Clearly none of you are software developers.

No developer wants you to post exploits or vulnerabilities in their software anyplace that the average idiot has access to it. You are not helping, you are creating crisis-work for them. Instead of working on "x feature" today, some guy / gal is working frantically to hotfix whatever bug you posted on mmo-champion before everyone starts doing it. Had you reported it quietly, they could have analyzed whatever caused the issue and fix it more appropriately but now they have to slap an industrial sized bandaid on it and hope nothing else breaks. "LOL I discovered a buffer overflow in phpbb, thought you should know it's on line 455 of post.php". <500 idiots go make a zeroday rootkit and hack someones forums>

If you want to help Blizzard improve their game, then send them emails with explicit instructions on how to replicate cheats or exploits. This thread is nothing more than a guerrilla war attempt at getting some issues fixed that certain people might find unfair.

You really want to help? Then tell Blizzard privately. Stop this net-nanny exploit terrorism and don't post anymore exploits.

One point is actually knowing what kind of exploits exist to be able to report them. This stuff is reported on closed forums or at least advertised.

Put "cheat world of warcraft credit card" in google and you get 691000 links to click. Some of them will most likely contain very specific information and not just frauds. At the moment exploits are a benefit for the few, who are actually able to know how to find them und how to use them in a way their main accounts won't be banned.

Perhabs it is important to find out how to distinquish between not seeing the flag carrier and being sure he is exploiting. There are many examples many of which lie somewhere between paranoia and ignoring.

That would be fine and dandy, except Blizzard seems to drop the ball on getting information from the community. There have been some pretty major exploits around for months. I reported them privately and I got a canned GM response. 6 months later it was still in the game. This exploit was big too, it allowed you to pass through any wall without modifying the game in any way at all. I got to C'thun (just me, didn't try to kill him or anything) before most top 10 guilds killed Huhuran.

It's not just Blizzard either. If I remember correctly, there was a Internet Explorer exploit released because Microsoft wouldn't do anything about it after they reported it. I could be wrong about what company it was, but I know that situation has occurred and will continue to occur.

Are you? Have you ever heard of full disclosure?

Blizzard is going to be much more motivated to fix exploits when they are known, and like most other software companies their track record speaks directly to this. I think that "reasonable disclosure" is fine too - go ahead and let Blizzard know, but if you just get the canned response and the next patch doesn't include a fix then I think that it is in everyone's best interest to make the exploit public in the hopes of getting it resolved. The only people who benefit from keeping the exploit secret are the people exploiting it.

Its an interesting point that some bugs/holes in Windows that are know only by Microsoft are -not- fixed until someone creates a virus/tries to exploit it. The reason is quite simple, when Windows does release such a fix before the problem was even public it takes ~1 day for it to be reverse engineered by someone tring to exploit it and make the virusus.

Admitedly WoW is a little different, if blizzard fixed a problem before its common place knowledge it does not get exploited ever as all servers are patched unlike all the millions of Windows users out there, though the point does exist that by making knowledge of an exploit common it gets used a lot more, if its not common it can actually be swept under the carpet while other pressing matters are addressed first, or even just not actualy patched until the next major patch as opposed to tring to rush a fix for an exposed exploit, which may in itself jsut be very messy.

This thread covers a few distinct topics!

Yeah, thats pretty much it. A group of us in EQ used Macroquest for a while because, in all honesty, we had nothing else to do with the game. At that point, most of us had 2-4 characters with max AA's (or max that we cared about, my berserker, for instance, wasnt getting improved innate charisma any time in the near future) or , gear that was only getting better by raiding, and full augments.

People can stand up and say "omg its wrong to bot!", but after 600 days played on main characters, theres nothing in the game midway through an expansion that will keep people entertained. At that point, you really stop caring about much other than doing obscure things to have fun (like, see who can pull off a queue of warps to hit every zone in the game, using as few duplicates as possible; or see who's 2box combination can kill a lower floor boss in VT first without using the MGB bug to constantly reuse AA summoning abilities).

