Tranquility is back online. The Internet gank perpetrated by LulzSec (EDIT: or whoever, I used LulzSec because they’ve done it before though they are currently status unknown – however a whole book could be written on that assumption) has been stopped. Entertainment at our expense is over. But was it ever about just entertainment?
I’ve been an IT professional for two decades, since my first career crashed and exploded. Over time I have earned many security credentials. As all good white-hats do, I’ve delved into the dark side of my profession. As Sun Tzu admonishes,
“If you know the enemy and know yourself you need not fear the results of a hundred battles.”
What I have learned is that such attacks are never done simply for lulz. Lulz are not enough. To make such an effort requires a real payoff. But it does not surprise me that (EDIT: groups like) LulzSec (EDIT: that last for those who can’t read between the lines) would want us to believe otherwise. Sun Tzu also states,
“All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.”
These folks are smart; in some ways probably smarter than I am – or at least more devious. I am sure they too understand the Art of War. So it was also no surprise to me to find this paragraph in CCP’s official statement on the DDoS attack.
“What we can now confirm is that a person was able to utilize a vulnerability in one of the back-end services that support the operation of the Tranquility server.”
So the point of the DDoS was to cover the attempted hack of a zero-day vulnerability in the CCP back-end. That’s confirmation in this business that it never was about just lulz, though I’m certain a few were had by someone. But I have a more important question burning in the back of my brain. Why the attempted hack in the first place? That’s a helluva escalation. Escalation of what, you ask? The war on bots is what.
My experience with black-hats tells me it always boils down to money. When it comes to online gaming, the illicit money is in RMT. The people who write the bots that gather the ISK know enough to wear black hats if they so wished. Did they wish to at this time? I can’t help but think this might be an indication of some desperation in that camp. If true, it’s a brazen escalation of the current war on bots. Still, it was inevitable, I believe.
The new login system can only have one purpose to my professional eye. It’s yet another weapon in the anti-bot arsenal. If it’s now more difficult to log in as a thinking human, you better believe it’s even more difficult to automate. I see the new launcher as a successful means to that end. By separating the login from the client, it requires two dissimilar sets of code to manipulate. It is, in effect, two-step authentication. You must log in and you must have a valid client. Client checking is now done at stage one, the login. We already know CCP has ways of detecting an altered client. Before the client even starts, it must be valid. There is no hacking the client to intercept the result and alter it. Open DNS error returns on launcher failures lead me to believe (it’s a job thing) that any attempted manipulation of the new launcher would be far more detectable than with the older client. It’s double jeopardy. Touché, CCP.
I can easily believe the bot masters would do just about anything to access the code for this system. If I were them, I’d want to know exactly how it worked – or have a way around it. Is that what happened here, an attempted end run? I’m sure there are those who really know, but I am only making conjecture. Still, it’s what I would do if I wore a different color hat. I think skirmish one goes to CCP. But make no mistake, this was only one battle. The war is far from over.