My regular feed of the “RuneScape” search results on Twitter (very useful feature TweetDeck), provides an insight into the types of reasons that unsuspecting (read: guilible) users might encounter that lead them towards lack of account security/computer issues.

‘Edit your RuneScape stats through a glitch’

was the latest to make it’s way across the feed.

Now I’m not stupid. I know such a thing doesn’t exist. If it did, there’d be a lot more than 400 ish people with 24 99s. It would be complete chaos

So I downloaded the file. It’s always nice to see the attempts that wannabe-black hats are making to try to steal accounts. Information is power.

Immediately, before I even had so much as a chance to set AVG on it, the ResidentShield portion of AVG jumped in and chucked up a warning. This is nice because it proves that the software is actually behaving itself and doing useful stuff. A nice secure test of my AV-solutions.

So what was there:

Worm/Agobot.HEY apparently

Turns out it’s a particularly nasty little beast. http://en.wikipedia.org/wiki/Agobot has the details, but in short it’s

• A Botnet
• An auto-updating keylogger, packet sniffer, DDoS launcher and more
• It has a portscanner and a rootkit installer
• It harvests emails, product keys and passwords
• Can include a mail client to spam everyone you know
• Can include a HTTP client to initiate click fraud and DDosS.

So don’t just randomly download RS tools because you want to be powerleveled through a glitch or get 9M. It doesn’t exist. These are nasty little counterfeiting attacks that will compromise your computer.

Currently I’m looking to Mediafire to take this particular nasty down.

Mod Chris E posted an in-detailed explanation (following Mod Nick’s short evaluation of the problem that occured). I re-post it below, followed by my take on the situation.

“Perhaps I can explain a little more why we couldn’t release the game content this week, even though the problem only resides in the game engine.

When we build our Release Candidate (RC) build of the game ready for next week’s update, we build/compile all the content (scripts, models, graphics etc) against the RC build of the game engine.

In this case, we have been building a new engine version for the last two weeks with numerous new features and bug fixes. At the end of last week, this was ready so we pushed it to RC. We then built the game content against it ready for launch this week.

On Monday, during final compatibility testing that we do every week, our QA team noticed a problem with some Intel chipsets and HD. At this point, it meant we couldn’t do what we call a ‘Content Only’ update, because the content was built depending on the latest version of the engine, and wouldn’t work on the engine currently running on the live worlds.

Whilst rolling back the build systems for the engine and content is possible, it would have taken so much time that we probably wouldn’t have been able to release the content this week anyway (and besides, some of the new content relied on new engine features!).

I’m pleased to be able to say we have resolved the Intel issue (although our HD developer has been tearing his hair out most of the week!), so hopefully you will see the update early next week, barring any further problems. “

Perfectly logical and justifiable. Having worked in a company with multiple builds which incremented each time, I can understand the problems you had here. I was not at all surprised that it was a game engine bug.

I remain intrigued as to why the Intel chipsets had a specific problem from a CompSci point of view, clearly your work here is on a much lower level than I expected (normal Java-OpenGL work doesn’t involve chipset specific coding to my knowledge).

I’m still wondering what portion of the audience this affected – to quote my post from Qeltar’s thread:

“It’s difficult for anyone to accurately analyse the possible effect of the update on the number of users affected unless you have the data on your users. Jagex clearly do have this data.

One specific chipset on one operating system, which itself has a maximum of a 22% general market share in December 09, would seem like a bad reason to delay an update in my opinion.

A few things differ however. Vista may be more common on the RuneScape user base than in the general public. This is difficult to argue for – there’s no specific reason it should be.

The main factor however is that despite the wide range of actual hardware, the relative popularity of specific chipsets (for example the Core 2 Duo family) coupled with the fact that it may actually be multiple highly related families (I’m not entirely sure what the incremental changes are on differing chipsets and it’s stupid to try and speculate), of which only one they have the resources to test (they probably don’t have 1 chipset from each Intel processor family), means that it could be a larger than expected proportion.

So there is the possibility that it affects (given the dominance of Intel these days) upto and maybe above 20% of their market, it’s hardly surprising that they decided to wait.”

This post forms a response to Mod Chris L’s following answer on the RSOF:

Why wasn’t this done before release/done so quickly post-release?

