Jump to content
Eternal Lands Official Forums
themuntdregger

Enhancing char security through registered ip addresses

Recommended Posts

ppl have a right to exchange their time and effort for money. Hence, even though a char is not player property, a player ought reasonably to be able to sell the irl input that went into its creation

 

On the other hand, the only thing giving any value whatsoever to that input is the time and effort (at not least skill) of the guy that did the game coding, those that pay for the game server on which it runs, as well as the individuals that manage gameplay. Surely their contribution deserves equaly recognition at that point ?

 

And what of the rest of the community of players within the game? If the selling of chars impacts on their enjoyment of the game, then shouldn't their position also be reflected ? In this respect, it needs to be recognised that the effect of 'not inconsiderable' amounts on irl money changing hands in char sales is that it creates a significant potential for criminal fraud.

 

The effect of the latter extend, not just to those involved in char selling, but creates an active incentive for fraudsters to operate in-game. Moreover, in a game where char names act as a proxy for a players irl identity, anything affecting the reliability of the latter has the capacity to seriously undermine social structures and cohesion in-game. In this respect, whether others are misled inadvertently or intentionally as a result if a transfer of char between two players, the impact on the wider community would seem much the same.

 

There's no quick and easy solution to these competing interests. However, something that might help to achieve a fairer distribution might be to use the char ip address as a mechanism to control access to chars. How might this work ? Well, at the time a char is created, players might be given the option to assign a specfic ip address to that char and to restrict certain in-game commands to that address, ie those commands relating to changing the chars password/name. Necessarily further protection could be implemented by extending the options available to players to include restricting play of a char to a single specified address.

 

Ofc not everyone has the benefit of playing from a static ip, hence why an assigned ip address would need to be optional. However, on the basis that a significant number do, the immediate benefit would be to significantly restrict the ability of scammers to take advantage of 'player naivety'.

 

The secondary advantage is to introduce a mechanism that would at least allow for partial control over transfers of chars between players. Necessarily, once a char has its ip assigned, the game's operator is then in a position to exercise control over how it is then passed on, and therefore in a position to impose charges for doing so. On the basis that the main reason for such transfers is irl financial gain, so there would seem a justification for the game's operator to charge accordingly, with the scale being made commensurate with the potential irl value being realised by the seller.

 

However, the overall benefit of such mechanism would not just be a more equitable distribution of benefits between all stakeholders, or indeed preventing abuse of the game and players by criminals, but the ability to impose measures that would reasonably seem to protect and enhance all aspects of gameplay in a cost effective and efficient manner.

 

 

This post brought to you by the Tirun School of PostingTM

Share this post


Link to post
Share on other sites

Erm - is the above for real?

 

I doubt very many players at all have static IP - probably no more than a handful. Would cause much more hassle for devs to implement and mods to change the 'home IP address' for chars.

Share this post


Link to post
Share on other sites

Erm - is the above for real?

 

I doubt very many players at all have static IP - probably no more than a handful. Would cause much more hassle for devs to implement and mods to change the 'home IP address' for chars.

I've seen games that allow you to specify multiple IP ranges in order limit access. That can help reduce the problems for non-static IP addresses. But, five or more ranges may needed by some players in order to cover them, and even then, there is still lots of opertunity for trouble makers to get in. Some places like Poland and Turkey use multiple small ranges of IP addresses, even for one location.

Share this post


Link to post
Share on other sites

I disagree with your post title.

We have character security. It's called a password.

 

 

I disagree with your first statement.

This is a game. A free game. Being paid for your time applies to a job, not your recreational choices unless you are providing a service such as radu does. Do you get paid to ride your bike or read a book? He provides you with a free game. It is not his fault there are lazy greedy people who don't want to level their own characters or feel they should still be able to be #1 even if they don't have/aren't willing to put the time in.

 

My reasoning:

Buying and selling characters skews the game design. It skews what players get out of the game. It skews the respect for other players who actually did the work on their own characters. It skews game design based on who's at what levels. It skews natural progression. (Nothing more irritating than some bought character saying "I'm bored!!11111). It skews the fairness of the game. It skews the fair competition factor between players. As I love to say, you can't buy a chess move.

 

 

As to the scam factor, well...yeah it's a problem but I don't think you can fix greed and stupid, either, no matter what measures you put in place.