I'm morally opposed to botting for cash to sell (though I couldnt care less about actually buying or selling it, do whatever you want, as long as you're at the keys), or to make a profit for yourself via selling powerleveling services (though if you want to do that via being at the keys, I also dont give a shit), but for entertainment purposes (crank up the speed modifier to 100000 to see how many times you run around the entire world/zone with 1 slight keypress? Go for it Transfer nodrop stuff to alts because its better than rotting in your bank? Eh, whatever)


The biggest problem I have with WoW at this point is that it encourages alts. Honestly, some system (other than heroic badges that you can spend 2-3 weeks on and not need another one) that enc=ourages people to play a main character would be spiffy. I really liked EQ's model of tradeskills and AA's, because it meant you got bored much less quickly than in WoW (where you can make something like 400 combines and be maxed in any crafting skill. I think my lock did tailoring in 430, including his cloak and 2 FSW pieces [not counting the queue'ing of cloth above wool while getting a drink, or pacing aimlessly waiting for the stack to turn into bolts])



As for malicious hacking, the only time I saw a quality example of it was doing 2v2's with a rogue friend. We came up against a hunter who possessed the incredible ability to warp from one end of the arena to the other, hitting us with an attack that showed up in our combat logs as whirlwind as she did it, and heal from 15% to full 5 times. Even stranger, when we did, finally kill her, her partner was a mage, we were given a loss of points and no credit for a game played. (we played that team 4 times that night, same behavior in every game, we ended 24-6 as a team that night with 26 games played each. That hunter seemed to be banned, as we never heard/saw from her again, nor did anyone else who was playing actively that we know in our 2v2 bracket).


For using broken ingame methods to make a profit, the one thing i've learned from gaming is theres several distinct versions of this, each with different methods of discovery. (The general descriptions for these come from a 'friend' who used to work at SOE, and have been adapted for wow, and take examples I've seen or been involved in personally)


1. (un)intentional use of bad design logic. ie. Using a tradeskill recipe involving -completely- storebought components that, when finished, sells for more total than their parts. This is one of those "You should have known better" infractions, unless it nets you a tremendously low amount of cash (a couple copper on a multi-step combine, for instance), at which point, you should feel ashamed.

How this one gets found out: Someone automates this process, and does it with such success that they make far too much money, get investigated, and subsequently banned. (Thus proving Karl Marx knew what he was talking about)



2. intentional use of game mechanics caused by designer screwups to wind up with items you probably shouldnt have, but that you are capable of getting anyway ie. Hero BF nethers or Circle of Drakes chest bug (where the 3day lockout timer applied 3 minutes after the chest was looted, not WHEN the chest was looted, in an instance that allowed you to freely leave it at any time, allowing for, oh, lets say, ~100 drops in ~2 nights). You should know better, but you'll likely never get banned for it (unless you really piss someone off), because as far as you know, you were doing something that was perfectly allowable (if i never get a lockout timer, how am I supposed to think I SHOULD get one?).

This one gets found out because: This one generally doesnt get noticed right away unless a lot of people talk about it, and it becomes common knowledge (unless your ticket gets elevated to someone who actually knows what he or she is doing, which in many cases, doesnt happen because the guide/gm says "thats nice, have a cookie", or, in an actual response I got to a petition on one of the above "We show can no error in processing youre problem". I interpreted that in the only way that made sense at the time: "This is currently working as intended")


3. intentional use of odd programming bugs for profit. Examples of this would include the ability to crash the game while selling items to retain the items while gaining the gold, ability to move at the exact moment a timed-cast ability finished casting to save materials/reagents while getting the effect of the spell, finding spots to mount indoors.

Found: A combination of both 1 and 2. Some of them wont get noticed at all (the dismount spots in Loch Modan were fixed a couple years after being reported, posted and complained about throughout the development process and into release) some get fixed right away (apparently, for a short period of time after BC, you could move just as a khorium bar finished, and it would save the ore; this was one of the reasons khorium spawns were removed. I personally had no success with this after hearing about it, so who knows if it was actually true), some are somewhat of a pain, but known about as issues (enchanting items lower than the req limit while in the mail and being mailed).


