Re: Regarding the Use of Third-Party Programs and Player Safety

[BigCheez]

Please no. Anticheat will only harm the regular users and can do nothing to resolve this issue, its literal snake oil.

It would deal with the rampant botting and cheating though, but that's a separate conversation.

[Sarevok_Thordin]

Having the plug-in taken down won't accomplish much. The creator is already planning to distribute it among his friends and in less visible spaces. Pursuing legal action will only stop the creator, it won't stop the people that have already copied the plug-in with plans to make their own. I encourage seeking legal action but it will not prevent another copy-cat plug-in from doing the exact same thing.

What MUST be done is protecting the account ID that no one asked for. You could simply NOT send it client-side. If it absolutely MUST be sent client-side for the blacklist to use its current features then you must AT MINIMUM protect it with randomized hashing if you can't be bothered to encrypt it. You cannot let such sensitive data be sent to the client with no protection in a game that you KNOW has such heavy plug-in usage. Basic data security is just completely absent from its current implementation. THAT'S the problem, Yoshida.

This the issue, the client does not need the accountID to do anything as it isn't interacting with the other player's account, it's only the character that it sees it needs to check. The accountID should be a server side check with anything requiring the use of account id being managed through a characterid challenge from the client.

A basic pattern of security is least privledge, the client should never have read privledge on account ids of other people.

[VerdeLuck]

Anticheat in this game would cause half the playerbase to quit.
There are so many people who play this game as second life simulator for Yoshi to do something like that. Man will do anything for subs.

I would rather people quit because their ERP mods don't work or they can't parse random people in their casual roulettes than have SE keep playing whack a mole with increasingly disruptive cheats and tools designed to harass players.

[YumieYumiki]

It would deal with the rampant botting and cheating though, but that's a separate conversation.

If they wanted to fight bots they could apply a number of server side heuristics to prevent them from teleporting around, from getting under the map, from speed hacking. Same thing as the blacklisting issue though, it would increase the server costs and evidently they are content to let people believe that nothing can be done, rather than outright tell us "it would cost us money so fu"

[VanillaWafer]

If they wanted to fight bots they could apply a number of server side heuristics to prevent them from teleporting around, from getting under the map, from speed hacking. Same thing as the blacklisting issue though, it would increase the server costs and evidently they are content to let people believe that nothing can be done, rather than outright tell us "it would cost us money so fu"

Well, one thing you gotta remember is that the whole teleporting around has been used by staff in preparation for Fan Fests. Does that excuse bots from using this channel to level characters? Of course not. My concern would be that if they decide to implement something more instant, then that would likely allow people with malicious intent to figure it out and deploy their bots to use that, too.

Or maybe that's already happened and people who are on the surface level just don't know that, yet.

[Chaincat]

Just add an anticheat in 8.0 we need it at this rate.

Anticheat wouldn't work for this. You can access this information without tampering with the game's files via Wireshark. You don't even have to directly interface with ff14 to get someone's account ID. Hell, you don't even need to have ff14 installed on the same machine that ff14 is running on. Until that information is not shared with the client, no anticheat or attempts at stifling plugins or mods will ever work.

[ovIm]

Well, one thing you gotta remember is that the whole teleporting around has been used by staff in preparation for Fan Fests. Does that excuse bots from using this channel to level characters? Of course not. My concern would be that if they decide to implement something more instant, then that would likely allow people with malicious intent to figure it out and deploy their bots to use that, too.

Well, if the check is server side, they could just enable a flag server side for specific Square Enix Accounts that says "yeah, this character is allowed run underneath the map at 500% speed, this is gucci."
And if that flag is set on an account basis, any account that does the same thing without that flag could get tagged for investigation. Automatically. Its a much more elegant solution than trashing customer computers with a useless anticheat application.

[BigCheez]

If they wanted to fight bots they could apply a number of server side heuristics to prevent them from teleporting around, from getting under the map, from speed hacking. Same thing as the blacklisting issue though, it would increase the server costs and evidently they are content to let people believe that nothing can be done, rather than outright tell us "it would cost us money so fu"

I'm not talking about those bots. I mean the ridiculous number of players botting things like diadem/firmament, and general crafting/gathering, and HoH for the accursed hoard achievements, or fully automating their rotations in raid content.

I don't think people realise how much these plugins can do or how many people are using them.

[ThatQEDguy]

I take it "Fixing the issue" isn't on their radar?

[Exmo]

This the issue, the client does not need the accountID to do anything as it isn't interacting with the other player's account, it's only the character that it sees it needs to check. The accountID should be a server side check with anything requiring the use of account id being managed through a characterid challenge from the client.

A basic pattern of security is least privledge, the client should never have read privledge on account ids of other people.

This doesn't make sense. The blacklist feature blocks another player and their alts. Therefore, the client needs to know some info about those alts so it can block them.