? At what point would someone have to take a step back and say, "There is no way I would do this or give that for that kind of advantage the developers don't even know about."? Would most of these people inform the developer of it in order to gain favor with them, hoping their discovery will lead to a similar 'unique' prize only for them? Would developers offer 'bounties' in the form of their premium currencies for Zero Day exploits?

Comments

  • bareel Member Posts: 3 Arc User
    edited December 2014
    In the past I would have answered this question far differently because the environment was different.

    Today most MMOs have metric gatherers built into the code. That means no matter how secret you keep the exploit, even if the developers themselves do not know the exploit, they will know you are gaining XY or Z much faster than anyone else. From there immediate action is likely to be taken by any competent developer. Although I must admit that depending upon how big the impact is to the game overall and the difficulty in discovering/solving the exploit it might just end with bans. Followed by public release of the exploit. Followed by an actual solution.

    As for paying for it, I really think the black market for F2P MMOs is pretty much dead provided the developers have reasonable prices. It's one of the few bright spots of the entire F2P model, the massive reduction in the black market.

    For me personally I report any exploit I find. Although I am getting a bit tired of reporting old exploits that were fixed and somehow manage to return...
  • iconians Member Posts: 6,987 Arc User
    edited December 2014
    bareel wrote: »
    Today most MMOs have metric gatherers built into the code. That means no matter how secret you keep the exploit, even if the developers themselves do not know the exploit, they will know you are gaining XY or Z much faster than anyone else. From there immediate action is likely to be taken by any competent developer. Although I must admit that depending upon how big the impact is to the game overall and the difficulty in discovering/solving the exploit it might just end with bans.

    I suppose a metric gathering tool in the code itself is only as good as the person who coded it, and oversights can easily be made. I think it is one of the lucrative things about "Zero Day Exploits", as even their own metrics either can not detect it as being out of the ordinary, or simply were never built to gather specific types of information from the players to begin with.

    An exploit would not necessarily need to have a game-breaking advantage. Simply an advantage enough as to make it appear everything is legitimate and working as intended, but still noticeable to the player in question.
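Added example, not part of either post above: a sketch of the kind of server-side gain-rate check the two comments describe, using a median/MAD modified z-score so that one extreme account cannot hide itself by inflating the average. The player names, the rates and the 3.5 threshold are constructed assumptions; the sample also shows the limitation raised in the reply, since a modest advantage that stays inside the normal spread is not flagged.

```python
from statistics import median

# Constructed sample: currency earned per played hour, one value per player.
# Names and numbers are invented for illustration only.
GAIN_PER_HOUR = {
    "player_a": 480, "player_b": 510, "player_c": 455, "player_d": 530,
    "player_e": 495, "player_f": 470, "player_g": 520, "player_h": 505,
    "subtle": 560,    # modest edge, still inside the normal spread
    "blatant": 4800,  # roughly ten times the typical rate
}


def modified_z_scores(rates):
    """Return a robust z-score per player based on the median and the
    median absolute deviation (MAD) instead of mean and standard deviation."""
    values = list(rates.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        # More than half the population sits exactly on the median:
        # any value off the median is treated as maximally anomalous.
        return {p: (0.0 if v == med else float("inf")) for p, v in rates.items()}
    # 0.6745 rescales MAD so scores are comparable to ordinary z-scores.
    return {p: 0.6745 * (v - med) / mad for p, v in rates.items()}


def flag_outliers(rates, threshold=3.5):
    """List players whose gain rate is far ABOVE the population median.
    Only the high side is flagged; slow earners are not interesting here."""
    scores = modified_z_scores(rates)
    return sorted(p for p, z in scores.items() if z > threshold)


if __name__ == "__main__":
    for player, z in sorted(modified_z_scores(GAIN_PER_HOUR).items()):
        print(f"{player:10s} z={z:8.2f}")
    print("flagged:", flag_outliers(GAIN_PER_HOUR))
```

A check like this only sees the quantities it was built to collect, so it complements rather than replaces player reports and code fixes.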
  • bioixi Member Posts: 764 Arc User
    edited December 2014
    Many business companies pay for them; Microsoft, for example, pays a lot, so if you discover one of those in any Microsoft product you can get a good amount of money. I guess Cryptic/PWE, like most companies, will probably do something similar. If you happen to come across one of those ZD exploits, be sure to report it.
  • thunderfoot#5163 thunderfoot Member Posts: 4,540 Arc User
    edited December 2014
    You've raised some very interesting ideas, OP. You've also made me look inside my head. And I may not like what I see there. If this was your intent, it worked. At least for me.

    I like to think of myself as a decent person. As I am sure most people do. Presented with the ability to discover and successfully use a Zero Day Exploit within STO, I would like very much to be able to say I would immediately alert the Devs and continue to do so until I received positive confirmation they heard me and addressed the problem correctly.

    To do so would be lying. Knowing myself far too well, I'd probably try it out a couple of times. Not with any sort of malice. Or as a way to massively improve my standing within this game. Rather as a way to see just how far it might go and where it did not work. My curiosity would win out. And I would use it. Then, I would rationalize my use by telling myself I wanted to be sure it was Something Very Bad before I alerted the Devs.

    Next, I would begin to wonder what exactly pwe/cryptic would offer in return for this information. In short how much is it worth? And if the use of this exploit earns more than turning it in does, I might wait a while longer. By this time, I probably haven't used it much. About three or four times. Just to get that ship which was always out of reach before which I really wanted. To crew it the way I've always wanted to crew such a ship. To give it a loadout which would be the envy and despair of even the most ruthlessly diehard of PvP players. Whereupon I would promptly get blown out of the stars every time I foolishly wandered into Ker'rat. Because I am not a good enough Captain to command such a ship, lol. Well, not yet anyways.

    So no, I guess I am not "good people" after all. Which is not all that surprising, really. And I guess I would keep such knowledge to myself. To be used again whenever an emergency arises. My definition of the word 'emergency' in this case would probably be very very loose. Such as someone in my Fleet wanting JHAS hangars for their JHDC and not being able to afford them just this second.

    EDIT:
    And when someone asks me why I went so wrong, I could look at them with an absolutely straight face and say,
    "It was Iconians." :D
    A six year old boy and his starship. Living the dream.
  • starkaos Member Posts: 11,556 Arc User
    edited December 2014
    Cryptic has had a few of these exploits. The most infamous one I know of is the Caturday exploit in Neverwinter. It got so out of hand that Cryptic had to rollback the servers because one of these exploits got into the hands of the general public.
  • sonulinu2 Member Posts: 0 Arc User
    edited December 2014
    Have been in game since launch and people, whether out of the goodness of their heart or otherwise, inevitably let the cat out of the bag and exploits are subsequently fixed/nerfed/whatever. I think it has to do with the type of people who play STO. :D

    Anyone who is a regular reader of the forums knows what I'm talking about. They're discussed all the time seeming to never last more than a few months. Of course, that's only what I see from the forums, and perhaps there are some individuals who are aware of a ZDE and haven't shared it but with the relative fast pace of changing meta it's doubtful that any would be effective for very long imho.

    Of course you're not talking about STO but the concept in general. Meh, why cheat in a game? It's kinda like vices and virtues. If you can't be trusted on the small issues then God help you with the big ones. I'm not trying to sound holier than thou, and if I am I apologize. I'm full of imperfections and mistakes. But no thanks, please don't tempt me.
  • futurepastnow Member Posts: 3,660 Arc User
    edited December 2014
    STO has always had exploits and always will. Two I knew of- the double mining trick and stack splitting- have been fixed in recent months. There are two more such bugs I know of that still work, but since they don't involve dilithium, I assume Cryptic knows about them and they simply haven't crossed the threshold of being worth a programmer's time to fix.

    Should I report these bugs? I used to test new stuff on Tribble, but bugs I found and reported there were never fixed before whatever update went live. So I figured that Tribble install was wasting drive space and deleted it. I'm not being incentivized to beta test STO.
  • iconians Member Posts: 6,987 Arc User
    edited December 2014
    Should I report these bugs? I used to test new stuff on Tribble, but bugs I found and reported there were never fixed before whatever update went live. So I figured that Tribble install was wasting drive space and deleted it. I'm not being incentivized to beta test STO.

    You raise an interesting point. The ethics of Zero Days used for personal benefit as opposed to working with Cryptic (or any publisher) in order to resolve exploits and make a better game for all. Could and should someone be able to justify it to themselves that because a developer studio has a poor track record in fixing long-standing bugs, that it gives one the 'right' to use an exploit in their favor?

    Or to go one step further, because there is little to lose upon discovery of the exploit (again, depending on the type and benefit gained), is it therefore considered 'permitted' by the developer to use an exploit as a reasonable person would do? This is somewhat touched upon by Stephen D'Angelo regarding the skill point dilemma. A 'scaling' system over how abused an exploit is, and how lenient one can be.

    If that is the case, and the person in question would see little in the way of punitive measures (no bans, no suspensions, gains are kept on character progress), does that, in a way, encourage exploitation to be used, because of the nature of MMOs to keep player retention, and to be lenient with rulebreakers in some circumstances?

    If someone can justify it to themselves mentally that because a publisher offers a 'pay2win' mechanic as part of their monetization, can it easily be justified that an unscrupulous player could similarly make money off of a game design flaw? If it is already established in a game that if you give them money, you have a noticeable advantage, could you consider yourself on equal ethical footing as the developer? Sure, it is their game and you might get banned. But from a purely ethical standpoint, you would simply be taking advantage of a system they are already taking advantage of.

    And if that is the case, should the developer in question handle Zero Day exploits kept secret from them intentionally in a similar fashion? You are right. We are not being incentivized to beta test STO on the Tribble Preview Server. Al Rivera already made it a point to mention that the amount of money they lose by offering a testing weekend is not worth the testing itself.

    Should Cryptic simply take it one step further and actively incentivize confirmed bugs? Or any developer for that matter?

    I'm not talking exclusive rewards like CoH's "Bug Hunter" badge which was only given to a few notable players for particular bugs, but an actual system where a bug is found and the player given a reward upon confirmation of said bug.

    Would that hinder Zero Day exploits enough that people would find the reward for being incentivized more lucrative than the exploit itself? Possibly, it would depend on the exploit, but I think it is something worth considering when player trust with a company is on shaky ground, to the point players may feel it is better to keep their mouths shut over something they like so the developer does not nerf it 'for their own good'.
  • grouchyotaku Member Posts: 0 Arc User
    edited December 2014
    iconians wrote: »
    ...
    Which leads me to this question. Depending on the MMO, what kind of price would someone pay to acquire a Zero Day exploit? I know we have often talked about the "whales" in MMOs who buy everything they can whether they need it or not, but I am also willing to guess these "whales" would have the disposable income to purchase an advantage over their fellow players.

    ...

    If it's an MMO-specific Zero Day Exploit, then the answer would be ZERO, as there's simply not enough money to be made to justify the Exploit purchase. At the very most, you might be able to make a few thousand dollars off of an Exploit, which would only be a fraction of the purchase costs. The only thing that could justify the expense would be something with a political motivation attack (such as the recent Sony hack), which is something that STO would not be a target for.
  • mightybobcnc Member Posts: 3,354 Arc User
    edited December 2014
    iconians wrote: »
    Should Cryptic simply take it one step further and actively incentivize confirmed bugs? Or any developer for that matter?

    I'm not talking exclusive rewards like CoH's "Bug Hunter" badge which was only given to a few notable players for particular bugs, but an actual system where a bug is found and the player given a reward upon confirmation of said bug.

    They might as well; bug bounties have worked out great for Google, Microsoft, Apple, etc. in the tech industry. See: Pwn2Own


    OCD side-nitpicking: Stuxnet isn't famous for using zero-days, ZDs aren't some new thing--they have been in use for years, including by the feds and police--it's famous for being a cyber attack that resulted in physical damage, and for being used against a high-profile nuclear target, and for being state-sponsored and highly engineered instead of commonplace criminal malware.

    Joined January 2009
    Finger wrote:
    Nitpicking is a time-honored tradition of science fiction. Asking your readers not to worry about the "little things" is like asking a dog not to sniff at people's crotches. If there's something that appears to violate natural laws, then you can expect someone's going to point it out. That's just the way things are.
  • thunderfoot#5163 thunderfoot Member Posts: 4,540 Arc User
    edited December 2014
    Despite what some may think, STO is probably a niche market. It certainly does not have the number of players who were affected by the Christmas Day hack of XBox Live and Sony Play Station. I'm thinking an STO exploit would not have much value compared to one which would affect a game with a much larger playerbase.
    So who would I sell an STO Zero Day Exploit to?

    A whale? I'm guessing no. Whales either already have everything they want or are in process of purchasing everything they want.

    A troll? Maybe. But this would almost certainly ensure the exploit was found and eliminated immediately. Since trolls by their nature cannot resist the temptation to cause maximum discomfort to the maximum number of players for the longest maximum time. A troll might even make such an exploit public and give it away. In hopes of getting large numbers of other players banned or punished.

    A PvPer? Maybe. The PvP crowd always gets routinely ignored by Cryptic and some payback may be in order. But to sell an exploit to a PvPer would make me a troll, wouldn't it?

    Cryptic Studios? Probably not. At least not under the current leadership. If you want to call it that. They are all much smarter than we are. Don't believe me? Go and ask them. They'll tell you. I have always firmly believed I am under no obligation to protect someone else from their own self inflicted stupidity. And I'd like to remind both the EP and Geko there is a very good reason Pride is the first of the seven deadly sins.
    A six year old boy and his starship. Living the dream.