Share this post


Link to post
Share on other sites

Also bear in mind that these lists of IP addresses would need to be maintained on an ongoing basis. There is already a need for the moderators to occasionally whitelist characters when they fall into a blacklisted range. What you are suggesting would create more work, even though i note that you are proposing this as an opt-in system. There also is the question of how many people would choose to use this feature.

Share this post


Link to post
Share on other sites

@tork - I had in mind that such a facility could be entirely code driven on the server. Necessarily, maintenance of ip address record would primarily the responsibility of the user, and not something that would seem to require any moderator intervention. Indeed, the only time when moderation effort would seem to arise would be when users pay to change the ip registered against a char. Even so, beyond checking that payment had been received, i'm guessing the amount of work involved ought reasonably to be minimal.

 

However, I agree with your point of there being a question over how many ppl might use the feature. Necessarily it would have no relevance to those players with dynamic ip's. I can't speak for the situation in the US or elsewhere, but certainly here in the UK and Europe, static ip's are fairly commonplace. Nevertheless, if the majority of the player base is on dynamic ip, I fully accept there's little point in expending effort on a feature that most can't use.

 

@Raz - Hope the above clarifies the position re moderator effort. On the matter of 'developer hassle', I guess all development could be considered to present either an incovenient hassle or interesting challenge depending on the nature of whats involved. However, regardless of which, clearly the key issue is whether the potential benefits of a task outweigh the work involved. I'm not sure that extending the server database to record an ip, making the check, or providing the necessary client functionality would create require the kind of effort you seem to think, but i'll gladly bow to anyones greater knowledge on such matters.

 

@Aislinn - Re your disagreement with the post title, yes passwords are an important aspect of security per-se. However, the post (and indeed its title) is intended to allude to issues well beyond the immediate consequences and victims of char loss/theft. In this respect, the argument for enhanced security arises specifically because these aspects are not covered by passwords alone.

 

Re your disagreement with the first statement, I think you misunderstand the point I was making. I strongly disagree with char sales for precisely for same reasons as you. However, whether you and I like it or not, the practical position is that there are currently no structures that allow for this to be effectively controlled. In this respect, the argument for enhanced security arises specifically because it provides basis for you to establish greater control over such activities than you currently enjoy.

 

Re EL being a "free" game, if you accept that the value of a commodity is related to the value of the labour needed to produce it, then the fact that EL chars sell for fairly significant sums would clearly indicate labour by someone. Whether the labour arises for commercial or leisure reasons has little bearing on how others value the commodity, ie if i buy and sell antiques as a hobby, the fact I derive enjoyment from the activity, and engage in it primarily as a leisure pursuit, doesn't lessen the value of my skill or its value to others. The relevance of this to the general issue is that I respect that ppl ought to have the 'right' to sell the product of their labour (be it virtual or real). However, I object to them doing it in a way that doesn't fairly respect the interests of others, ie those who create the game, run the game and, last but by no means least, those who play the game.

 

Regarding the scam factor, yup I sympathise with and understand your position entirely. I hadn't intended the post to relate specifically to immediate victims of scamming, more to highlight it as one of a series of inequities that arise out of unregulated char transfers. In this respect, whilst we might get there by different routes, I suspect there's very little difference between our viewpoints.

 

Edit: typo's (damn swarms of them)

Edited by themuntdregger

Share this post


Link to post
Share on other sites

You give your password you lose your char, as it SHOULD be. This is the very concept of a password.

Of course, if EL were a bank or something, additional security would make sense, but it isn't. And I don't know of any case where an EL password was HACKED.

Share this post


Link to post
Share on other sites

Let me rephrase:

I am not interested in protecting character buyers and sellers, or safely controlling the situation. They are doing something we don't want them to do. The practical position is to STOP DOING THIS.

 

As radu said, the only victims are those who were looking for the shortcut, "too good to be true" bargain, or shared their password to get away with something, or because they are lazy (multi? somebody else leveling them for them? etc). The ONE AND ONLY time I saw a real victim was years ago when somebody stuck a keylogger on his "friend's" computer. That guy is permabanned as well as all his "friends" who tried to sneak him back in.

 

Don't share your password for ANY reason with ANYBODY. Don't buy, don't sell, don't let other people log on your account for ANY reason and there is no problem.

 

It's effort and time to do a lot of activities we don't get paid for. Again, I disagree with the premise you started with.

