Thursday, August 10, 2017

Jumping To Conclusions

Sometimes following Twitter leads to some amazing things. Last night I saw this Tweet in my timeline.

So I wound up logging into the Singularity test server last night to see for myself. Sure enough, the crate item does indeed state that the manual for unpacking and assembling the ship seems to be missing.

The assumption that Ashterothi made is that these event prizes will require some sort of real money payment to open. Reaching such a conclusion doesn't pass the smell test. Lockboxes are traditionally just a random drop item. Making someone pay to get the prizes from a progression event like what I saw on Sisi is such an idiotic concept that CCP would deserve to lose half their customers if they even thought to do such a thing. But perhaps I'm wrong and someone in Reykjavik put a drooling imbecile in charge of monetization.

Something I noticed about the redeem window is that the left half is transparent. I marked in red where the window actually extended. Usually I would expect half the area to have some sort of graphic that would make opening the crate a fancier experience. The one thing I do expect is that the ships earned while doing the events will show up as the race of the pilot opening the crate so that alpha players receive ships they can use. The character I used is Minmatar and received a Minmatar industrial ship.

As the final screenshot shows, the event is still under construction, so I can't definitively state that CCP is not using the event to introduce lockboxes. Perhaps the missing part of the window will explain what the text in the item window means. But at this point, using the text of the crate to indicate that CCP is introducing lockboxes is a tremendous leap of logic.

Friday, August 4, 2017

CCP's War On Illicit ISK: Ghost Training

Ghost Training, as defined by CCP, "is defined as the use of alpha account status to accrue skill points at a more rapid rate than they are gained through normal alpha account gameplay, and/or train omega skills on an alpha account." Basically, any player whose subscription lapsed following the introduction of CCP's version of an extended trial in November unwittingly benefited from the exploit. The exploit impacted the secondary markets due to the ability to extract the skill points and convert them into ISK, or just selling the injectors themselves.

Demonstrating the hazard discount

What was the impact of ghost training, if any, on the price of ISK on the secondary markets? Outside of last month, no clear evidence exists. As always, the major driver of prices on the black market is the price of PLEX in The Forge. Beginning in September 2016, the hazard discount settled into a range of $8-$10 USD/billion ISK. The hazard discount is the amount of a price reduction ISK sellers must offer buyers relative to the price of ISK purchased through CCP-approved means in order to entice those buyers into risking CCP banning all of their accounts. For example, the average hazard discount for December, the first full month the exploit existed, was $8.94/billion ISK. Six months later, the hazard discount was still $8.90/billion ISK. The most likely impact of the exploit on the black market was to protect profits as the rising ISK price of PLEX forced ISK sellers to drop their prices to compete with CCP.

So what happened in June that exposed the influence of Ghost Training on the secondary market? Quite simply, CCP acted to shut down the practice, forcing those ISK sellers to react.

Notable events in June and July

The first public indication of CCP attempting to shut down Ghost Training occurred on 8 June. CCP ran a script that had the unfortunate effect of pausing the skill queues of players not engaged in using the exploit. While the script failed to permanently stop Ghost Training, some of the smaller players in the black market dropped their prices fairly significantly in case the release on 13 June instituted a permanent fix.

Apparently, any fix included in YC 119.6 failed to work as CCP publicly declared Ghost Training an exploit on 15 June. CCP's next move involved contacting all players detected taking advantage of Ghost Training in some way and giving them the option of either extracting the skill points and giving the SP back to CCP, or handing over a set amount of ISK and/or assets. What is known is that CCP started contacting players on or about 26 June.

Either some of the major ISK sellers taking advantage of the exploit were contacted earlier, or the public declaration declaring Ghost Training an exploit because the market took a noticeable turn downward starting on 20 June. Over the course of the next 10 days, the 7 day rolling average cost of 1 billion ISK dropped 15.7%, from $4.27/billion ISK down to $3.60/billion ISK.

Some of the wreckage from the Ghost Training banwave

The price chart indicates that CCP began banning accounts in some of the larger RMT operations around 30 June-1 July. One seller stood out as the shop was the largest seller on Player Auctions in the first half of 2017, selling over $65,000 worth of ISK and skill injectors. The seller disappeared from the listings from 28-30 June and around the same time was banned from 2 RMT forums where ISK sellers often go to buy their stock.

Bought from a shop using stolen credit cards

The second largest seller of ISK and skill points on Player Auctions in the month of June also appeared to take advantage of the Ghost Training exploit. That belief came into question on 5 July when the shop's customers started complaining about the shop using stolen credit cards and receiving unusually harsh punishments from CCP. The shop may have left the EVE black market soon after, as the last time it listed ISK for sale was on 24 July.

Finally, did the vast amount of cheap ISK sold in June result in vastly larger profits for the ISK sellers? Overall, the ISK sellers on Player Auctions sold nearly 4.8 trillion ISK in June compared to 3.6 trillion ISK in both April and May. The result? The data I collected indicates ISK sales were down $120 from May's total and $2700 compared to April. When selling over 1.1 trillion ISK more in a month doesn't bring in more real life money, maybe EVE's illicit ISK sellers should try find a more profitable business.

Friday, July 28, 2017

Empty Space

So fan boys who were vigorously defending the 10 system universe as being all they really needed have to change their story yet again?
- Wilhelm Arcturus, MassivelyOP comments thread
Last week's post on the shrinking of the Star Citizen universe received a lot of traffic. Apparently, the interest (and concern) was high enough in the Star Citizen community to draw a response from CIG on the Star Citizen forums:
"Hey guys! This is a case of things being lost in translation; Chris was asked a specific question about how many systems we expect to have online at the point that we've got most of the core mechanics completed and we would consider the gameplay experience suitable for a larger audience. There are no changes with regards to the planned amount of systems which are well documented on the current Star Map.

"Also, it’s important to remember that the scope of the game has increased greatly since the original crowdfunding campaign. Since those early days we’ve created procedural planet tech, moved from 32 bit to 64 bit… all of it leading to billions of kilometers of space and millions of square kilometers of landmass to explore, all rendered in detail that matches the most detailed 1st person games that only have to worry about a few dozen kilometers of playable area.