The potions were tested and balanced beforehand to a degree that we were happy with their effects. It was only after monitoring combat post release on a large scale that we could see the randomness of hit chances had been effected in a negative way. With the increased numbers “under the hood” so to speak, the randomness of hitting vs not hitting in a fight between differently buffed players had tilted in a direction we didn’t intend. As a result, more players may have lost an unfair fight from the start. This is something we will look to rectify in the future with the combat system changes.

~Mod Chris L.

Response
Ok, so that’s quite a long post. I’ll pick out the important part:

“It was only after monitoring combat post release on a large scale”

Right, so you needed the data from a large number of players before you could do the statistical analysis.

But this is wrong.

There are only 171K with level 60. By the time you reach the new potions at level 88, you are at under 10K.

The typical response is:

“But we don’t have 10K testers”.

No you don’t. But you don’t have to do it at the same speed as them.

Here’s how:

1. Define the test

You are testing the combat system. You don’t need communication, or graphics. You don’t need interfaces. You are concerned entirely with a numerical analysis of the random probabilities affecting herblore potions.

2. Build a testing rig

Granted this is quite an expensive (dev time) process. But it’s reusable. You can have a single rig for the combat system.

This is quite an involved process. Basically you need to pull code from the RuneScape engine and build a client that simulates a number of players in combat.

3. Next you need to realise that it can be sped up. This is critical.

1. You can run the tests maybe 500 times faster than the players.
2. You can run lots simultaneously, because it’s just number generation. As you have removed the graphics, the system drain is small. A single computer might run 8 or 9 simultaneously.
3. You don’t need to even watch it.
4. You can feed in a list of weapons and armour and potions. The system can be programmed to use them at random or at a specific point. It can run 10,000 tests and give you the data analysis.

Summary

This system would generate large amounts of data. It would completely destroy the argument generated by Chris L. It’s a reusable, simple, analysis tool that would enable almost instant feedback on a piece of content.

Names. They are personal and vital. They form a method of grouping and sorting, organising and collating.

The ability to change names is therefore a difficult topic. People change to move away from an existing persona. But others want to maintain the connection.

Companies have long used name changes to rebrand the company, seeking to remove the connection between the company and an errant decision in it’s past. Usually it works after a certain time.

Identification means limiting the numbers who can have a single name. Ideally this should be just 1. But nobody wants a name that’s so obscure. Number Plates are a key case  where people pay for a specific combination.

Companies also often want to ensure no-one copies them. Identification is key here. But how similar is it and what gives you the right to reserve a set. All are unsolved questions. Domain names have been a recent area for this. Reserving all domain names is impractical, there is room for the squatter to pick one in the hopes of earning a quick buck.

Jagex released the name changing feature for RuneScape. Seperating Display Name from Account Name, obscurity providing some security perhaps. Both are still unique, so the ‘namespace’ becomes increasingly congested. Former names are reserved for atleast 28+7 days, current names must be held for atleast 28.

With the addition of reserving the top players and those who would be targets (moderators) as well as the existing reservations applied to the system to prevent Jagex Moderator impersonation, further limits are applied to the crowded namespace.

A plan to reduce congestion was not to give long-time inactive accounts their display name automatically. So the cybersquatter was born perhaps. In reality however, given that early growth was of the order of exponential, few names were released.

Facebook had a different plan. Given they use e-mail signups, the username (which is used to create a ‘Clean URL’) was simply released. Cue massive load as people reserved their name.

Jagex also suffered this load. It crippled the server for about 7 hours. Few companies seem to appreciate the actual demand at point of entry for these systems. A name is so short and yet it means so much for us. Names are precious and one of the few ways we can be identified on a personal level.

Hopefully, namespace crowding will become less of a factor if Jagex move to e-mail signups.

E-mail is a good method of ID, because it allows the web to secure itself as it long has done. The interconnected nature of the web is it’s greatest strength.

The other possibility is to move to OpenID. While this is nice, Jagex has always been pro insularity and so I don’t see this being very likely.

Well, every day seems to bring something new, so here’s the low down on the Security Key.

What is it?

It’s a stick containing cryptographic software and a small processor. It also will probably have anti-tamper  devices and other related security features.

What does it do?

Simply put it adds an extra dimension of security. Instead of just knowing something, we can also assume you have the item as well.

What will it prevent?

Password scamming will reduce as it will require a much more advanced process to comprimise your account

Does it mean I’m totally safe?

