Info on Security from an IS Security professional (re: Bots)


The only variable a script developer can program is a timer (pause) between actions, but they cannot actually randomize the actions, because Lost Ark makes you go from Quest NPC 1, to objective, to Quest NPC 2, etc. Real players won’t do those things exactly the same way a bot does them (time is not considered). The overall actions of the real player will deviate, the script, running on multiple machines, will be the same series of actions. It’s pretty simple, the Lost Ark developers just have to choose what series of actions they want to analyze. The bot script programmers will never know what actions are the suspect ones, because of the delay I baked into the idea in the OP.

i got the feeling that you dont actually have any idea on how programming works. i can randomize the actions easily. i could add RNG dependent playing emotes between quest points for fun, let them dance a few times out of a hundred, can let them collect mokokos around on a few, but only some and not all, i can let them wait and do those temporary quests on some but not on all.
all this takes literally no work at all. i can make a whole catalogue of actions and let them pick some randomly or not. im quite convinced that you dont actually have any idea what you are talking about.

and just to make this clear, i do program AI for videogames, so its not like i dont know what AIs (bots) can or cant do and what is easy to implement and what not.

Cool story bro. And the SECOND any two of those virtual machines roll the same RNG as each other, they get banned. Also, good luck farming enough gold to RMT when your bots are /dancing and doing side quests for 10 Providence Stones. ROFLMAO.

thats the answer i expected from an imposter :slight_smile:

thanks for showing everyone that i was right and you clearly dont know what you are talking about, neither about IT security, nor programming / botting or the game as a whole.

1 Like

HAHAHA… okay :smiley:

its not like you have been wrong every single time on everything you said cos you dont know programming.
“And the SECOND any two of those virtual machines roll the same RNG as each other, they get banned.”
OP doesnt know statistics, nor that the chance of them hitting the same “RNG” as a normal player is there as well, which in OPs case would get the normal player banned. but yeah, no problem, right?
“Also, good luck farming enough gold to RMT when your bots are /dancing and doing side quests for 10 Providence Stones.”
clearly OP doesnt know the game, or botting in general. an undetected bot that needs twice as long to level but is undetected for months instead clearly is worse than a bot that gets detected after a week. OP has it all figured out :smiley:

im done with this pathetic imposter lol

maybe you should educate yourself on the matter before talking, or at least turn on your brain for once. but good that you said im right. thats at least something. i bet you didnt even notice it.

2 Likes

or you just add 2fa and add a captcha. if the server isnt given the code and captcha, it blocks login and flags the account and ip.

Also if you really wanna get nuts, add captcha puzzles to the quests along the way to filter out/confuse bots

^I wanted to write a serious comment why this is so off it’s beyond my comprehension how someone can even think this is a good idea.

But then again it’s probably not worth the argument xD

It’s ok dude. Not everyone is a software developer and can understand the idea in the OP. Don’t feel bad, I’m sure your job is cool and all, but it doesn’t qualify you to even talk on this subject (as is obvious from your lack of understanding.)

You clearly don’t understand how RMT companies work. They aren’t going to be able to bypass the system I designed, because they have no ability to figure out what it is. Just because I posted it in this forum thread, doesn’t mean that in the game you can find out how it is actually working. That’s the entire point of the delay. It makes the system impossible to figure out for the script developer. You can’t circumvent it because you have no idea what it is doing. You only know about it because I posted it here in this thread. There would be no such detail given by SG when they decide what to actually implement.

1 Like

Dude, assuming it is not a copy pasta, you made a gigantic op trying to explain simple pattern recognition and asynchronous tasks to a publisher/ game developer… Not sure if you are trolling or actually sitting on that high horse of yours.

1 Like

just give everyone unlimited gold and remove endless chaos dungeons
all bots will disappear

problem solved.

genius idea from an internet professional :slight_smile:

he is clearly a troll that has never written a line of code in his life. dont pay any attention to him lol

OP You sound like a student/entry-level code developer. You could have applied to work for AGS if u had the required skill… if u want to bring ur “qualifications” to the table then you should post a portfolio, but kinda pointless to do d size measuring on the forums.

Now let me explain why u sound like u have close to 0 experience, beside the fact that ur explanations sound like they are copy-pasted from a course.

Let’s start with the obvious.
Client-side security is used to deter the “amateur” level “hackers”, if they can even be called that. A quick 10 minute google search will provide you with the knowledge and tools to bypass any/most client-side security, however its enough of a deterrent for over 90% of the population, hence why its used and constantly updated.
Server-side security, it’s not that hard to have the server run all the values, however this needs to be done in the development stages and MORE importantly most of the population playing games do not have the connection required for a smooth gameplay experience for the amount of information that needs to be transferred in this case, and when it comes to that is arguably better to have worse security and better and smoother gameplay experience. The technology will catch up and we will eventually have everything server-side, but it will take a few more years.

Now ur solutions are amateur level at best, and from my point of view seems like u are someone that doesnt understand game development.
The 2 most reliable ways to deal with this is:

  1. Having GMs that actively track and ban bots, which i believe its the best way to go about it at this time.
  2. Having analog AI learn and apply the appropriate measure, but they start with 80-90% accuracy rate and it takes them quite a bit of time to learn and even then they only near 98-99% accuracy rate which will result in tens of thousands of false positives, which might work for a small business but does not work YET in the gaming industry. And i shouldnt even mention the extremely high cost of setting up analog ai’s.

All other solutions are just bandaids that will most likely waste more resources than they actually save. OFC excluding easy solutions that dont take many resources to implement and work as a deterrent for most of them, like easy-anticheat or spam blocking and stuff like that.

Now even with the best security in the world as long as there is a connection, there will be someone with the skill to bypass that and gain access to the server, the only problem is that most people with such a skillset will not do it. It’s not worth the hassle especially for setting up bots that make less money even when set up than they usually do by having a job in this field, and thats what it boils down to money, why would u make money illegally when with less work u can make more money in a legal manner.

The issue is that they dont seem to care …

1 Like

As I said earlier (might be a different thread, I think), I could not afford the cut in pay to work for a game company, and they couldn’t afford to hire me.

I think most of you white knight types defending Lost Ark (or really, any online game with a bot problem, since this thread isn’t really all that specific to Lost Ark, generally speaking), are so utterly unqualified to even talk on the subject. You can’t, for one minute, believe that a Script which is optimized to play Lost Ark characters through key quests (to ultimately obtain gold for RMT) or to farm valuables to sell on the AH (also to obtain gold for RMT) are going to be able to outsmart the game developer who knows how their game works at the code level.

You folks also seem to be oblivious how an online game works. TL;DR here, but the client on your PC communicates constantly with the server, and the server is already performing validation on everything the client sends it. If pattern recognition was easy to implement, then SG would have done it. As someone early on in the thread said, LA is built on Unreal Engine 3, which is fairly old, and it is likely SG did as little custom work as humanly possible to create Lost Ark, which is clearly obvious in their choice to toss Easy Anti-Cheat on the game and call it “done” for cheat protection.

Can SG even implement a better anti-bot solution given UE3? No idea, admittedly. Maybe they can’t. Maybe they tried earlier in development, failed to get something working, and “resorted” to EAC due to time constraints. I have no way to know what SG did or did not do or try to do. I also have no idea how experienced the studio’s dev staff is. Creating games in something like UE3 is a particular skillset, and those developers might not even have the experience of native client/server development, for all I know.

All I can do, as a player of the game, is suggest a better way to stop the bot problem. SG/AGS might never even read this thread. They might, and ignore it (per other posters comments.) They might read it, but they (as I said) already tried to do this but couldn’t get it working. Or they might not be able to do anything due to UE3 limitations on their ability to customize the application. Doesn’t mean I shouldn’t post better ideas on how to stop bots than “use a government ID”, “use captcha”, or “use 2FA”. Those have been posted many times. I am sure they read about those ideas. I have no idea if they considered this one. You might be the type of people who say “Bah, why bother” or “I bet they already know, so I won’t say anything.” Cool, you do you.

But don’t pretend you know anything about client/server development when you clearly don’t. Don’t say “this idea won’t work” without posting a specific issue I might have not actually considered (wow, imagine that, I might have missed something you thought of! OMFG is this an internet forum for discussions? GTFO!) But if you wanna be negative, you get what you give, so what do you expect?

1 Like

IS/IT guys are the mall cops of tech, by the way.

1 Like

This is what I meant when I said “Don’t post if you know nothing about the subject.”

(from the article)
"Information Security Manager Salary, Cyber Security

Information Security Managers top the list of highest-paid cybersecurity jobs with an average salary range of $150,000 to $225,000."

or you know, remove gold from the game, as it serves literally no purpose other than to fuel rmt. Pick 1 fucking currency and stick with it, like every mmo since existence. Silver is easily obtainable for players. It should be the only currency

how to tell me that you have no idea how game dev works without telling me you have no idea how gamedev works :smiley:
maybe tell us how many games you developed in unreal or unity or any engine for that matter.

This is not true at all. Actions can be randomized from Quest NPC1 to NPC2 to mimic that of players, not just about timer.

I don’t know where you think this is a good idea and classified people as “not-knowledgeable” when a lot of people here did show you the limitations/flaws in your proposal.

No they wouldn’t because of the associated cost. This is not a tech or skill problem and never was, it is an economic one, which should be obvious to anyone with experience in the field.
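
Added example, not written by any poster in this thread: the exact-sequence comparison argued over above (same series of actions across accounts, timing ignored), run on constructed telemetry. It shows both objections raised in the replies: one inserted action changes the fingerprint, and a low group threshold flags two accounts that merely took the same detour. Account names, action labels and the threshold are assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample telemetry: (account, seconds_since_login, action).
# Account names and action labels are hypothetical.
EVENTS = [
    ("acct_a", 3, "talk:npc1"), ("acct_a", 40, "objective"), ("acct_a", 55, "talk:npc2"),
    ("acct_b", 9, "talk:npc1"), ("acct_b", 71, "objective"), ("acct_b", 90, "talk:npc2"),
    ("acct_c", 5, "talk:npc1"), ("acct_c", 33, "objective"), ("acct_c", 47, "talk:npc2"),
    # Same route with one extra emote in between.
    ("acct_d", 4, "talk:npc1"), ("acct_d", 20, "emote:dance"),
    ("acct_d", 52, "objective"), ("acct_d", 66, "talk:npc2"),
    # Two accounts that both detour to the same collectible.
    ("acct_e", 6, "talk:npc1"), ("acct_e", 30, "collect:mokoko"),
    ("acct_e", 80, "objective"), ("acct_e", 99, "talk:npc2"),
    ("acct_f", 8, "talk:npc1"), ("acct_f", 61, "collect:mokoko"),
    ("acct_f", 120, "objective"), ("acct_f", 150, "talk:npc2"),
]

def fingerprint(actions):
    """Hash the ordered action names only; timing is deliberately dropped."""
    return hashlib.sha256("\n".join(actions).encode()).hexdigest()[:12]

def shared_sequences(events, min_accounts):
    """Return groups of accounts whose action order is identical."""
    per_account = defaultdict(list)
    for account, _ts, action in sorted(events, key=lambda e: (e[0], e[1])):
        per_account[account].append(action)
    groups = defaultdict(list)
    for account, actions in per_account.items():
        groups[fingerprint(actions)].append(account)
    return sorted(sorted(g) for g in groups.values() if len(g) >= min_accounts)

if __name__ == "__main__":
    # Threshold 2 also flags acct_e/acct_f (possible false positive).
    print(shared_sequences(EVENTS, 2))
    # Threshold 3 keeps only the three-account group; acct_d is never grouped.
    print(shared_sequences(EVENTS, 3))
```

Raising `min_accounts` trades missed small groups for fewer false positives; exact matching by itself does not see acct_d at any threshold.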