"This takes time to fill out, so while it will take us longer to fully deliver and populate every system at this fidelity rather than if we had only a handful of points of interest per star system, we have no intention of reducing the size of the Star Citizen universe."
I take the statement as acknowledging that while the game won't have the promised 100 systems at launch, players should expect more than 10, with additional planets added sporadically as time goes by. I do, however, get the feeling Star Citizen will launch as more of a planetary first-person shooter set in a sci-fi setting with space flight rather than a space-based game like EVE or Elite Dangerous.

The news from CIG did not interest me as much as the comments for the article posted on MassivelyOP. I wanted to see how the commenters would pivot from defending a Star Citizen universe with 5-10 systems to a promise of a larger one at launch. For some reason, many Star Citizen backers have a deep hatred and loathing of anything related to EVE Online. That sentiment came out from one commenter responding to the fact that EVE has over 8,000 systems.

By the end, BDJ admits to having no experience playing space games. I have a feeling a lot of people attracted to Star Citizen want the planetary experience and the space part of the game is a side show. So let me address the issue, why so many systems?

First, I want to address the big technical reason: server performance. EVE Online has over 5,200 normal space systems and 2,600 wormhole spaces to spread players over. The game even has 12 starter systems divided equally between 4 NPC empires. Except for major events involving thousands of players, the servers nowadays hold up fairly well.

Now let's look at Star Citizen. A quick look at the funding page currently shows 1.8 million backers. By the time the game launches, that number should reach 2 million. I don't want to make the numbers too high, so assume that only 50% of those backers never log in and CIG sells no copies after launch. Of those 1 million active players, assume that between 1/6 and 1/10 are online at any one time. (I gathered those percentages from EVE back when CCP published subscriber numbers). Based on my rough math, expect Star Citizen to have between 100,000 and 167,000 players online at any one time.

If Star Citizen only launches with 10 systems, that means an average of 10,000-16,700 players in each system. I'm not sure how stable CIG's netcode and servers will perform at launch, but even with top flight equipment, that's potentially a lot of activity for a node to handle. With 100 systems, the load becomes a much more manageable 1,000-1,700 players per system. With various sites of interest for players to visit dividing the load up within a system even further, 100 systems seems like players should have a good time. But only 10 systems? In that case, I expect CIG to either resort to a lot of instancing or, even worse, login queues.

One complaint BDJ raises is sparsely populated regions of space. I guess in the terms of the current debate swirling around Star Citizen, an empty system as a placeholder is a bad thing. But differences in population density in a universe is a good feature, if a game developer can manage to do so well. In a sci-fi universe, people are not spread out uniformly. Instead, highly populated core worlds co-exist (sometimes violently) with sparsely populated fringe worlds. One of the charms of EVE is spending a month or two in a low pop area like low sec, null sec, or especially wormholes, and then jumping into high security space. Just looking at all the players in local chat makes it feel like you've jumped into a different world. Some players call high sec "scary" just because of that jarring transition.

Another benefit of sparsely populated space is the ability to go out alone, explore, and find valuable content. Each system has the potential to spawn combat or exploration sites with, to use a technical term, phat loot. The more valuable sites are found in space where people are allowed to shoot at you. Finding a nice quiet spot with no one around is something people seek, not complain about. Well, unless the person complaining wants a fight, that is.

Looking at a player organization level, the vast number of systems helps keep one or two groups of players from dominating the cluster, especially after the introduction of jump fatigue. Imagine if the 25,000 members of Goonswarm were to hop into a game with only 10 systems. Sorry Star Citizen players, but the Goons organizational abilities would probably lead them to dominating the entire game. In EVE, while they cause a lot of trouble, Goonswarm mainly stay in the regions of Delve and Querious preparing for the next big war. Even the Goons can't seize over 2,000 systems.

At the end, BDJ asks what a system in a space game actually contains? In EVE, the systems contain many elements, all of which have some form of game play attached. For example, while players never enter the planetary atmosphere, they can play a mini-game and extract resources used in high end manufacturing and running player-built structures. The type of materials is based on the types of planets in the system. Some just take the materials to market to sell while other players build factory planets to produce high-end planetary items.

Another important source of game play are moons. Moon mining is the source of key materials used in tech 2 production. In the winter expansion, CCP is turning moon mining from a passive to an active experience, requiring not only the construction of a refinery at a moon's Lagrange point (in the New Eden universe, each moon only has one Lagrange point). Not all moons are equal, however, and players will need to probe each moon to discover which ones hold desired minerals following the moon mineral reshuffle occurring in the winter expansion. Did I mention that EVE has tens of thousands of minable moons that need exploring? Also, the knowledge of which moons hold what materials is extremely valuable and won't make it to the wider internet for months, if ever. All-in-all, just the mere existence of moons in system brings some sort of game play.

The third type of permanent object in space is the asteroid belt. Besides providing ore to mine, asteroid belts attract interesting NPCs. In low sec, some types of NPCs drop tags to improve security status and blueprints for the Mordu's Legion ships. In all areas of space, one is liable to find NPC mining operations, which can provide for some interesting fights, as the AI running the mining operations, including response fleets, is much better than the standard AI. In part of null sec, following parts of the NPC mining fleets leads to pirate shipyards where the blueprints for advanced ships drop. Currently, only Blood Raider space has such shipyards, but the Guristas are the next pirate faction to receive them, with the other factions to eventually receive shipyards of their own.

Each system also has the chance to spawn temporary sites that, once run (or not run over a 3 day period), despawn. These sites run the range from mining to combat to data/relic sites that use the hacking mini-game. A system that looks insignificant most days could wind up providing a player lucky (or persistent) enough to find the site a huge payday. Or, if a player probes down a wormhole, the system can server as a temporary gateway to more interesting content.

Finally, a big difference between EVE and Star Citizen is the ability of players to shape a system. I am not an expert on Star Citizen by any means, but I get the impression that the world Chris Roberts is building is set in stone, with massive structures like space stations only provided by CIG. In EVE, players can build their own space stations, called citadels, almost wherever they like. Players can also build transportation networks, called jump bridges, to facilitate travel. A system with no otherwise outstanding features could become a critical part of a jump bridge system, attracting player activity.

Writing articles for the blog oftentimes serves to help me work out certain concepts. After writing over 1600 words, I still don't understand the concept of the "empty system". I guess, for the commenters defending Star Citizen from charges that CIG is shrinking the game, that a system is empty if it does not contain several areas of meaningful planetary interaction, which includes the ability of a player's avatar to walk on the planet. I thought that Star Citizen was a space game. Apparently I misunderstood, and Chris Roberts is designing a more traditional MMO in a science-fiction setting. I should think of Star Citizen more like Star Wars: The Old Republic (with much better space flight) and less like EVE or Elite Dangerous, where the game play is all space based. Because in a space-based game, as long as a system has a sun, planets, moons, and pirates, a system is never truly empty.