No. Firstly you must keep the device to yourself. If other people get it, you may be unable to login and they have 1 peice of the puzzle and need only your password to get on.

Secondly, complex fake clients could present a fake RuneScape while using the data from the stick and your password that you enter to login to your real account. They could then do whatever they liked while you were ‘logged in’. This can be done via a fake website that you visit and play the game on or a complex trojan which manipulates the real client.

http://www.schneier.com/blog/archives/2005/03/the_failure_of.html for more details on this.

Is this Jagex’s first foray into RWIT and if not what’s with the bankspace?

Jagex have been one of the strongest disclaimers of micro-payments and RWIT. So why are they offering in-game advantages?

Simply put, Jagex believe that few people will want the device on it’s own. People will assume their account is safe and when they are hacked, then they will wonder whether to purchase a key. By then it’s too late.

If they offer an incentive, maybe people will buy the key saving Jagex time and money later.

It’s also worth noting that no-one considers members RWIT, but it offers similar advantages to they key.

Isn’t this some huge scam to make Jagex money?

I don’t think so. These devices typically cost £25 – £50 . We are being offered them for considerably less than that. Jagex can afford this because, if people take up the device, the likelyhood of them being subject to account fraud is far lower. So that reduces Customer Support costs.

If they can offer bankspace now, why haven’t they increased it before?

Bank space costs server space. Firstly the master servers that stores all players details needs extra space to store the record of the items. Each stored item takes two numbers to store – the item code and the number of that item. The numbers are probably a byte in length at least. With 380M account created – each of which could use the extra space, each bankspace corresponds to an extra 362 MB of storage space at minimum.

The front-end servers will also need more memory and storage space to ensure continued quick access of the account. It will make a small difference to bandwidth usage and data transfer – all of which needs to be optimised to ensure good game-play for low-end systems.

Mod Tom S tells us about the server upgrades recently. I don’t think it’s a stretch to say this upgrade was important for this sort of future update.

Even while I was playing people were reporting the loss of huge sums of money from the mini-game. Now 99.9% of the time this is either user stupidity (not seeing it in returned items) or simply lying. However, the result of this has now been felt by Jagex. They have fallen into the crying wolf trap.

Exile 35, posted that he had lost 350M. Now that’s  a staggering amount of money. It’s months worth of work at best, typically years, depending on your focus.

The following are the posts by  Mod Mat K

Post 1

Mod Mat K

Jagex Mod

08-Jul-2009 16:54:39

Now, if I decided to check all the people that claimed to have lost stuff out and see whether they had, what percentage do you think would be telling the truth.

Knowing that the original poster is talking twaddle, I think it would be very low.

´°º•‹.Mat.›•º°`

Mod Mat K

Jagex Mod

08-Jul-2009 17:01:29

I know you didn’t lose it Exile. I know more about your account than you do.

´°º•‹.Mat.›•º°`

Mod Mat K

Jagex Mod

08-Jul-2009 18:14:06

I’ll be the first to admit when I have made a mistake. Please accept my apology Exile and thanks for pursuing the issue.

Mat.Mod Mat K

Now, if I decided to check all the people that claimed to have lost stuff out and see whether they had, what percentage do you think would be telling the truth.

Knowing that the original poster is talking twaddle, I think it would be very low.

´°º•‹.Mat.›•º°`

Post 2

I know you didn’t lose it Exile. I know more about your account than you do.

´°º•‹.Mat.›•º°`

Post 3

I’ll be the first to admit when I have made a mistake. Please accept my apology Exile and thanks for pursuing the issue.

Mat.

Conclusion

I’m sorry Mat. I respect you as a member of Community Support. But you just broke the number 1 rule. You should NEVER claim the customer is wrong without evidence. The assumption is always that they are right.

By doing as you have, you make CS look like ‘look before they leap’ braggarts. You insult the very nature of the CS discipline. You destroy in a moment any ability for Jagex to appear as if they read reports and appeals. You make it look like the mostly automated system you say it’s not.

Now there’s other complaints about MA. 3/4 of the scenarios are broken. The priority level system was shown to fundamentally flawed by introducing a maximum of 3 priority. The combat triangle is probably not as strong as desired. The number of games for Level 2 (50-100) is absurd. The pay off is small.