Share this post


Link to post
Share on other sites

Let me rephrase:

I am not interested in protecting character buyers and sellers, or safely controlling the situation. They are doing something we don't want them to do. The practical position is to STOP DOING THIS.

 

As radu said, the only victims are those who were looking for the shortcut, "too good to be true" bargain, or shared their password to get away with something, or because they are lazy (multi? somebody else leveling them for them? etc). The ONE AND ONLY time I saw a real victim was years ago when somebody stuck a keylogger on his "friend's" computer. That guy is permabanned as well as all his "friends" who tried to sneak him back in.

 

Don't share your password for ANY reason with ANYBODY. Don't buy, don't sell, don't let other people log on your account for ANY reason and there is no problem.

 

It's effort and time to do a lot of activities we don't get paid for. Again, I disagree with the premise you started with.

 

Aislinn - I've posted nothing about supporting char-buyers. I don't like it, support it any way, and I certainly don't engage in it. As far as the effectiveness of passwords are concerned, i'm not questioning the responsibility of players, or criticising the current arrangements. The premise I started with was that char transfers cause issues that skew the game, and that linking chars to ip's might give the game's operator some control.

 

If thats not the case then fine. It was only an idea, and you guys are the experts. The only reason for suggesting it was in the hope that it might be interesting and the slight chance it might be helpful. Sorry if you thought otherwise.

 

PS:Do you think we can now remove the stupid comments that 'someone' in your team has thoughtfully added to my original post. If we're going to have rules here, lets all respect them.

Share this post


Link to post
Share on other sites

The premise I started with was that char transfers cause issues that skew the game, and that linking chars to ip's might give the game's operator some control.

Hmm why do you think the seller would not assign a different (buyers) IP address(es) before selling it ?

That would completely render your solution useless.

Share this post


Link to post
Share on other sites

The premise I started with was that char transfers cause issues that skew the game, and that linking chars to ip's might give the game's operator some control.

Hmm why do you think the seller would not assign a different (buyers) IP address(es) before selling it ?

That would completely render your solution useless.

 

That's a reasonable point. First thing to say is that the feature relies on a static ip. If the ip is dynamic, then there's little point in registering it against a char. Hence, its never going to be a cover-all solution. Whether that renders it useless I can't say. Anyhow, assuming we have a situation in which one player wants to a transfer a char to another, two scenarios might apply:

 

a ) If the transferer has not registered the char then there's nothing to force the transferee to do so and, assuming that he/she doesn't intend to do so in the future, yup I agree the feature is irrelevant.

 

 

b ) If the transferer has registered the char then the password/char name is tied to his ip address. Assuming he's not also elected to restrict the char to being playable from that address, the char can be played from elsewhere, but the name/password can't be changed unless the registered ip is reassigned.

 

If EL was to levy a charge for that reassignment, I guess it rather begs the question as to why anyone would ever want to register an ip in the first place. Well, assuming we accept that there is an advantage to EL of controlling char transfers, that might then justify providing in-game advantages to registered chars. Yup it would distort the game in a way that favoured registered chars, but it would at least progressively knock the bottom out out of unregistered char sales, and might then gradually remove the greater distortion of char buying from EL.

 

However, still not sure how you might deal with ppl on dynamic ip's who would be consigned to a disadvantaged char through no fault of their own. Maybe the latter renders the whole idea junk, but i still think its worth exploring

Edited by themuntdregger

Share this post


Link to post
Share on other sites

If EL was to levy a charge for that reassignment, I guess it rather begs the question as to why anyone would ever want to register an ip in the first place.

Yeah, but how would you "control" this ?

That fee, would just be added to the char price, no big deal for the buyers/sellers. If i was about to sell a char, i'd pay the IP re-assignment fee and just continue like it's done now.

It's not possible to check the reasoning why i want to change my assigned IP address(es). I can imagine zillion valid situations...

Also, a static IP address is really not that common as you would think.

Share this post


Link to post
Share on other sites

If EL was to levy a charge for that reassignment, I guess it rather begs the question as to why anyone would ever want to register an ip in the first place.

Yeah, but how would you "control" this ?

That fee, would just be added to the char price, no big deal for the buyers/sellers. If i was about to sell a char, i'd pay the IP re-assignment fee and just continue like it's done now.

 

It's not possible to check the reasoning why i want to change my assigned IP address(es). I can imagine zillion valid situations...