Friday, July 21, 2017

Star Citizen Just Got A Whole Lot Smaller

I think I have a bit of experience when discussing massively multi-player online games. I started playing my first MMORPG in 2005 and began writing on The Nosy Gamer in 2009. Among the games I played at launch was Warhammer Online, a highly anticipated game that featured video blogs that helped raise the hype level to 11. A major sign that the game was in trouble, though, occurred before launch when Mythic had to scrap 4 of the 6 racial capital cities planned for launch. Despite the presence of the highly regarded Mark Jacobs, the lead designer of Dark Age of Camelot, the game only lasted five years.

Fast forward 9 years and we have another highly hyped and anticipated game, Star Citizen, facing the same situation. In an interview with the German game site GameStar, (part 1 and part 2 translated on the r/starcitizen subreddit), Cloud Imperium Games founder Chris Roberts revealed that the game would only launch with 5-10 systems.

$6 million stretch goal (as seen on 20 July 2017)
Five or ten systems? The problem is, Cloud Imperium Games promised their backers 100 star systems at launch as part of its $6 million stretch goal. In addition, the company promised 16 named systems as various other stretch goals. They are:

Stretch GoalSystem
$3,100,000Odin System
$3,200,000Tyrol System
$3,300,000Kellog System
$3,400,000Goss System
$3,500,000Orion System
$3,600,000Ellis System
$3,700,000Cathcart System
$3,800,000Tal System
$3,900,000Geddon System
$4,000,000Chronos System
$36,000,000Tamsa System
$37,000,000Tanga System
$38,000,000Cano System
$39,000,000UDS-2943-01-22 System
$40,000,000Kabal System
$40,000,000Oretani System

At this point, I need to point out I have no interest in playing Star Citizen. I don't like flight simulators or first person shooters, and Star Citizen is both. My interest is purely on the business side of things. My point of view completely from the outside.

With those caveats in place, the situation for CIG does not look good. As far as I can tell, Star Citizen needs at least one more year of alpha (Alpha 3.0) and one year of beta testing before the game is ready to launch. If I had to guess, I think Star Citizen will launch either in the fourth quarter of 2019 or the first quarter of 2020.

Even with an estimate of two years until launch, the developer just announced a 90%-95% reduction in the size of the game. What makes the reduction even worse is that CIG raised money on the promise of Star Citizen launching with the missing content.

Now, I always thought Star Citizen was a space combat/exploration game. Perhaps Chris Roberts changed his vision to make the game more like a traditional MMORPG. Is the focus changing from space to planets? The question, for me, is academic as I don't plan on purchasing the game. But I really would like to know.

Friday, July 14, 2017

The Concurrent User Drop And The Release Cycle

To say that the number of concurrent users in EVE Online dropped over the past few years is a pretty accurate statement. When CCP Seagull became the executive producer of EVE Online in July 2014, the number of concurrent users on Tranquility was approximately 26,000. Looking at the numbers on EVE-Offline, the concurrent user numbers had dropped down to 22,000 over the past month.

Given the level of "EVE is dying!" angst seen amongst some members of the player base, I expected to see a much greater decline than the approximately 15% drop in concurrent users over the past three years. One of the hallmarks of CCP Seagull's years in charge of development is the desire to break away from the cult of the subscription and not require EVE players to maintain as many accounts as previously. In some respects, I believe the decline is a feature in her overall plans, not a bug.

I believe that one of CCP Seagull's major decisions unintentionally contributed to the decline of concurrent users, however. The decision to move from a two-expansions a year to a five week release cycle I believe cost EVE Online a lot of activity. The graphic above is one example. In June 2014, CCP launched Kronos, the last of the old style EVE expansions. Would Tranquility have experienced greater player activity if CCP had launched a Kronos-level expansion in June 2017? I think so.

During the Age of Expansions, EVE typically experienced month-over-month growth during three months: December, January, and June.

Growth during winter is expected, but why the increasing activity in June? Because CCP traditionally launched expansions in late May or June. The expansion would draw people into the game, thus mitigating the traditional summer fall off. Even Incarna followed the pattern, with the steep drop-off in player activity occurring in September, not June or July.

Perhaps surprising to many players, the largest July drop in activity occurred in 2009, not 2011. I see two causes for the drop. First, the critically acclaimed Apocrypha expansion launched in March, not in June of 2009. The second, and perhaps more important reason, was the anti-bot/anti-RMT operation known as Unholy Rage that launched on June 22, 2009.

Returning to the present day, I believe CCP could boost numbers, or at least slow the decline, by targeting the June and November content releases more like the old style expansions than just another incremental drop. Hopefully, the upcoming winter expansion is a move in that direction. Now, if we just see a summer expansion in 2018, perhaps we will see a reduction in the cries that the game is dying.

Thursday, July 6, 2017

EVE's Zombie Farms: Full And Responsible Disclosure

One of the big challenges for the developers of MMORPGs is making sure that new major features in their games integrate seamlessly with older systems. The task becomes even more critical when adding free-to-play elements to an existing mature game. Unfortunately for EVE Online's developer CCP,  the game system involved is the skill injector system that allows players to trade skill points amongst each other.

While skill point trading has several weaknesses, the issue today causing elements of the player base to pull out their pitchforks is a bug introduced in the Ascension expansion on 15 November 2016. Ascension introduced clone states, CCP's term for the system that introduced elements of free-to-play to EVE. Alpha clones, the new F2P option, differed from the subscription Omega clone option by only offering the use and ability to train a subset of skills as well as only possessing the 24 hour skill queue phased out in the Phoebe expansion. In the Ascension patch notes, CCP specifically stated the behavior of an account that lapses from Omega to Alpha state.
"Accounts lapsing from Omega to Alpha will have their training queue paused and will have previously trained skills outside the Alpha set disabled until subscription is renewed"
On 3 March, a Reddit user posted that CCP's code did not work as intended.
Since the introduction of Alpha clones it's been possible to train only certain skills as an Alpha (the way it should be IMO).