In all honesty, bans for most of these arent common. You have to be obvious about your abuse of most of these things, and generally have to be using some automation in the process. Sometimes, you may have items stripped, but you dont see more than a slap on the wrist and a warning flag on your account (I had a guildmate in EQ with more warning flags than you could think was possible, and his only ban was for something unrelated to those, and later reversed).

On a somewhat related note, there is plenty of bugs discovered in WoW on the Chinese forums. Below is the list of fixed bugs that you may or may not heard of(courtesy of my guild mate robins).

1) Making T3 blacksmith weapon without mats
2)Getting honor in AV after losing(you have to cap towers less than 5 mins before lose and wait)
3)wall jumping to get past the gong gate in ZA (the no summoning in ZA fix is for this)
4)Losing Arena without losing points(let leader queue, pass leader to a fellow member, new leader kick old leader from team)
5) Karazhan bug , you can do opera event 10000000000 times for unlimited badges, you have to die in the opera audience trash before event, then the guy who start the event can be talked to after killing opera and he will continue summoning bosses infinately.

Note that they are supposed to be all fixed, so anyone who plans to exploit them will have to read those forums for the next big thing.

While it would be nice if things were like you said, fact is that often Exploits are ignored by Blizzard for months. Take the various Warsong exploits that made flagcarriers unattackable.

Considering the fact that those exploits were widely known and often posted about on the WoW forums (before being deleted), I don't see how that example supports the position that "Going public results in instant fixes". It would seem to me that going public with that just results in more people doing it until the fix is put in place.

I've never seen detailed descriptions on how to do it, I've only seen tons of threads about people doing it which were often closed because they accused the exploiter by name. Which is the other huge problem with Blizzard and exploits, the only people getting banned are those that call exploiters out.

Not sure that's a bug, but if the combat log is any accurate(I'm too lazy to run an addon to calculate honor for me), it still does it. If there's towers/bunkers on their way to be capped and the game ends, if you wait until they cap, you get the 62honor message. Hardly a gamebreaking bug tho, and definitely not an exploit. The opera thing sounds much more interesting to me, I could really use ~400badges ^^

This issue has existed in every revision of AV since the first, but it seems to have been resolved some time this last week as my most recent AV's have not given bonus honor for post-game caps.

Eh, I follow the same views on hacking / code modification as I do bug abuse really. If you're doing it strictly for profit (money, arena ratings, ect), you're an ass. If you're profiting off it for personal use in a way that doesnt impact anything (if you've got code to allow you to ghostkill mobs while standing at the zone line, I dont really care, for the most part, as long as you're using it inside an instance [you'll get banned for that one eventually, and what do I care if you're killing stuff in an instance you create]), and if you're doing it out of boredom (oh no, your character can fly without a mount or instantly warp somewhere, or oh no, you're using different graphics for models), I'd suggest finding an additional hobby, but it shouldnt really bother anyone too much.

From experience (and theres little non-anecdotal evidence on any side of this, to be completely fair to both sides, as EVERYTHING eventually comes down to knowing the who and they why of the use, which you get only from talking to these people) things that are obviously broken are either not yet found, found and near impossible to fix, near-impossible to prove (the old WSG flag capture while blinking thing was debated on this forum and others for long periods of time, and while many said it was impossible, others had video clips of it; as one example) or already being slated for fixing.

The other side of the coin is that in a lot of cases, these things arent seen as major issues at certain times. If something impacts a small percent of a small portion of a small part of a game audience, it can go a long time without being fixed, especially if it isnt causing harm to many or affecting a server economy to a noticable degree. Other times, you'll log on one day to find the company was just waiting for the right time to purge numerous accounts (Sony, at one point, just threw their hands up in the air and stopped banning people for some infractions as they happened [MQ was bad, bad juju if you didnt know what you were doing, if SoE updated on their end and you didnt re-compile correctly, you were gone], and did it all on one day every few months)

I have no idea about anyone else, but I am. For years I worked on a very large product that required the kind of security fixes you are talking about (think major OS with lots of open source components). The article you link advocates responsible disclosure. Which is completely legitimate. Personally I would rather have some amount of time to actually identify the correct solution, implement it, *test* it, and try to schedule into your normal patch cycle if possible. Giving vendors a reasonable amount of time to fix things before you publicly disclose is responsible. Most vendors will react if you tell them you will disclose it on a specific date. They may ask you for more time, but you can probably get some sort of status or date out of them if they think you will work with them.

