The Walls Have Eyes, But Are Missing Form And Function

Gamespot has a story on a WoW guild that was banned for “wall-hacking” AQ40 because, well, let’s just go straight to C’thun, OK?

The usually insightful PlayNoEvil security blog asks “uh, isn’t that supposed to be impossible on an MMO? With, like servers and stuff?”

Hah. See, the whole “everything must be server side! the client is in the hands of the enemy!” gestalt is true. But the other side of that coin is that the more processing you can shuffle off onto the client, the less melting down into ash the servers get.

So, every MMO does SOME client-side wizardry, most of which is completely harmless if you hack it. Things like assembling text strings on the client, deciding which particle effect plays where, etc.

The trick is when you cross that line of “if the players find out, we’re screwed!” Or, more to the point, “if the players find out, we’ll ban them.” For example, speedhacking is a very common, and very difficult to defeat client side exploit in MMOs. In DAOC, the server simply did (and still does) periodic checks to see if a person is moving a bit too fast (ok, quite a bit too fast) and silently flags that account for a CSR to pop on and confirm, yes, this character is mowing down people at Mach 5, it’s time to convince him or her to play another game. (Of course, once players figured out this was happening, it was surprising how many people insisted that they were “hit with lag spikes”.)

So which is more harmful – a client-side exploit waiting to be discovered, or a server-side overload (something World of Warcraft has been plagued with, in many forms, due to sheer load) that prevents anyone from playing when the servers crash? And don’t say “none of the above”, because you missed Candyland back at the I-35 turnoff.