Also, a static IP address is really not that common as you would think.

 

Nice questions groomsh, thx :)

 

Re "control", yes its inevitable that the market would compensate for a re-assignment fee. However, the effect of increasing costs is usually to reduce the demand. Hence, char sales ought to reduce. Yes some sales would continue, but the skew to the game is significantly reduced, and there's a partial compensation to EL through the income stream.

 

Re "reasoning", yes there's an issue of balance, nope I don't have it all worked out lol. However, on the basis that all char transfers (paid or unpaid) are essentially bad for the game, there's a case for disincentivising all char transfers. However, that leaves us with circumstances where the ip changes but the player remains the same. Clearly there's no detrimental effect to the game from the latter, so no justification to disincentivise. Indeed, it seems distinctly unfair to penalise players in such a situation. However, there's obviously some issues on how we determine a legitimate ip change from a false one thats being used as a front for a char transfer. Here's my thoughts so far :

 

a ) If you make a free ip reassignment contingent on it applying to all a players chars, plus any future ones he creates, its going to be less attractive to a char seller who' intending , to remain in-game simply because he's going to lose all his chars and the ability to make new ones

 

b ) Having obtained the ip address that the player wishes to transfer to, if its already shown on the EL records as being used, it would seem likely that its being used by another player and that a char transfer is intended. At that point, you can then make the transfer chargeable.

 

The above would seem to get round some of the issues and, I assume, would lend itself to being coded rather than a manual system. Alas, it still doesn't get around the issue of dynamic ip's. I'll take your word that statics are not that common, but obviously that puts a serious hole in things lol.

 

Still, thanks for at least being prepared to give the idea serious and polite consideration.

Edited by themuntdregger

Share this post


Link to post
Share on other sites

1. If this isn't going to help character buyers and sellers, then who is it going to help?

 

2. Most IPs are dynamic, which makes the whole thing moot anyway. As does any "opt in" designation.

Share this post


Link to post
Share on other sites

1. If this isn't going to help character buyers and sellers, then who is it going to help?

 

2. Most IPs are dynamic, which makes the whole thing moot anyway. As does any "opt in" designation.

 

1 ) Can you tell me any way in which it could ever possibly help char buyers ?

 

2 ) Yes dynamic ip's are an issue, but whether the whole idea is "moot" would depend on whether there's an alternative way to identify players separately from the chars they control ? However, if there's any point to that discussion, I guess its desirable that ppl understand the purpose of doing that and agree that the benefit is worthwhile ?

 

PS: Politely, and for the second time of asking, can i ask you to remove the remarks added to my first post. Its neither fair or helpful to anyone.

Edited by themuntdregger

Share this post


Link to post
Share on other sites

There's no one else who would "need" protection or whatever you think you're suggesting.

 

Regardless, nobody who would do the work is interested.

 

Edit: The appropriate people will understand this and probably will even get a chuckle as I did. Your accusation is incorrect in every possible way, from method to untrustworthy criminal (it was me! :devlish: Accused of no sense of humor yet show some and look what happens :rolleyes: ) and every bit inbetween. Nobody compromised your account or your password, nobody even knows it. Not even me. Pretty sure your edit button should fix it. Also keep in mind there are size limits to siggies (see the forum rules) and please stop the overdramatized theatrics. Anyone who needed to know knew I did it and really, after all the trolling and spam I've had to clean up from you in these forums, I'm entitled to my bit of fun. Take it or leave.

 

@Zaer: Heh take a chill pill, I didn't delete diddly squat anywhere and certainly you know me well enough by now to know I'll state my actions, discuss them, and stand by them. Although your comeback wasn't any funnier than you accused mine of not being either :P

Share this post


Link to post
Share on other sites

ppl have a right to exchange their time and effort for money. Hence, even though a char is not player property, a player ought reasonably to be able to sell the irl input that went into its creation.

 

This post brought to you by the DoucheTM

 

Are you for real? It's pixels.

Share this post


Link to post
Share on other sites

Does EL track MAC addresses when it tracks IP addresses? I realize that they can be faked as an IP address can be. This would be another bit of record for if a mod chooses to use it. MAC addresses would be a more creditable record than an IP address when it comes to connecting a character to an actual player.