However, what I have not seen talked about is that you can fill your skill queue as an Omega, let your subscription expire, and now as an Alpha the character will continue to train those Omega skills for free at the Omega 2x speed. The skill queue only stopping if you log into that account.

It's currently possible to plex an account, fill the skill queue, and train skills for free until you decide to log in and extract. Before repeating the process again, getting multiple months worth of skill injectors for a single plex and the extractor cost.

Is this something that people consider acceptable or another thing for CCP to fix?
According to Wikipedia, an exploit, "is the use of a bug or glitches, game system, rates, hit boxes, or speed, etc. by a player to their advantage in a manner not intended by the game's designers." Given that CCP explicitly stated in the patch notes the expected behavior when an account lapses from Omega to Alpha status, what the Reddit user described in March is an exploit.

On 15 June, CCP acknowledged the exploit in an article published in the news channel:
"After thorough investigation and discussion with the Council of Stellar Management, the decision has been made to declare 'Ghost Training' an exploit.

"'Ghost Training' is defined as the use of alpha account status to accrue skillpoints at a more rapid rate than they are gained through normal alpha account gameplay, and/or train omega skills on an alpha account.

This notification serves to inform pilots that as of the date and time stamp in its header, the use of Ghost Training is considered an exploit. Any users found to have been knowingly abusing Ghost Training will be subject to reprimand on a case by case basis as per the EVE Online EULA.

We’d like to thank all the pilots who have reported this to us both publicly and via the support and bug reporting systems, and confirm that a fix is expected to be deployed to address this issue next week.

A reimbursement is also incoming for those pilots who may have lost skill training time as part of a related deployment last week, as highlighted in this news item.
Lead GM Lelouch clarified the statement on Reddit:
"You're right, the wording is a bit vague/misleading. To clarify: We are going after past abusers.

"While all exploit abuse is bad, we consider any abuse of a publicly declared exploit to be even worse. That's the distinction we were trying to make in the notification. It doesn't mean that we're going to let abuse predating the announcement slide. I apologize for the confusion.

"I want to take the opportunity to urge anyone who intentionally abused this issue to come forward by submitting a support ticket.

"I also want to make it clear that our objective is to go after those who intentionally abused this exploit.

"You have nothing to worry about if you just happened to benefit from this exploit on accident because your account lapsed for a few days. There is a pretty clear distinction between this and a skillpoint farm that's been set up to benefit from this issue."
Players who believe an exploit isn't an exploit if CCP does not make a public statement are incorrect. In the case of ghost training, utilizing the exploit runs afoul of both the EULA and the Terms of Service. Paragraph 6A6 (Conduct) of the EULA states:
6. You may not engage in any conduct that results in an Account containing items, objects, currency, character attributes, rank, or status that are inappropriate for the level or rank of the character contained in the Account, including without limitation arranging, making or accepting transfers of items to a character without adequate consideration, thereby augmenting or aggregating items in an Account and increasing its value for an Account sale.
In addition, the Terms of Service makes the following point:
23. You may not exploit any bug in EVE Online to gain an unfair advantage over other players. You may not communicate the existence of any exploitable bug to others directly or through a public forum. Bugs should be reported through the bug reporting tool on our website.
Oh. Revealing the existence of an exploit on a public forum like Reddit is a violation of the Terms of Service. How serious does CCP regard disclosing exploits? CCP's Suspension and Ban Policy states:
Severe offences may result in an immediate ban without warning; however, warnings may be given for first time offenses, followed by account suspensions of varying degree and ultimately a permanent ban if a player:
  • c. Is aware of an exploitable bug and fails to report it to Game Masters and/or distributes the information to other players.
Those who only revealed the exploit on Reddit can expect a warning, if that, compared to the immediate ban those who utilize the exploit after CCP's exploit announcement. Still, CCP frowns on the public discussion of exploits, especially exploits that not only impact the game economy but defraud the company out of real world money.

CCP's policies spell out a practice called bug secrecy. The idea is that hackers cannot exploit a bug, otherwise known as a vulnerability, if they do not know about the bug. Of course, one can see the problem with such thinking in the case of EVE Online. If a vulnerability exists, players will find the weakness and mercilessly exploit the bug.

At the opposite end of the security spectrum is a theory called full disclosure. According to Wikipedia:
"Full disclosure is the practice of publishing analysis of software vulnerabilities as early as possible, making the data accessible to everyone without restriction. The primary purpose of widely disseminating information about vulnerabilities is so that potential victims are as knowledgeable as those who attack them."
According to security technologist Bruce Schneier, bug secrecy relies on two false assumptions. The first is hackers cannot discover vulnerabilities on their own. The second is that software companies will spend time and money fixing secret vulnerabilities. Schneier argues that full disclosure is the only reason software companies patch their software:
"To understand why the second assumption isn't true, you need to understand the underlying economics. To a software company, vulnerabilities are largely an externality. That is, they affect you -- the user -- much more than they affect it. A smart vendor treats vulnerabilities less as a software problem, and more as a PR problem. So if we, the user community, want software vendors to patch vulnerabilities, we need to make the PR problem more acute.

"Full disclosure does this. Before full disclosure was the norm, researchers would discover vulnerabilities in software and send details to the software companies -- who would ignore them, trusting in the security of secrecy. Some would go so far as to threaten the researchers with legal action if they disclosed the vulnerabilities.

"Later on, researchers announced that particular vulnerabilities existed, but did not publish details. Software companies would then call the vulnerabilities "theoretical" and deny that they actually existed. Of course, they would still ignore the problems, and occasionally threaten the researcher with legal action. Then, of course, some hacker would create an exploit using the vulnerability -- and the company would release a really quick patch, apologize profusely, and then go on to explain that the whole thing was entirely the fault of the evil, vile hackers.

"It wasn't until researchers published complete details of the vulnerabilities that the software companies started fixing them."
A third school of thought on how to deal with software vulnerabilities exists called responsible disclosure. Again, according to Wikipedia:
"Responsible disclosure is a computer security term describing a vulnerability disclosure model. It is like full disclosure, with the addition that all stakeholders agree to allow a period of time for the vulnerability to be patched before publishing the details. Developers of hardware and software often require time and resources to repair their mistakes. Hackers and computer security scientists have the opinion that it is their social responsibility to make the public aware of vulnerabilities with a high impact. Hiding these problems could cause a feeling of false security. To avoid this, the involved parties join forces and agree on a period of time for repairing the vulnerability and preventing any future damage. Depending on the potential impact of the vulnerability, the expected time needed for an emergency fix or workaround to be developed and applied and other factors, this period may vary between a few days and several months. It is easier to patch software by using the Internet as a distribution channel."
In 2011, CCP's head of information security, CCP Sreegs (aka Darius JOHNSON), published a dev blog that spelled out that responsible disclosure was the model he wanted to follow in encouraging players to report security issues. The dev blog introduced the PLEX for Snitches program in which players can contact the security team at with vulnerabilities and possibly receive a PLEX reward, depending on the severity of the exploit found.