It’s been in development for 18 months. I don’t buy the ‘you test more in 10 minutes argument’. People do very similar actions to one another and the items lost glitch should be obvious to any bug tester. Clearly for example, a low max priority is a stupid idea.

Personal

On a personal level, I’m not doing bad. I’ve been suffering from internet loss, but am still woodcutting Yew logs. It could be faster – hopefully when I can afford a D hatchet, that’ll partially solve that problem.

The third Mobilising Armies post today. Heh, sorry if you’re not a fan but I’m trying to do stuff in depth. Other stuff (like merch clans & 26k) will come up later, I’m sure.

Onwards.

Played through the tutorial – style of such is very similar to the Soul Wars one. Kind of hard to work out, it’s not particularly helpful in instructing you during the early stages. Often if you miss some of the text between the humour (ARMS ), then you get stuck.

The lack of drag select (common in strategy games) is really frustrating at times, 10 units is kinda hard to manage without group select. It’s a result of building a game within a game I suppose.

The use of junk items as investment is inspired, although I couldn’t invest my willow logs which were ‘wanted’ at the bottom. Not sure what’s going on there. Once that clears up I’ll be back because I’ll have stuff to buy troops with! Also, not sure if you can, but noted items should be investable – helps remove more.

Graphically I have no problems with MA. Really want to get some of the uniforms, but as said that will have to wait. I lost my first game so could be a while! Got no credit either, the -3000 from time killed everything. Is that cause I lost.. Not sure.

Seemed to be very busy, though everything is on release. Hopefully it has staying power – I know I’ll be back, because Zaros knows we have enough abandoned mini-games!

For the moment I’m returning to Yew trees to make some more money!

So the most anticipated update since…the last skill probably… has been launched along with tons of content. Lets see

• 3 Scenarios
• 10 Unit Control
• 3 Races
• Junk Usage!
• Special Units
• Uniforms
• Imbued Rings
• Interface Changes
• Zanik’s Crossbow Upgrade
• Choice of Sitting Positions
• Notes
• Area and Teleport Changes

I’ll be posting an indepth review on most of these when I ‘field-test’ the content

Well it was inevitable I suppose but still caused red-hot flame in Recent Updates when it happened.

After Mod Knox posted a post saying ‘we’ll be updating bar problems’ the RS community who’ve been waiting since around last year for this minigame expected it to be out yesterday.

So by 4pm people expected it to be out. Eventually on a post called ‘How late is too late’ Mod Emilee responded that it had been delayed to due to engine tweaks.

Yeh. So Stormy Times makes a few more sarcastic threads about how Jagex fail and SteveW is forced to lock ‘Mod Emilee is HOT’, a response to the ’shoot the messenger’ syndrome.

Meanwhile more people rant about how the updates are mainly announced on Twitter rather than the forums and so on.

I was actually not suprised, lets face it, anyone who’se seen this project knows it resembles more like Duke’m Nukem Forever every month, so a delay last minute is not a shock. So I posted (redone for your entertainment), a parody of Elton John’s “Sorry Seems To Be The Hardest Word” – a double take cause Jagex never apologise.

It’s sad, so sad
It’s a sad, sad situation
And it’s getting more and more absurd
It’s sad, so sad
Why can’t we talk it over
Oh it seems to me
That MA seems to be the hardest word

If it’s released, expect to see me gunning for the rewards. If not, well we can always play Kickabout League While I wait on RuneScape however, I’m slaying Hellhounds having finally switched to Sumona.

EDIT: I should point out I’d much prefer a fixed update to a fine one. I just think that Mod Knox needs be a little more cautious in telling people and the RS community needs to calm down

I have just noticed that my last post showed me reaching 68 fishing and was posted on the back end of last holiday. This means I gained 19 levels during the course of a term in addition to an unknown number of cooking levels. I would be extremely pleased to do this in mining, as 87 mining would be Runite. Mining might be a little slower, but I can hope.

Additionally, it is worth noting that I ‘could’ simply power mine and have mining done in a matter of weeks. However, the net loss in smithing exp and money means this isn’t a good idea. This is a clear example of a situation in which a pure in a single skill is far quicker. Given my goal, this isn’t feasible.

Another event which has occurred is the holiday event. Given that I was on line at the time it was done in the first 5 minutes =).

PS: Yet another post will follow detail running stuff! I thought it a good idea to separate it out.