Share this post


Link to post
Share on other sites

Does EL track MAC addresses when it tracks IP addresses? I realize that they can be faked as an IP address can be. This would be another bit of record for if a mod chooses to use it. MAC addresses would be a more creditable record than an IP address when it comes to connecting a character to an actual player.

It's absolutely trivial to spoof a MAC address. Also this would not take into account the situation where one player uses two or more PC's (and therefore multiple MAC addresses.)

 

The following link is worthy of some pondering.

 

http://en.wikipedia.org/wiki/Security_theater

Edited by tork_unib

Share this post


Link to post
Share on other sites

Tork, the question is "who is it trivial for?". Some people are so un-skilled with a computer that they couldn't defrag their hard drive under Windows.

 

While for some people, it may actually be trivial to spoof an MAC address, they would have to know what MAC address to spoof.

 

If a person only uses 2 PC's and a laptop for X months/years and then a 4th MAC address shows up, that could be considered suspicious. Mods might not want to have alerts go off whenever they see a new MAC address show up (because someone used their mom's PC) but it could be valuable evidence if something happens that brings that person under a spot light in the first place.

 

Multiple usernames using the same MAC address to play could be read as a significantly high likelyhood that the two usernames are related somehow....that they may have been accessed from the same machine or router, perhaps.

 

Let's compare a MAC address to a license plate on a car. A person could steal your car and drive it through a red light and get caught on camera. It might not be you behind the wheel, but if the plate looks like it is yours, the cops will come asking you about it.

 

If you can get more data to use in a case, you might as well capture it. A MAC and an IP address (or perhaps IP trace route) are both useful bits of information.

 

While I doubt people would want to constantly monitor or register MAC addresses or IP addresses (or ranges), I see no problem with recording them for later reference.

Share this post


Link to post
Share on other sites

Tork, the question is "who is it trivial for?". Some people are so un-skilled with a computer that they couldn't defrag their hard drive under Windows.

 

While for some people, it may actually be trivial to spoof an MAC address, they would have to know what MAC address to spoof.

 

If a person only uses 2 PC's and a laptop for X months/years and then a 4th MAC address shows up, that could be considered suspicious. Mods might not want to have alerts go off whenever they see a new MAC address show up (because someone used their mom's PC) but it could be valuable evidence if something happens that brings that person under a spot light in the first place.

 

Multiple usernames using the same MAC address to play could be read as a significantly high likelyhood that the two usernames are related somehow....that they may have been accessed from the same machine or router, perhaps.

 

Let's compare a MAC address to a license plate on a car. A person could steal your car and drive it through a red light and get caught on camera. It might not be you behind the wheel, but if the plate looks like it is yours, the cops will come asking you about it.

 

If you can get more data to use in a case, you might as well capture it. A MAC and an IP address (or perhaps IP trace route) are both useful bits of information.

 

While I doubt people would want to constantly monitor or register MAC addresses or IP addresses (or ranges), I see no problem with recording them for later reference.

 

Responding generally to your post, for the most part i agree with the points you present.

 

The main issue in discussion for me, is whether having this information enhances security. I don't believe that it does. However when the time comes, it may well yield a bigger mop with which to clean up, it may better help to establish the sequence of events etc., so the points have validity.

 

My major concern is the same person you reference at the start of the post - the everyday user who has little or no interest in what a defrag is, or why you might want to do it. This person is exactly the type of person that I support in my day-to-day worklife, and in my experience that type of person could care less about security. When you tell them that using 'password' as their password is no longer acceptable, and they must use a mix of upper/lowercase letters and numbers, they will generally swich to 'Password00' and think of themselves as being secure.

 

In a similar vein, I would forsee people opting in to themunt's envisioned 'trusted ip' scheme, and thinking that this now secures them sufficiently that they can tell everyone their password.

Share this post


Link to post
Share on other sites

Well, tork_unib, lets hope that nobody starts doing such silly things as sharing their passwords and that the MAC addresses start getting tracked without much notice by anyone so that things are still as secure as usual, but there is more info for the mods.

Share this post


Link to post
Share on other sites

I am following this thread for a while and I remain with an unanswered question... What for?

themuntdregger made the post with an idea to help prevent character theft and password cracking and give Radu a little bit of ability to control character sales. I mentioned tracking MAC addresses mainly for the purpose of giving mods more info to work with, but doing that would also give Radu some ability to control character sales and further prevent character theft.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

×