Perhaps the most famous EVE exploit covered under the responsible disclosure policy occurred in 2012. A group of five players from Goonswarm manipulated the new faction warfare system to earn a tremendous amount of loyalty points before informing the security team about the exploit. After receiving information about the exploit, CCP made several changes to prevent anyone else from taking advantage of the vulnerability.

The group of players, although they did report the exploit to CCP, didn't quite follow the guidelines. CCP Sreegs explained the rationale behind the resolution of the situation:
"The people who sought to benefit from this exploit will receive no gain from this system. Because this was essentially a system where you could print LP, even if ISK was provided as an input, it is classified as an exploit.

"Because the players made efforts to inform us about the issue their accounts will remain in good standing. We have temporarily seized all LP points and store items from them. Once we're done determining how much each person has benefitted we will remove the LP gained value in LP and items and return the ISK invested in the purchase of items to them. This essentially will set each of them back to the original point at which they began this activity. The person who reported the issue will receive the usual PLEX for Snitches reward.

"I wrote a blog on 'Responsible Disclosures' a year or so ago. In that blog I mention that telling us about something after you've used the heck out of it isn't what we consider to be responsible. We do our best to be lenient in cases such as this but we want this to serve as a notice to the community that the proper time to alert us to the issue was before actually using the system. I can understand a desire to test the limits but we don't believe two weeks of testing a bug or exploit should net a tremendous benefit in lieu of reporting it in the first place, and that is another reason why the LP activity will be reversed back to zero."
I mention the aftermath of the factional warfare exploit for one main reason. The five individuals in question avoided bans since they reported the exploit, but CCP confiscated their profits. Following the same logic, all of the individuals involved in using the Ghost Training exploit in the operation of their skill point farms should not expect to keep their profits. For those who never reported the exploit, or reported the exploit but continued to profit from the bug, I expect harsher treatment. I believe the words in CCP Sreegs' 2011 dev blog still hold true:
"Computers aren't very good at logging intent and believe it or not there are documented cases where people who are out to do bad things have lied about their intentions. If we're witnessing an exploit being taken advantage of in our logs then, from our perspective, an exploit is being taken advantage of and the consequences for such actions are not light." 

Monday, June 26, 2017

CSM 12: The Gunpowder Plot

Just when I think things can't get more interesting in EVE Online, something new comes along. Not necessarily in a good way. I watched The CSM Podcast released on Saturday and, oh my! Aryth made some claims that might upset the view of some people on what the CSM should do. Then again, other people will probably rejoice. Or perhaps Aryth is blowing his role totally out of proportion. Personally, I go with option #3, but I'll let you decide for yourself.

I transcribed the relevant part of the podcast and embedded the podcast below. The video should open at the correct place.

Apothne: To what extent were you guys warning CCP that this was about to happen? That a lot of players were about to become very restless. To what extent the feedback you’ve been giving them  Now that this has bubbled over into what some people are calling the new Summer of Rage, kind of what have you been doing to kind of help the PR, to help assuage players and calm them down, or is it, “CCP, you’re fucking up, please deal with this shit.”? Aryth, I know you wanted to talk about this.

Aryth: So, this is going to be a long one, so give me a second. First of all, this has been kind of simmering below the surface I think, even at the CSM level, for six months or so now. There’s some particular devs, I think, that are less responsive than others. Like they have some predetermined actions that they are going to take, that they believe the game works right, and they’re going to do it that way.  So there’s been this undercurrent for awhile.

But right when this first kicked off, we kind of saw it at the CSM. Jin’taan had been providing documents for, you know, months. So this wasn’t like it came out of left field for the CSM. We saw this. We’re experiencing this. I tried to warn Andie a couple of different times, like sending her private messages which I had never done in the full year I was on the CSM, I’d never did it.

Apothne: To be clear, that’s CCP Seagull.

Aryth: Yeah, that’s Seagull. So it’s like, break glass only in case of emergency, right? And, it was just ignored, like she wasn’t there. So I basically was like, well, I told them there would be drama. And to some extent, I had the capability to make that a self-fulfilling prophecy. So I contacted the writers at INN and said, okay, let’s start running negative articles and go ahead and start doing the negative Reddit threads, right? And then, you start that off -- and then CCP follows on with 3 or 4 really dumb actions after that -- and there you go.

The whole CSM was warning them the entire time. Since it’s happened, we’ve been working with them the entire time on how to do the PR messaging, how to make this better, and I think they’ve been very responsive. I want to give CCP full credit for that.

They have been listening. I think they are taking corrective action. I don’t think this is going to be an issue as much as it was. Will they follow through with the summer break and how disruptive that can be? That remains to be seen.

Apothne: So you are saying there was a powder keg that was already built, but you, personally, through your control over the Imperium -- well not your control but your influence in the Imperium is a better way to put it -- is you’ve tried to be the spark for this powder keg to get things going, to really push the issue forward to be more in the forefront of players’ minds?

Aryth: Yeah. Like you can see when the time’s right and you just spark -- don’t get me wrong, there’s a lot of luck involved from other event’s occurring I could never have foreseen. Like, how could I know that Quant was going to make a post like that? Holy shit!  But yeah, at some point you have to light the fires and gather the pitchforks and just hand them out and sell them. Right? And go, guys, go up to the point where it hurts EVE. Don’t hurt EVE, but let’s make EVE better, and sometimes you have to kind of elicit that response from the developers. Like, “Hey, this is collaborative, remember, remember, or have you forgotten?” And to use another analogy like I was trying to explain this one time when someone asked, “Why does this keep happening when CCP appears?” And they have a new crop of devs and sometimes the kid just needs to touch the stove, I guess.

