Horizons: Special Report, Part II
Article by Carolyn Koh
Editor's Note: This is the second article in a series that looks at Horizons and what has gone on with it and its new owners since EI Interactive purchased the game from Tulga earlier this year. You can read part one here.
Act Two, Scene 1.
MMORPG.com published a link to the SOAP vulnerability that had been reported to EI Interactive. Speculation began to run rampant, forcing a public statement from EI Interactive in which they reassured subscribers that their account information is safe.
“…the vulnerability described in the article allows for only individual account exploits. The vulnerability requires foreknowledge of account information, e.g. a valid username and password.”
Just what is SOAP, and why does it matter to players? SOAP (Simple Object Access Protocol) is an XML-based protocol for calling the methods of a web service, usually over HTTP. I spoke to the publisher of the report, Bernd Kilga, who works as a security consultant, to learn how he discovered the vulnerability.
“I participated in a couple of Horizons tools, like the rather popular Horizons Crafting Calculator (HCC) (http://hcc.reclamation.dk/) and tons of other stuff: live statistics (http://reclamation.dk/horizons/livestats/) and character exporters (http://reclamation.dk/horizons/arcat/). We even received permission from Tulga to bundle game assets such as game-graphics/icons/data with HCC. My primary motivation was the excellent communication with Tulga which allowed me to get a great peek behind the game development industry, something which does interest me a lot.
Working on tools like this naturally leads to understanding the game database and the various debug logs. During our work on HCC we reported several data anomalies to Tulga. This gave me the experience needed to test various security aspects.”
Before this find, Kilga had discovered a major security hole, which he worked closely with Tulga to fix.
“That allowed the read out of any userdata (password + username) by providing a fake HTTP request. This issue was addressed by Tulga with high priority and resolved in 1-2 weeks. It did please me a lot that this issue got fixed right away and in a very professional manner: I was in MSN chat with the lead developer who also requested that I test the patch before its public release.”
The SOAP vulnerability as published by Kilga allows any HTTP client (for example, a web browser) to talk to the SOAP API: access isn't restricted to the intended clients (the login website and the standalone launcher only), and the API exposes methods that a regular user cannot otherwise invoke. A simple example: renaming your character.
At the time the vulnerability was reported to EI, the original payment system was still in place, so it was then possible to make actual changes to subscription data. Today a different payment API is in place, and it is not directly connected to the login website.
We asked whether that change by EI Interactive had closed the security hole.
“Not exactly,” Kilga told us. “First off, there is no real danger for the customers of Horizons: It's not possible to retrieve any userdata (passwords) without any brute force attacks. However, since SOAP allows interaction by any client, it's very possible to write simple scripts which perform brute force attacks and try to guess passwords of a) users and b) the master password which protects the moderation commands.”
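Kilga's two points describe a familiar pair of server-side gaps: an API that exposes privileged methods to any caller, and a login path with nothing to slow down password guessing. The following is an added example, not code from the article, from Kilga, or from the game's operators, showing the two controls that address them: deny-by-default authorization per API method, and a sliding-window account lockout plus password-spray detector run over constructed login log lines. The method names, role names, thresholds and log format are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Policy thresholds (constructed for this example; not the game's real settings)
MAX_FAILURES = 5        # failed logins per account inside WINDOW before lockout
WINDOW = 600            # sliding window, in seconds
LOCKOUT = 900           # how long a locked account stays locked, in seconds
SPRAY_ACCOUNTS = 3      # distinct accounts one source may fail against inside WINDOW

# Hypothetical role required per API method; anything not listed is refused.
METHOD_ROLES = {
    "GetCharacterList": "player",
    "RenameCharacter": "support",
    "SetSubscription": "billing",
    "KickPlayer": "moderator",
}


def authorize(method, caller_roles):
    """Deny-by-default: unknown methods and callers lacking the role are refused."""
    required = METHOD_ROLES.get(method)
    return required is not None and required in caller_roles


class BruteForceGuard:
    """Per-account lockout plus per-source password-spray detection over a sliding window."""

    def __init__(self):
        self.account_fails = defaultdict(deque)   # account -> deque[timestamp]
        self.source_fails = defaultdict(deque)    # source  -> deque[(timestamp, account)]
        self.locked_until = {}                    # account -> unlock timestamp
        self.spray_alerted = set()                # sources already reported

    @staticmethod
    def _prune(dq, now, key=lambda e: e):
        # Drop entries that fell out of the sliding window.
        while dq and key(dq[0]) < now - WINDOW:
            dq.popleft()

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def record_success(self, account):
        self.account_fails.pop(account, None)

    def record_failure(self, account, source, now):
        alerts = []
        af = self.account_fails[account]
        self._prune(af, now)
        af.append(now)
        if len(af) >= MAX_FAILURES and not self.is_locked(account, now):
            self.locked_until[account] = now + LOCKOUT
            alerts.append(f"lockout account={account}")
        sf = self.source_fails[source]
        self._prune(sf, now, key=lambda e: e[0])
        sf.append((now, account))
        distinct = {a for _, a in sf}
        if len(distinct) >= SPRAY_ACCOUNTS and source not in self.spray_alerted:
            self.spray_alerted.add(source)
            alerts.append(f"spray source={source} accounts={len(distinct)}")
        return alerts


# Constructed log format: "<ISO timestamp> LOGIN_FAIL|LOGIN_OK user=<name> src=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<event>LOGIN_FAIL|LOGIN_OK) user=(?P<user>\S+) src=(?P<src>\S+)$")


def replay(log_lines):
    """Run the guard over auth log lines; return the alerts it would raise, in order."""
    guard = BruteForceGuard()
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an auth event
        now = datetime.fromisoformat(m["ts"]).replace(tzinfo=timezone.utc).timestamp()
        user, src = m["user"], m["src"]
        if guard.is_locked(user, now):
            # A locked account is refused even when the password is right.
            alerts.append(f"rejected locked account={user}")
        elif m["event"] == "LOGIN_FAIL":
            alerts.extend(guard.record_failure(user, src, now))
        else:
            guard.record_success(user)
    return alerts


# Constructed sample log: one source hammering a single account, another spraying many.
SAMPLE_LOG = [
    "2006-12-01T10:00:00 LOGIN_FAIL user=alice src=10.0.0.5",
    "2006-12-01T10:00:10 LOGIN_FAIL user=alice src=10.0.0.5",
    "2006-12-01T10:00:20 LOGIN_FAIL user=alice src=10.0.0.5",
    "2006-12-01T10:00:30 LOGIN_FAIL user=alice src=10.0.0.5",
    "2006-12-01T10:00:40 LOGIN_FAIL user=alice src=10.0.0.5",   # 5th failure -> lockout
    "2006-12-01T10:00:50 LOGIN_FAIL user=alice src=10.0.0.5",   # refused: locked
    "2006-12-01T10:01:00 LOGIN_OK user=alice src=10.0.0.5",     # refused: still locked
    "2006-12-01T10:02:00 LOGIN_FAIL user=bob src=10.0.0.9",
    "2006-12-01T10:02:10 LOGIN_FAIL user=carol src=10.0.0.9",
    "2006-12-01T10:02:20 LOGIN_FAIL user=dave src=10.0.0.9",    # 3 distinct accounts -> spray
    "2006-12-01T10:03:00 LOGIN_OK user=erin src=10.0.0.7",
    "malformed line that is not an auth event",
]

if __name__ == "__main__":
    for alert in replay(SAMPLE_LOG):
        print(alert)
    print("player may rename:", authorize("RenameCharacter", {"player"}))
    print("support may rename:", authorize("RenameCharacter", {"support"}))
```

The per-account window is what blunts guessing against a single user's password, and the per-source distinct-account count is what catches a script working through many usernames with a short list of passwords, which per-account lockout alone never trips. The master password guarding moderation commands would sit behind the same guard as its own account, with the `authorize` check ensuring that a caller who has only a player session cannot reach the moderation methods at all.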
We asked if Kilga had made the vulnerability known to Tulga or EI Interactive. Unknown to him, Horizons had already been sold; however, David Bowman recommended that Kilga inform EI Interactive and provided him with contact information.
“Mr. Bowman told me: ‘This type of problem is significant and must be fixed immediately.’ He's 100% correct, it's not about what such a vulnerability offers to the untrained hacker, it's about 'a type of security hole' which can lead to abuses if a person is skilled and evil minded,” Kilga explained.
“After notifying EI I got a response from Mr. Rask, informing me that the executive GM will contact me shortly. This never happened.”
So what did he do then?
“I waited 60 days,” he said, “then I published it and I informed you.”
Ed Andercheck of EI Interactive/Pixel Magic saw this in a different light.
“[The SOAP vulnerability is] a non-event from the standpoint of security,” Andercheck told MMORPG.com. “It’s being closed.”
He noted that the hole only allows players to change their own accounts, and mostly only information they could have changed anyway. He told us that it was opened when the billing changed from IPlay to PayByTouch.
will this game just die already. as i have stated in previous posts, the game's owners are not to be trusted. they have not, and will not to this date help any customers in any direct way, old or new.
whether it was tulga or the new owners, they both were on track with one another, deny problems, silence the community, and throw out the tag line "its not our problem". too much bad blood in this game and an example of what not to do to your player base by both companies. does anyone wonder why the new company conducts business as tulga did? who is with this new company that has these tendencies... Bowman maybe?
also sad to see Bowman still employed with the new company even in a consultation capacity. the individual is simply dishonest. i would have called him a thief directly but i wouldn't want my thread bounced.
Umm... David Bowman isn't working for this company in any way, shape or form. He moved to Texas and works for the new Bungie split-off (I can't remember the name of the company, but it just went public. They are currently working on some Halo 2 maps, and have hinted in an interview that they are working on their own console title as well).
Not only does bowman not work for EII/PME, he doesn't even work on MMOGs any more:P. Do you even read the gaming news sites, or do you just yank random words out of the air?
Will someone stick a fork in this SOAP opera already!!
"solidly researched?!" No, this is all OLD NEWS except for the last 3 paragraphs or so [the part about Pixel taking over from IE - and even that is month old news!]
News Flash: Julius Caesar stabbed at Senate! More at 11!
I am glad I got my cancellation through and only played the trial, and did get my refund.
A shame, I think the game had potential.
Sadly, when this all falls apart once and for all, some of these folks will then be qualified to write the how-not-to-do-it manual. The game had some great ideas and potential, but the implementation and execution from early on was awful. The player community for the game must be the most patient, kind-hearted group in gaming though. I never played the game but tried to keep an eye on it in the hopes it might turn around, but alas things only seem to be getting worse. I even had thoughts that maybe during a vacation I might download the trial and give it a look, but now I feel totally uncomfortable even doing that.
Wow, the amazing research award goes to Carolyn this year :).
Very well done article, well written, well explained and very informative.
Thanks for all the work.
As much as I've bagged HZ, it's exceedingly sad to see the road this game and its few diehards have had to go down.
I guess Andercheck learned that taking over an MMOG game company is sort of like taking over a sports team, except every single fan travels with the team. The community of an MMO game IS the MMO, and to ignore and mistreat them is the worst idea you could have. I can't help thinking that if Horizons didn't already have such a devoted player base, then it never would have gotten off the ground with Andercheck.
-Mustasio
It's a real genuine shame about what happened to this game. It really was; this game actually had some potential of having some truly unique attributes, one of which was that one of the races, I believe, was not even humanoid [Dragons].
I will however hope that this new company will find a way to drag this game back to a working title with a decent level of lag rather than what was there when I tried it last time.
it sounds - from the last part of the article - that the clueless are trying to get a clue on how to build an MMO
i doubt that there are intentions to improve Horizons however - but to build a new one (like everyone and their grandmother) without the bad associations that Horizons has
of course i am wearing my tinfoil hat as usual
At least AO went on to finally correct their mistakes and build a pretty decent game (too little too late to get back all subscribers they could have had..but oh well)
I bought Horizons because I was nostalgic for Atari and thought .. wow, they have a history of making games, this could be good. Five minutes after I bought it I was pulling my hair out. I waited 2 days for the updates to finally finish.. then I found that it is so poorly optimized and was based on a system of loading the scenery, etc. as you moved that no one in the game could move more than 5 feet a minute unless they were on a T3.
After a week of total unplayability, wasted emails and phone calls trying to see how to finally get it to run, I gave up and contacted the Walmart that my wife worked at to return this piece of garbage. Lo and behold, she informed me that this particular game had so many people trying to return it that they had pulled it off the shelves and were not taking any kind of exchanges on it. You had to send it back to the distributor, which also refused to take it. The game store down the block said even "kinder" things about the game.
I also had the worst time in the world unsubscribing to this crap of a game. There is no use blaming the new owners, or even Tulga, this game has stunk since the start.
I agree it had some great ideas and at the time some good crafting ideas and I really was looking forward to it...so much that even after my initial bad experience I went back and tried it again a year later and then a few months ago.. sadly both times I erased it from my hard drive after less than a day. It is just unplayable and always was.
I will never be happier to see a game die than this 49.99 nightmare.
Emulating Horizons is next to impossible without some amazing server hardware and resources.
Here is the information about server specs for the Horizons shards, as told by Amon Gwareth on another forum:
As for why you need such a powerful server farm to run a Horizons shard, another poster by the name of Dangit (Who used to be the lead moderator for Tazoon.com, and later for the main community site run by Tulga) posted this in the same thread:
-Menkure
graill said:-
will this game just die already. as i have stated in previous posts, the games owners are not to be trusted. they have not, and will not to this date help any customers in any direct way, old or new.
hmmm, ok you don't like it, why keep on about it - just don't play it....
uncus said:-
"solidly researched?!" No, this is all OLD NEWS except for the last 3 paragraphs or so [the part about Pixel taking over from IE - and even that is month old news!]
News Flash: Julius Caesar stabbed at Senate! More at 11!
lol - though many don't have the time / inclination to follow the trials and tribulations behind the scenes of MMOGs, so any reporting of this type from MMORPG.com is appreciated
thepatriot said:-
What a sad sad tale and a pathetic attempt at fixing their reputation by forming a new company. Hey, I have an idea, why don't you actually treat your customers with respect.
this sounds suspiciously like common sense, wrapped around the truth
kyote said:-
It is just unplayable and always was.
it certainly had (lol has) its problems, but i fear you were playing it on an abacus, even my pretty ropey laptop could make a satisfactory attempt at running it.
the facts are... the game is too long in the tooth to warrant the premium subscription rates (it should be <$10/month - $25/quarter). at least that is what it should be without the thieving ineptitude, getting anyone to pay anything now will be difficult
a company treating the clientele like sh1t deserves to fail
the reputation of the game and the companies involved with it are all tainted, so best thing for it would be for those that care - the community to "stop getting bent over by the companies and EMU Horizons." aviendeha dec. 2006
An update to this ongoing saga
Andercheck is incorrect: billing on some accounts is still borked and they are still being over-billed.
Not everyone has been refunded.
And now they shut the test server ( Blight ) to use the hardware for the new Unitas ( old Unity ) people.
Blight-based players are now without a home and the email address EII/PM supplied was non-operational for five days.
The official forum is heavily modded to suppress the outcries about this.
End result : No Blight shard, no further development, contrary to what EII/PM will report.
Since taking over Horizons in July '06, EII/PM or whatever they call themselves have flushed customers down the gurgler at every change they have implemented.
I have no trust in Andercheck nor faith in the company he runs.
That is such an awesome observation Mustasio! I admit that in weak moments I wanted to try the trial and am so glad I did not, and am 100% sure now I will never go near that game after all I have read, though the Guild and building aspects still catch my fancy. :)
I remember beta testing this game and I think a lot of the testers were on some sort of floating city or something. As a special treat, David Bowman decided to unveil what an ancient flying dragon looked like by flying in as one and landing nearby. I never did buy the game, which apparently was a good thing, but the game in itself seemed to have a pretty solid crafting system. It was a sad day when Shadowbane died, but at least it's still playable for free. Perhaps they should do that with Horizons, cause I doubt anyone would pay to play it now, no matter who owns it.
You got a point there. After so many disastrous mishaps, who can trust this game and its owners (no matter how often they change their names :P) anymore. I guess they have a heck of a long way to come before they regain the trust of the MMO planet.
At any rate, Horizons' story is a ludicrous one, to say the least.
I started out in the beta and canceled my account a few months after it went live. I really wanted to like the game as it had so much going for it, including one of the best crafting systems. However, there was always something screwy on the management side, leading to a YARTEQ -- Yet Another Return To EverQuest.
Not only is it failing to keep customers but it is ripping the customers off by continuing to bill repeatedly for the same month. This game will be shut down soon at the current rate. Who knows, perhaps they will sell Horizons to a company that will do something useful with it, but that's most likely a dream.
I hope their entire company has to declare bankruptcy by the time this is over; doubt they will, but they deserve it.
EI don't seem to care about their customers, and without a mutual respect no one will trust them.