Post by Belouch on Jan 11, 2020 0:12:59 GMT 1
Anticheat - Punishment Policy
Three scenarios, from best to worst:
1. Spontaneous confession
The player confesses his actions before any admin intervention is made and before being sent to prison island. He doesn’t deal with the Executioner, but directly with admins. The penalty will be mild, we will estimate the ‘gains’ of the cheat and remove them. Player confidentiality will be preserved.
2. Immediate and honest confession
The player is sent to prison island. He deals with the Executioner, has one chance to save his character, and provides a very honest and detailed confession about his actions. We will estimate the ‘gains’ of the cheat and inflict a severe punishment, but the character will be allowed to keep playing. Efforts will be made to preserve player confidentiality*.
*About that… The reason we do not go full public disclosure on the details is to protect you, not us. We have absolutely nothing to hide. It is to give you a chance to avoid having the cheater-label on your forehead for the rest of your gaming days should you be allowed back on Agonia. Don't be dumb. Don't ruin it for yourself. Don't make a big fuss about your situation, causing an uproar in your faction like we have seen last week, forcing us, in order to protect ourselves from false accusations and stupid rumors, to give more details on the situation publicly. Your loss. We will try to protect you from cheater-label but not at our own cost.
3. Denial or dishonest confession
The player is sent to prison island. He deals with the Executioner, has one chance to save his character, and provides a dishonest confession (or denial) about his actions. The character earns a life-sentence on Prison Island. Player confidentiality is not preserved.
Special notes
In the case of #1 or #2, giving a second chance to players who cheat is already very magnanimous. Any future cheat, no matter how little, would trigger instant character deletion and full ban of the player (prohibition to recreate a new account).
Why do we care about a confession if we know they are guilty?
- First for our mental health. Punishing a player is never a pleasant thing, and punishing a player who has confessed vs one who has not is very different, even when we are 100% sure he is guilty.
- Until there is a confession, the relationship between the player and the admin team is conflictual, and dishonest. Once the faults have been confessed, it becomes a relationship between someone who has acknowledged his fault, and someone who is giving him a second chance. The relationship becomes both constructive and truthful.
- The punishment is proportional to the gains of the cheat. The confession gives us an extra chance to learn something that our tools could have failed to detect. If that's the case it also allows us to understand why and to improve our anticheat tools.
The punishment decision is not made by one single person. Two admins and three experienced players are asked to give their proposition and we pick the median one in terms of severity. It doesn't matter how strong the player is, how influential he is, how liked or disliked he is, or of which faction he is. We don't have any say in who cheats and who doesn't and we are not responsible if most of the cheaters lately were from the same faction. This is how we will be dealing with anticheat issues. It might not be the best way for some, but this is how we will do it. We are not professional criminal judges. We just want to build a game for all to enjoy, we would like to never do any anticheat but some players do not give us that choice.
Post by Belouch on Jan 14, 2020 19:03:50 GMT 1
Anticheat results
We will not be posting a detailed report every time we freeze or ban someone. But because last week's cheater-purge created a lot of unjustified outrage and crazy rumors, we will give precisions.
11 characters were sent to prison island last week.
Character A
Evidence: ‘A’ used three multis via VPN. It included farming items, giving relics but also exploring on the main character for extra training.
Trial: ‘A’ confessed immediately and provided very satisfactory level of details, matching fully with the evidence.
Punishment:
-Full inventory/dwelling wipe
-80 skills penalty in main skill
-40 skills penalty in all general and weapon skills
-Two-week stay in prison island
-Any future cheat, no matter how little, will trigger instant character deletion and full ban of the player (prohibition to recreate a new account).
The player decided to stop playing and asked for deletion.
Light Permanently frozen.
Snow Permanently frozen.
Ra Permanently frozen.
Character B
Evidence: ‘B’ used three multis via VPN: an ore miner, a river miner and a sulfur miner playing in the other faction. The multis were also used to declare mentorship and to help for some quests (like the metal gearing one). Some level of spying. Evidence shows that they were not used to explore on the character for extra training.
Trial: ‘B’ confessed immediately and provided rather satisfactory level of details, matching most of the evidence.
Punishment:
-Full inventory/dwelling wipe
-80 skills penalty in main skill
-40 skills penalty in all general and weapon skills
-Two-week stay in prison island
-Any future cheat, no matter how little, will trigger instant character deletion and full ban of the player (prohibition to recreate a new account).
Jandal
Evidence: Jandal was the middle-man between multiple multis and their owners. His nicest achievement was to go to Forsaken lands to collect the 64 sulfurs that Lucretia had farmed for months and bring them home to share with ‘B’.
Trial: Jandal didn’t confess to cheating. He only mentioned one of the multis to which he was linked and pretended he didn’t know it was a multi at the time when his participation in this multi-mafia was absolutely evident. He could have gone out of it with a much smaller punishment than ‘B’ but decided to take us for idiots. Too bad for him. The rule is strict, no confession = perma-freeze.
Punishment: Permanently frozen.
Lucretia Permanently frozen.
Mimosa Permanently frozen.
Gannicus Permanently frozen.
Character C
Evidence: ‘C’ used one multi via VPN to get extra relics and to explore on him for extra training. Also to some extent spying. No evidence suggested that he was used to farm for ‘C’ (the multi kept an independent inventory/dwelling).
Trial: ‘C’ confessed and provided satisfactory level of details, matching most of the evidence.
Punishment:
-50 skills penalty in main skill
-25 skills penalty in all general and weapon skills
-One-week stay in prison island
-Any future cheat, no matter how little, will trigger instant character deletion and full ban of the player (prohibition to recreate a new account).
Corax Permanently frozen.
In addition to those:
Character D
Character ‘D’ used 3 multis to farm resources. It turns out that he decided to delete just a few days before we sent cheaters to the island so no action had to be taken.
Lavinia Permanently frozen.
Morrigu Permanently frozen.
Sidius Permanently frozen.
Note: These cases are good examples of how efficient our new anticheat tools are, because all of them used extreme caution to avoid being detected, like systematic VPN usage for each multi and, for some of them, never any direct interaction with the main character in the game. Some also created Discord accounts for the multis and kept a rather high level of interaction with other players to make the multis seem as real as possible.
We are quite confident now that the biggest cheaters of the game have been dealt with. A few characters have little red flags on them, and we will keep a close eye on them, so if there is any cheater out there that didn't get caught yet, I strongly recommend him/her to stop it immediately, because it would only be a matter of time. And the longer the gains, the bigger the fall.
Post by Belouch on Apr 28, 2020 18:07:24 GMT 1
5 characters were deleted today for multi-abuse with VPN.
A lot is keeping us busy but it doesn't mean our detection tools are not on watch.
Post by Belouch on Aug 27, 2020 23:12:02 GMT 1
New cheat detected (and fixed, further investigations still ongoing)
Many of you have probably been surprised by a character who got surprisingly strong recently. He is now permanently frozen with full inventory/dwelling/town wipe.
The cheat triggered many red flags on our anticheat board early on and we knew what he was doing (regenerating moves) but we didn't know how he was doing it.
It was very concerning for us because the player behind is not just anybody, he is a person who had volunteered to help us on the code about a year before Agonia opened. Meaning he had full access to the code, of which he had possibly kept a copy. The problem with that is that it makes it very easy for someone with coding knowledge to find a security gap in the game and to know how to exploit it. (NB: not one line of code from this guy was ever added to the game, the breach he used was an existing one).
I didn't want to take actions before finding out how he was doing it, because we didn't know what was the true extent of his secret powers (at some point I was worrying he had found a way to hack into the admin board). It took a few evenings of investigation to finally understand he was doing an SQL injection on a specific page targeting a specific SQL query related to the player datatable. That means he could pretty much change any variable in that table (for his character only), such as his moves, his turns, his gold, etc. I even managed to change my tribe this way... (stats are in that same table but thanks to the new Restat function even if you change it via an injection it gets instantly corrected back, skills are in another table so safe from harm too).
Is it fixed now?
Yes, that breach is now fixed and we scanned the rest of the code to find similar issues. We found and fixed 3 more (not sure they could have been exploited but better safe than sorry).
When did he start using it?
Our logs show that he actually started using it in the very early days of the game. He then went inactive for a long while, came back recently and used it a lot to catch up.
Is anyone else using it?
The injection was quite easy to make, but to know it you needed to know exactly which SQL command to target (and why), on which page (and it was a page that is almost never used), which variable to 'cheat' and you'd also need to know the DB structure and table variable names to know how and what to change to your liking. That means only someone with code access could have found out, and known how to use this breach. Or someone that has been told the trick by the latter.
Now that we know how he was doing it, it's very easy to look at the raw logs as the use of the injection creates a very specific tag in the request logs which we can now hunt down specifically. It is impossible to use this injection without leaving this trace. It will take a bit of time because going through raw request logs is long and tedious, but you can be 100% sure that if anybody else has used it, he will be caught in the coming days. Keep in mind we do show mercy to spontaneous confessions.
What did he have to say about it?
He quickly admitted. There was not much to say as we already had all the details. The punishment is still a permanent freeze and full item wipe because the cheat is too serious to offer any 'honest admission' leeway.
What are the lessons here?
-That all cheaters get caught sooner or later. We don't have push notifications from our anticheat tools and we don't look at them every day because it's not fun to do. But every once in a while we'll check and if we catch someone, it doesn't matter if it was 10 months ago that he cheated, there is no prescription period in Agonia. Those 10 months will just be 10 extra months wasted by the cheater on his character. Even if by some miracle he evades all the specific anticheat logs, his cheat will still be somewhere in the raw logs, like in this case, which we keep since day 1 of Agonia.
-That it's very dangerous to give access to the code to anyone (some people who offered to help sometimes got offended that we would not give them access). This is a very good example why.
-Cheating sucks for absolutely everybody. No one is a winner here, we're all losers. He's a loser because he wasted hours and hours of training (he had free moves but he still needed to train) and it's all gone to waste now, I'm a loser because I wasted several evenings of my life investigating, fixing and now reporting this crap, and all players are losers because all that time invested would have gone to dev work and game improvements instead.
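The raw-log hunt described in the post above, sketched as an added example (not part of the original post and not Agonia's tooling). The post does not say what the "tag" looks like, so the combined-style log format, the page and parameter names, and the patterns below are all assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines; IPs, page and parameter names are invented.
SAMPLE_LOG = """\
198.51.100.4 - - [27/Aug/2020:21:10:02 +0000] "GET /page.php?id=42&note=hello+world HTTP/1.1" 200 512
198.51.100.4 - - [27/Aug/2020:21:10:09 +0000] "GET /page.php?id=42&note=O%27Brien HTTP/1.1" 200 512
203.0.113.9 - - [27/Aug/2020:21:11:40 +0000] "GET /page.php?id=42&note=x%27+OR+%271%27%3D%271 HTTP/1.1" 200 512
203.0.113.9 - - [27/Aug/2020:21:12:01 +0000] "GET /page.php?id=42%2527%2520--%2520 HTTP/1.1" 200 512
192.0.2.33 - - [27/Aug/2020:21:15:27 +0000] "GET /page.php?id=1+UNION+SELECT+1,2 HTTP/1.1" 500 87
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Assumed heuristics: SQL syntax that has no business inside a parameter value.
SUSPICIOUS = [
    ("quote+logic", re.compile(r"""['"]\s*(?:or|and)\s""", re.I)),
    ("quote+comment", re.compile(r"""['"]\s*(?:--|#|/\*)""")),
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("stacked", re.compile(r";\s*(?:update|insert|delete|drop)\b", re.I)),
]

def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %2527 -> %27 -> ')."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def hunt(log_text):
    """Return (client, parameter, pattern label) for each suspicious parameter."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, target = m.groups()
        # parse_qsl performs the first round of URL-decoding itself
        for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            value = decode_fully(raw)
            for label, pattern in SUSPICIOUS:
                if pattern.search(value):
                    hits.append((client, name, label))
                    break
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Hits are leads for manual review, not verdicts, and access logs of this kind record only the query string, so parameters sent in POST bodies need separate logging to be covered.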
Post by Belouch on Aug 28, 2020 12:37:40 GMT 1
One more character was found in the request logs using similar injection procedure (adding moves and turns). It is a rather unknown character, with only 900 turns spent. Permanently frozen as well.
We will continue going back in time through logs. What we can tell for sure is that no one else used this regularly like these two chars (for training purposes). Now it's too early to exclude the fact that someone else might have used it very sparingly, only in very specific settings (like in a raid), so this is what we are looking for now, logs will tell. If anyone has anything to tell us to save our time, you know where to find us...
Post by Belouch on Sept 9, 2020 20:14:55 GMT 1
Investigation is over. After examination of logs, no other character was found to have used Nifty's SQL exploit.
The second character caught earlier was (apparently) Nifty's wife, who tried the game for a few days.
Nifty is the first ever player to be permanently banned from Agonia after he was caught exploiting another breach a few days later with an SQL injection, this time to extract data.
Post by Belouch on Sept 28, 2020 10:24:38 GMT 1
Five accounts (most created very recently) have been frozen for VPN multi abuse. The person responsible (Kaladin/Oz) having already been given a second chance, he is now permanently banned from the game. Impressive effort to smuggle and teleport gear through a 5-multichar daisy-chain, using different IPs, different devices, different browsers, and different 'trading methods' and getting all of them caught...
Post by Belouch on Oct 18, 2020 23:57:29 GMT 1
Someone earned a 1-week trip to prison island for teleporting to the wrong capital to snoop around for info. We had warned against this...
Post by Belouch on Jan 23, 2021 23:43:06 GMT 1
Sunday anticheat: 10 accounts frozen for multi abuse. Most were using TOR, some just VPN (yes we still see you... in fact that makes it even easier for us). Now we have no more negotiating with multi-abusers so these characters are all permanently frozen. No need to come to discuss it with us once you are caught, just go find another game.
Post by Belouch on Feb 12, 2021 14:50:43 GMT 1
New anticheat tool against injects was developed.
Nifty was back and he is out again: Jax and his multi gustaf permanently frozen.
He was using a new type of SQL inject. To be discreet he was doing it from Gustaf with TOR and a clever attempt to avoid us linking it to Jax.
This is thanks to a new anticheat tool we have set up which can allow us to detect any type of inject now.