Tuesday, June 20, 2017

Unforced Error

Now I'm starting to get ... irritated. CCP Falcon published a news item yesterday that left me scratching my head. He attempted to explain the process that went into the distribution of the CONCORD ships to Fanfest attendees. Let me go through the article and discuss the items that don't really make sense.
"This is the first mass distribution of rewards of this size and value that we’ve undertaken since the introduction of Alpha accounts with EVE Online: Ascension, and in retrospect it’s now very clear to us that methods of distribution that have worked successfully for us in the past are no longer viable." 
Blaming any issue on the introduction of alpha accounts makes no sense. I received my ships with no problems. In fact, the only problem I had was receiving three sets of ships instead of one. But as CCP Falcon explained later on, that was a feature, not a bug. The only issues I heard of involved people who did not receive ships on all of their accounts due to using different emails on accounts and those, like CSM members and fansite owners, who did not receive their tickets through Eventbrite. In the first case, this year was the first in my six visits to Reykjavik in which attendees received complementary digital items on multiple accounts. That change was not due to the introduction of alphas. In the case of those who did not pay for their tickets, I watch almost every year as at least one fan site owner has difficult with tickets. Once again, a problem one cannot blame on alphas.
"The intention with this distribution of hulls was to offer a thank you to all those who made what is, for many, a long and expensive journey and a sizeable commitment to come visit Iceland for Fanfest 2017.

"Given the delay between Fanfest and the distribution of the hulls, and the fact that these hulls will soon be available more widely, these were awarded on a per account basis as a bit of an extra thank you for the wait that occurred before they were gifted."
What delay? According to the information on the Updates site in December, no delay in the handout of the CONCORD ships to Fanfest attendees occurred.

CONCORD ship information captured on 12 December 2016
On 12 December, the information on CCP's website stated that the Pacifier and Enforcer, "will be distributed after Fanfest 2017, in a summer release." Honestly, I did not expect to receive the ships until August. According to the information available when I purchased my Fanfest ticket, the earliest attendees should expect to receive the ships was June. We received the ships in June.

The second part of the promotion, that attendees receive the ships before the rest of the game, explained why the ships were given out in June.
"The Pacifier and Enforcer, in blueprint copy form, are due to become part of the tiered rewards structure for the second phase of Project Discovery, which is focused around Exoplanets and is scheduled to ship as part of the July 2017 release."
From everything I can tell from reading CCP Falcon's article, everything worked mechanically with the process of distributing the ships. CCP also met all timelines given to Fanfest attendees for when the ships would hit their redemption queues. The only issue involved the handing out of ships based on the number of accounts instead of the historical practice of handing out one set of digital gifts per ticket purchased.
"Unfortunately, entirely on our part, an oversight that did happen was a lack of clarity surrounding the extent that the current issues with Ghost Training would affect their distribution. The community was very fast to point this out and without a doubt, this has been a very direct and fast learning experience for us in this new era where open access to New Eden is now a reality."
If CCP had just distributed the promotional ships as advertised, a lot of player complaints would never have seen the light of day. Or, in other words, CCP would have happier players if they just had done what they said they would do.

Thursday, June 15, 2017

The Ghost Of Somer

"Those who cannot remember the past are condemned to repeat it.

I saw something on Twitter yesterday I couldn't believe. I went to the news channel on the EVE community and confirmed the information. CCP, to use a technical term, fucked up.

The announcement involved the handout of the Pacifier and Enforcer to attendees of Fanfest 2017. CCP Falcon confirmed that the error was intentional.
We’re happy to announce that the Pacifier and Enforcer class CONCORD hulls have now been distributed as part of the Fanfest 2017 ticket purchase rewards.
Those pilots who bought their Fanfest 2017 tickets before 2017/01/01 have been gifted:
  • 1x Enforcer class Recon Cruiser
  • 1x Pacifier class Covert Ops Frigate
Those pilots who bought their Fanfest tickets after 2016/12/31 have been gifted:
  • 1x Pacifier class Covert Ops Frigate
These ships should now be in your redeeming system, one package of ships for each account registered to your email address. [emphasis mine]
Seriously, one set for each account? In the past, CCP gave out one set of gifts to attendees of Fanfest and EVE Vegas to the account used to sign up for the event. I think I qualify as a valid source as I have attended 6 Fanfests and 2 EVE Vegas events. In the interests of full disclosure, I attended Fanfest 2017 and have 3 paid accounts that share the same email address. That's right, I received 3 Pacifiers and 3 Enforcers. Honestly, that's fucked up.

I didn't feel too guilty, because I know my three accounts were on the low end for Fanfest attendees. People who attend Fanfest are a bit passionate about EVE and have a lot of accounts. Think of all the cyno alts, scouts, market, industry, and PI alts out there along with freighter alts and I probably fell within the bottom quartile. And if a player let a number of subscriptions expire, that's okay, as those counted as alpha accounts and received ships too.

The fact I cannot understand is how CCP can have such a short institutional memory. In October 2013, a giveaway of a special ship, the Ishukone Watch Scorpion, by CCP to the EVE gambling site SOMER Blink created a controversy.
"SOMER Blink is a player-run gambling site, featuring micro lotteries where players buy tickets for a chance to win valuable ships and other in-game assets. The tickets are bought with ISK that players have deposited in the system either directly, or as a result of bonuses that SOMER Blink offers to players who purchase EVE Game Time Codes through SOMER Blink’s affiliate program. By all accounts, a massive amount of ISK has passed through the system, with the site recently celebrating 1 quadrillion in ISK prizes won by players.

"In an email exchange with TMC staff, SOMER Blink second in command Andrev Nox seems to confirm that the leaked mail is real. “CCP has been using the Ishukone Scorpions for community site rewards and ingame event giveaways for a while now, with Blink being neither the first nor the last in that program,“ he writes.

"The special edition battleships are not available to manufacture and are rarely given out by CCP. Eighty-one were given away at FanFest as part of the Charity Poker Tournament and PvP Tournament and added to the game as part of the Odyssey expansion. Another was given out as part of a role-playing event and SOMER Blink was given ten to use as rewards. To date, there have been no other public giveaways of the ship, meaning that SOMER Blink employees' private rewards may account for a quarter of the Scorpions Ishukone Watch in the game. The ships tend to sell for 10-20 billion ISK meaning that the gift was worth 300-600 billion ISK.