By all means, tell a vendor you will publicly disclose it on some date, but make that date a reasonable time in the future (typically 30 or 90 days, depending on the nature of the vulnerability and the product), don't disclose it on a whim, and don't do it after the end of business hours. Software engineers are people too... the release engineering and QA guys do not like being dragged in after hours or on weekends, and nobody like fixing a major issue with a piece of code they are not confident in because they rushed the implementation and testing. You will end up with better tested patches that are less likely to introduce other issues and vulnerabilities, and software engineers who appreciate you instead of looking at you as an adversary that is poised at any moment to ruin their free time.

Even if a vendor does not react, you should still give them a warning and a date for disclosure. At least you did your part to try to avoid having real deployed exploits, and they will get the hint sooner or later.

If 90,000* in 9,000,000* players get banned for account sharing in a month and even 90* in 100* of those bans are false (90%*, when the number is more likely in the 13-64%* range) positives, you're looking at 81,000** out of 9 million customers pissed off with a reason vs. the weighted good of the public as a whole*** in getting rid of power levelling, etc.


* Source: Me. I have made up these numbers and they have no basis in reality. I decided what I wanted to say first, then inserted appropriate numbers where relevant.
** Please note that my sum is actually correct: 90% of 90,000 is 81,000. (Psst: 9% of 9,000 is 810.)
*** Source: Me. Despite being the actual subject of the discussion, I have stated my opinion on as fact (the result benefits the "weighted good of the public"). This may be taken as correct and in need of no further discussion.

I think those of you accusing others (with zero evidence) of teleport/speed hacking in BG's are off your rockers. It could be lag on either end not to mention god knows what other issues. People who have 2 accounts and 2 PC's can testify that what you see on one monitor is not what you always see on the other - and there are no hacks involved there at all.

A classic example of this is the spin animation on blood elves jump. It's client side. You may see it but the person jumping may not and vica versa.

Game exploits is one of the most fun/creative things that you can come up with in this game. I mean, I can not imagine how people come up with the idea of kiting patchwerk for example.

File this in the "Onyxia Deep Breaths More" folder if you will, but I swear this isn't working anymore. I'm still getting hit by the Kaliri even when flying directly upwards with Crusader Aura activated.

I just wear my tank gear nowadays to become immune to daze while flying through Skettis.

Actually, it advocates full disclosure > responsible disclosure > no disclosure. In other words, responsible disclosure couldn't exist without the threat of full disclosure. Usually giving the software creator time to patch the vulnerability before you fully disclose it is the best idea, hence the concept of "responsible" disclosure.

The poster that I replied to is wrong - the threat of full disclosure is what makes this whole process work. It isn't "net-nanny exploit terrorism", but it is a last resort if you've notified Blizzard about an exploit and it is still not being addressed. It's better than the alternative of the exploit being kept "secret" (secret from everyone except the people actively exploiting it) indefinitely.

We had quite often matches with no points granted. The window showed some strange 7 digit number in point changes. Tickets never had any effect. Is this the only way such a rating bug can occur ?

I used to be a part of a mud, that had rather terrible programmers.
The mud code was based largely on stock code.
Exploits were found, annoyances were used.

Instead of coding the fixes in, rules were made.
This simple mud had over 250 rules, where rule #1 was "ignorance of the rules is not an excuse".

So as the poster with the long reply on page 1 stated, much of this is in the hands of the developers. If they just are lazy about things and do not fix bugs or exploits, imagine how bad things would become, and how rules would seem silly in a game like this.

Fortunately, for us, the devs seem to be on top of most of the exploiting.

Every hour a developer spends trying to hotfix some bug/exploit that went unnoticed for weeks/months until it was made known to the general public is an hour that could've been spent on content.