"The revelations come on the heels of another controversy surrounding SOMER Blink’s close relationship with CCP. In September, CCP announced and then walked back plans to reintroduce the Golden Magnate ship to the game via a giveaway on SOMER Blink’s site. Previously, only one Golden Magnate had ever been created (it was subsequently destroyed). They similarly had to cancel plans to offer new Guardian Vexors, another limited edition ship rarely seen in game."
In the above case, CCP Manifest explained the Ishukone Watch Scorpion was designed as a promotional ship, much like the pirate rookie ships that CCP occasionally gives out. Likewise, the Pacifier and Enforcer are also promotional ships that players can obtain through some means yet to be announced.

I can justify in my mind CCP giving out one set of ships to Fanfest attendees. If the other 99+% of EVE players who did not travel to Iceland have a chance to earn a ship or three, then Fanfest attendees don't really gain an advantage except for receiving the ships early. But if some people received over 150 of each ship, that's an entirely different situation. Will other players have the opportunity to earn 150 of their own? For some reason I don't think so.

Thursday, June 8, 2017

A Quick Look At Buying Legitimate Gold In Guild Wars 2

I started playing Guild Wars 2 again 6 weeks ago. The game is a nice break from EVE, which I needed. I normally need a break after the CSM season and GW2 provided the break this year. I rolled up a sylvari necromancer and hit level 74 last night. I fell into a pattern of doing the personal story when I become eligible and then grind crafting materials and level both my character's crafting skills (tailor and jeweler). Rince and repeat until complete. I think I'll have the personal story complete within the next two weeks. After that, I can return to EVE refreshed and with a different perspective on the game.

Guild Wars 2 is a free-to-play game unless you wish to play the latest content. The game then turns into buy-to-play. I purchased the Heart of Thorns sometime last year, so I don't count as a free-to-play player. Still, I found myself spending $20 because I wanted to expand my bank space. Of all the things that F2P and B2P games offer, extra bank space is what I normally pull out the credit card to purchase.

One thing I've never purchased with real world cash is in-game currency. Not even in EVE. Spending money on gold or ISK never made sense to me, and probably never will. The only reason I have over 2700 PLEX is the mystery code from the two copies of the Collector's Edition I own plus all the Aurum CCP gave out over the years that were recently converted to the new-style PLEX. I guess I should add that I won one of my Collector's Editions in a contest, so only 500 of the PLEX I own were a result of any real world purchases.

Like EVE, Guild Wars 2 allows players to convert real world money into in-game currency through the purchase of gems. But to someone who's played EVE for almost 8 years, the GW2 system is a bit bizarre.

Gem Prices In US Dollars
Unlike in EVE, players do not get cheaper prices for purchasing larger amounts of gems. One gem always converts to 1.25 cents, or $0.0125. Therefore, at the purchasing stage, the player has no incentive to purchase larger amounts of gems.

Where the system becomes strange to the EVE player is the actual exchange of gold and gems between players. In EVE, a player posts either a buy or sell order on the market, someone else comes along and fulfills the order, and a direct swap is made. ArenaNet runs their system a little differently.

Buying gold using gems

The GW2 Official Wiki describes the mechanics:

The initial interface panel displays standard exchange amounts and how many coins or gems are required for purchase. Click on Buy next to the desired transaction to complete the purchase.
  • Gold coin Gold exchanges include intervals of 1, 10, 50, 100, 250, and custom
  • Gem.png Gem exchanges include intervals of 400, 800, 1200, 2000, and custom
  • Exchange rates are determined by supply and demand from players. Since supply and demand affects the rate, the ratio can shift rapidly depending on market conditions, especially when the Gem Store adds new items.
    • The exchange has a supply of both Gems and Gold. When you trade to the exchange you influence the supply of each. The exchange rate is relative to current supply of each. The price changes geometrically as one pool empties creating a better exchange rate for the low supplied currency. The supplies are contained entirely within the exchange.[1]
    • Due to currency exchange inflation, the value of purchased gems has increased over time. Conversely, the value of in-game gold used to purchase items in the Gem Store has decreased.
  • Transaction fee is a 15% fee for trading gems for gold or vice-versa. For example, exchanging 1 Gold coin gives 85 Silver coin worth of gems while reselling those gems returns only around 72 Silver coin 25 Copper coin, resulting in a net loss of roughly 28%.

In other words, trying to make gold off of the ebbs and flows of the market using gems isn't really viable. In addition, free accounts may only perform gem to gold exchanges. Gold to gem conversions are reserved for those who either purchased the original GW2 or Heart of Thorns expansion.

The graph above, from Guild Wars 2 Spidy, shows the large discrepancy between the gold to gems vs the gems to gold exchange rate. The difference in price between buying 100 gems with gold versus selling 100 gems for gold is approximately 10 gold. Needless to say, I don't think people in GW2 engage in some of the same types of market play as happens in EVE concerning PLEX.

I plan on taking a closer look at the Guild Wars 2 cash shop in the near future. First though, I do need to finish up the personal story. I think having the additional experience in GW2 will help perform a more informed comparison between GW2 and EVE's cash shop. Besides, I enjoy playing Guild Wars 2 and I'd like to say I finished the original content for another game.

Wednesday, May 31, 2017

CCP's War On Illicit RMT: The May Ban Wave

A month ago I posted some of the tears I found posted on the illicit RMT site Player Auctions from customers banned by CCP for buying ISK, PLEX, and skill point injectors. But those were just scattered bans in the months of March and April. This month, the tears I captured are different. In May, we have a legitimate ban wave.

The wall of shame
The biggest indicator is the concentrated number of bans. Over the course of 11 days, I found 13 players banned purchasing ISK and skill injectors from 4 different sellers. The bans above are the minimum, as ISK sellers will often bribe upset customers with free ISK in order to either reverse a bad review or not post the negative review in the first place. Also, a lot of buyers don't post reviews, so some dissatisfaction never reaches the public. Finally, PA, while a large site, only makes up a fraction of the grey/black market in EVE Online virtual goods and currency. If the ban wave is truly massive, I only captured a fraction of those caught by CCP's security team.

The other indicator of a wider ban wave is the rising price of ISK and skill injectors. If an enforcement action takes place targeting both customers and the in-game infrastructure of ISK and skill point farmers, prices begin to rise about 2 weeks after the bans begin. Sellers offering the cheapest ISK began raising their prices 10%-20% starting late last week. Theoretically, the price rise possibly was the result of a lowering of the ISK price of PLEX during the same time. But over the past 2-3 days, the cheapest sellers of skill injectors began raising their prices 10%-20%.

Lots of player bans and rising prices. I don't know if the bans are over or if CCP is still rolling up the networks of the illicit ISK and SP sellers. I would like to see a security dev blog come out one of these days just to see what is really happening.

Wednesday, May 24, 2017

Business Fatigue

I have spent a lot of time over the last couple of weeks playing Guild Wars 2. As in, I reached level 36 last night on a brand new sylvari necromancer. I needed to dock up and run around a world in an avatar instead of a ship.

I think the problem is too much of the business side of EVE is reaching into the game a little faster than I like. The first thing that got to me was the PLEX vault. I know, I know, just ignore the thing. But those numbers are so annoying. The solution is simple, really. I need to extract my pilots from their current locations, fly to high sec and stash the damned things in a station. Out of sight, out of mind.

Surprisingly Irritating
The next irritant was the introduction of the small skill injectors. On the face of the feature, I should have no problems. I personally never use skill injectors. I have a quirk that just sees paying money to advance in a game as bad. I don't buy experience point potions in other games. When playing Star Wars: The Old Republic, I took my dislike of XP boosters so far that I didn't even use the ones the game gave out as mission rewards. I do eat food in Guild Wars 2, but if I want an added bonus by eating food, I'm stuck with also receiving a 10% XP buff. At least the buff is only for experience gained by killing mobs.

I even understand the reasoning for the the move. By making skill injectors that hold 100,000 skill points, new characters have an easier time of earning money to boost their skill point gains. Also, lower priced skill injectors are enticing to new players thinking of buying power in the game. A new player may not consider an extra $20 purchase to by 500 PLEX a wise investment. But throwing $5 or $10 at a new game? I know I have done so for a promising game if I need extra bank slots.

What really has me shaking my head is that CCP is expanding the skill injector feature while not fixing a major bug that is ripe for exploitation. While at Fanfest, I heard a rumor about a ghost training exploit. I didn't say anything on the blog because a section of the Terms of Service states:
23. You may not exploit any bug in EVE Online to gain an unfair advantage over other players. You may not communicate the existence of any exploitable bug to others directly or through a public forum. Bugs should be reported through the bug reporting tool on our website.
I won't go into any more details because while the users on Reddit can go wild breaking the EULA and ToS, CCP knows my accounts and I still want to play EVE. I'll just say I don't think CCP should have introduced the small skill injectors until the exploit was closed.

Once I get the disbelief out of my system I'll log in for a nice long mining session. But CCP ... FIX. YOUR. GAME.

Tuesday, May 16, 2017

The Price Of PLEX - An Unexpected Development

The past week was another reminder for why I don't play the markets in EVE Online. Instead, I sat on my hands and made 440 million ISK.

I thought when the conversion from aurum to the new PLEX occurred, the ISK price would go down. Why? Because I thought everyone would race out to cash in their new found wealth. The increased supply would drive down the price. If I sold immediately, I could watch the price drop and then pick the PLEX up at a lower price while making a small profit. Between the 2 PLEX I already owned plus the free aurum sitting on my accounts, I have over 2700 PLEX.

Instead, I did nothing. And the price rose from 1,247 million ISK per one month of game time on 8 May to 1,347 million yesterday.

I'll conclude with the possible effect on the price of illicit RMT. Despite the price increase for two month's game time from $17.495 per month to $18.177 per month that occurred on 9 May, the price of game time still fell 4.2% (60 cents) over the course of the first half of the month. Market forces may eventually relent, but at $13.70/billion ISK in The Forge, some ISK sellers will soon see sales fall unless they lower prices.

Tuesday, May 9, 2017

EVE's Opening Cinematic Videos

With the launch of the 119.5 today, EVE Online receives the fourth opening cinematic video in the games 14 year history. Given that I had a little bit of trouble finding all of them, I thought I'd make a post including all four, just so I can find them again.

Original Cinematic: 6 May 2003

Apocrypha Expansion: 10 March 2009

Odyssey Expansion: 4 June 2013

Release 119.5: 9 May 2017

Just a couple of notes. First, CCP seems to flip between wanting to feature the background story and focusing on the new player. The first and third cinematics introduce players to the lore while the second and fourth focus on the potential of the player. Next, CCP did need to make a new opening since the old one included references to DUST 514. Finally, despite the technical excellence, the new opening video is my least favorite of the four. Really, how can any video compete with Angry CONCORD Guy in the cinematic that CCP just replaced?

Tuesday, May 2, 2017

Illicit Real Money Trading In EVE Online's Alpha State

One of the truisms of MMORPGs is if a game introduces a free-to-play element, gold sellers will come to try to make a profit. EVE Online is no exception. The illicit RMT markets exploded as ISK sellers tried to keep up with the increased demand that began with the launch of the Ascension expansion on 15 November 2016.

Once again I will use information collected from Player Auctions, a site that hosts virtual currency sellers for many games. I record the transactions on the site as best as I can and even post tears when CCP catches the buyers. While not making up the majority of sales on the secondary RMT market, the site is still substantial enough to give some idea of the trends among the ISK sellers.

In the first three months of 2017, sales boomed on the illicit markets for ISK and skill injectors. The U.S. dollar value of sales increased almost 83% from Q1 2016 to Q1 2017. The below graph breaks down the sales by month instead of by quarter.

Notice the contribution of skill injectors to the gross sales numbers on the secondary market? I don't believe the love of skill injectors is just confined to the buyers on PA. Players who roam from one F2P experience to the next are noted for wanting to level up quickly, which is why most cash shops offer experience point boosts. In EVE, the only experience boost available is the skill injector.

The above chart shows the steady growth of skill injector sales while the sale of ISK is relatively seasonal. Even with the introduction of the alpha clone F2P system, ISK sales on PA rose less than 10% in Q1 2017 compared to Q1 2016. The big difference was skill injector sales. In the first three months of 2017, the number of skill injectors sold exceeded the number of billions of ISK sold. While ISK still brings in more money, I think skill injectors have supplanted PLEX as the second biggest thing sold.

One of the reasons for making the post now instead of earlier is that everything in this post may become outdated. One week from today the changes to PLEX and the cash shop go live. I am eager to see the effect of the new PLEX on the market. I also want to see if the change will also bring about more people getting caught buying the item on the black market. People tend to want to purchase the new shiny and I suspect PLEX are a little easier to track than other virtual objects and currency.