Beware the TGFT Utilities Plugin

May 17, 2015 Darth Nihilus link
+1 Greenwall
May 17, 2015 Lisa50469 link
No data failure. Time for you to teach some of these folks! That would be better than listening to them whine.
May 17, 2015 Kierky link
[01:49] <vo2> [100] <Archeron> "Ata-Bo Lennel", you have been noted as a user of TGFT_UTilities, you are now KOS.
[01:49] <vo2> [100] <death456> bahahaha
[01:49] <vo2> [100] <wolfman40> lol
[01:49] <vo2> [100] <Ata-Bo Lennel> i am not of their guild
[01:49] <vo2> [100] <Ata-Bo Lennel> im only using the plugin
[01:49] <vo2> [100] <death456> oh.
[01:50] <vo2> [100] <death456> ok i respect that
[01:50] <vo2> [100] <Archeron> doesn't matter, you're broadcasting all locations of players you see to TGFT's Servers
[01:50] <vo2> [100] <Ata-Bo Lennel> really?
[01:50] <vo2> [100] <Archeron> this is without other players consent and you shall be destroyed for aiding a SKV enemy.
[01:51] <vo2> [100] <Ata-Bo Lennel> i didnot realize it was broadcasting player data to them
[01:51] <vo2> [100] <Ata-Bo Lennel> i just use it for low/highprice finding
[01:51] <vo2> [100] <Archeron> you should read the Role Playing thread on the VO forums
[01:51] <vo2> [100] <death456> wow
[01:51] <vo2> [100] <Ata-Bo Lennel> dfuq would someone put such info under RP it should be on that plugins forum
[01:52] <vo2> [100] <death456> That is just wrong lol
[01:52] <vo2> [100] <Faille Corvelle> I think Archeron was refering to the fact he is KoSing any users of that plugin
[01:52] <vo2> [100] <Archeron> it's not a community project
[01:52] <vo2> [100] <Archeron> it's a TGFT plugin given to unsuspecting users to create a honeypot of information
[01:53] <vo2> [100] <Faille Corvelle> not that plugin onfo is in the RP forum
[01:53] <vo2> [100] <Ata-Bo Lennel> as for the guild/group of TGFT i did not know when i got the plugin they were a group/guild and so far they jus seem like a bunch of whiny imps who SKV has demo
[01:53] <vo2> [100] <ITAN Shop> Skygge Vakter [SKV] are an Ultranationalist Itani guild, specialising in elite combat and advanced tactics. (public.skygge-vakter.com)
[01:54] <vo2> [100] <Ata-Bo Lennel> demolished
[01:54] <vo2> [100] <Ata-Bo Lennel> is there another plugin that gives price data? cause im uninstalling tgft if it commandeers player data and feeds to them
[01:55] <vo2> [100] <Ata-Bo Lennel> in fact such a plugin sounds like it should be banned from the game
May 17, 2015 Kierky link
Lines 180 - 395 of the TGFT_Utilities main.lua

http://hastebin.com/qeqevacube.lua
May 17, 2015 Roda Slane link
Using a plugin that transmits information to an untrusted server, such that said information implicitly includes character name, or by context, explicitly identifies character name, can be used for alt identification.

Any plugin that transmits information to an external server is potentially revealing the ip address of the player running that plugin. Further, if the ip address can be tied to more than one character name, then those character names can be identified as alts. Tying the ip address to a character name can be done by a plugin, or by external observation. If a plugin reports that you saw character x in sector y, and character x also reports that he saw you in sector y, and you are the only two characters in sector y, then the server can connect the dots, and tie ip address to character name.

This is the inherent risk in using any plugin that transmits information to an untrusted server.

As far as your complaint that TGFT plugin is tracking your movements, and not reporting their own movements, your complaint is trivial. It is TGFT plugin, and it is obviously intended for their own benefit, not yours. Make your own plugin. Once you have been seen by another character, you have no guarantee of privacy.
May 17, 2015 SkinWalker link
I think the chief complaint is not that TGFT is obtaining info for their personal use. It's that they do so using a plugin that they posted publicly in voupr.com as a benefit for non-TGFT traders and pilots when the actual goal was to increase the size and scope of their own spy-network and, potentially, their ability to determine alternate characters.

There's no doubt that an IP address is sent along with a 5-digit passcode that does not change with alt use. If you use tgft utils on one alt, the same passcode is accompanied with any alt you fire up unless you manually copy the plugin out of the plugins directory.

The actual complaint is that TGFT has created a honey pot.
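
What the two posts above describe, as an added example that is not from the thread or the plugin: character names become linkable when reports share a source IP or the plugin's passcode, and the links are transitive. The record layout, field names, character names and values are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of what a receiving server could log for each report.
# Field names and all values are assumptions; the thread does not show the
# plugin's wire format.
REPORTS = [
    {"src_ip": "203.0.113.7",  "passcode": "48213", "character": "Pilot A1"},
    {"src_ip": "198.51.100.9", "passcode": "48213", "character": "Pilot A2"},
    {"src_ip": "198.51.100.9", "passcode": "77001", "character": "Pilot A3"},
    {"src_ip": "192.0.2.44",   "passcode": "90210", "character": "Pilot B1"},
]


def linked_characters(reports, keys=("src_ip", "passcode")):
    """Return groups of character names that share any identifier value."""
    parent = {}

    def find(name):
        while parent[name] != name:
            parent[name] = parent[parent[name]]  # path halving
            name = parent[name]
        return name

    first_seen = {}  # (key, value) -> first character seen with it
    for report in reports:
        name = report["character"]
        parent.setdefault(name, name)
        for key in keys:
            ident = (key, report.get(key))
            if ident[1] is None:
                continue
            if ident in first_seen:
                parent[find(name)] = find(first_seen[ident])
            else:
                first_seen[ident] = name

    groups = defaultdict(list)
    for name in parent:
        groups[find(name)].append(name)
    return sorted(sorted(members) for members in groups.values())


if __name__ == "__main__":
    for group in linked_characters(REPORTS):
        print(group)
```

Pilot A1 used a different address and Pilot A3 a different passcode, yet all three land in one group because each shares one identifier with Pilot A2.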
May 17, 2015 Roda Slane link
It is TGFT's plugin, and if it provides any benefit to non TGFT users, that is justification enough to release it publicly.

It is unreasonable to expect TGFT to allow their own plugin to be used against them, or to not take advantage of any additional information provided by non TGFT users.

If you do not wish to assist TGFT, or you wish to do harm to TGFT, then you should not use their plugin. It is their plugin, and they have no reason to promote a plugin that would be used against them.

Further, TGFT has a long history of alt tracking, and if you do not wish TGFT to know your alts, you should not use their plugin.
May 17, 2015 Kierky link
You failed to mention the case where this happens, Roda.

[01:51] <vo2> [100] <Ata-Bo Lennel> i didnot realize it was broadcasting player data to them
[01:51] <vo2> [100] <Ata-Bo Lennel> i just use it for low/highprice finding

Transparent, is what all public plugins should be.
May 17, 2015 buttcast69 link
Since this convo has been dominating 100 for a few days, here's my 2c.

The fact that the plugin doesn't come with a warning is lame -- and IMHO even the warning isn't enough. To make things totally above the board, data collection on players should be opt in. Just like when you download some freeware and it asks if you want to install a lame malware toolbar for your browser. Make users click a box to enable data reporting and POOF zero complaints and 100 can go back to debating the morals of piracy/swarms/b8/urmom.

Further, I don't really like the idea of there being a system-wide player reporting list. That's just me. If the plugin becomes super popular, then maybe most people do and I'm in the minority. And if so, maybe it's something that should be in the hands of the devs or a transparent public repo.

Some would say "but the plugin is basically just the equivalent of someone on guild chat saying 'hey pirates in latos'." But when you have a bunch of people unknowingly using it, that's the equivalent of saying that a DDOS botnet is just a bunch of people pinging a server to test their connection speed. It's not the same thing.

Overall it just seems shady.
May 17, 2015 Savet link
I've stayed out of this until now; there are some valid and some invalid concerns.

The invalid:
-IP address: any server you connect to can reasonably be expected to log your IP address for abuse tracking. There is nothing that indicates the plugin should behave anonymously.

The valid:
-Spotting data: The collection and transmission of spotting data is completely absent from the plugin description on voupr. A player who downloads the plugin cannot be reasonably expected to assume that the plugin will spy on their location and the location of those in the same sector.

From the voupr site:

Many functions for finding things in VO. General Utilities.

/search
/lowprice
/highprice
/stations
/mydent
/autounload
/turbotoggle

See more info on the TGFT forums under plugins.

The Problem:
Many guilds run spotting plugins, but a plugin published for the purpose of spotting is at least honest about what it is doing. To collect such data surreptitiously could reasonably be interpreted as a violation of the Computer Fraud and Abuse Act.

http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act

Some highlights about the above act:

1. Protected computers

In practice, any ordinary computer has come under the jurisdiction of the law, including cellphones, due to the inter-state nature of most internet communication.

2. Criminal offenses under the Act

(a) Whoever—

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—

(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602 (n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer;

(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
(5)

(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.

Final Thoughts

The most pertinent section is 2, where the offense is solely targeted at unauthorized/exceeded access of a computer.

Sections 4 and 5 above are relevant because a person's time and reputation in-game are built over a period of time. A player who has been playing for years and suffers loss of reputation and enjoyment could reasonably be argued to exceed the $5,000 and the impact would most certainly occur in a period under the 1 year threshold.

By Lisa's own admission:
"Data regarding alts is restricted to only the CO, and LT's. That way we can maintain alt separation."

Since the plugin is collecting and transmitting data in a way that the user cannot be expected to have agreed to based on the plugin description on the download page, this could be interpreted as a violation of exceeding access to a protected computer.

To resolve this, I recommend the plugin description be updated to include this description with the disclaimer that the transmission of such information is not anonymous and exposes player data to TGFT which includes the player's character name, IP address, and data related to other players in the same sector as the user of the plugin.
May 17, 2015 Pizzasgood link
"The fact that the plugin doesn't come with a warning is lame -- and IMHO even the warning isn't enough. To make things totally above the board, data collection on players should be opt in. Just like when you download some freeware and it asks if you want to install a lame malware toolbar for your browser. Make users click a box to enable data reporting and POOF zero complaints and 100 can go back to debating the morals of piracy/swarms/b8/urmom."

Well, as I said I do agree with having a disclaimer. However, when it comes to having a mode of operation that doesn't report data, I need to point out that most of the functionality it provides requires people to report that data. It doesn't magically obtain remote price information from the game; the remote price information it uses is the information that everybody's plugin is gathering locally and submitting to the server (and doing this reveals your location by accident, because if you're informing the server of price data at Sedina L-2, then obviously you are currently at Sedina L-2).

That said, the price data doesn't require reporting player sightings. That is a "feature" that they could make optional without disrupting core functionality.
May 17, 2015 Kierky link
May 17, 2015 Savet link
Rin, the complaint about transmitting data is targeted at the transmission of player spotting data, not the station/item/price data.

It's noted in my very long-winded post above, as well as Kierky's posting of the plugin functions, that this spotting data is not in any way communicated to the users of the plugin that they will be providing such data.
May 17, 2015 Pizzasgood link
Oh, on the topic of price data, I want to point out that there are server-less alternatives. Their information is always a little outdated, because they only update when you personally visit a station, but that's still a lot better than nothing at all.

That said, I don't trade so I can't really advise you about specifics. I know there's one called Trade Assist that people used to like a lot.

Personally, I use my Catalog plugin. It is not geared to provide useful information for doing trade, but it's pretty handy if you just want to know which stations sell something or how much an item costs. (And if you're a pirate, it has a useful feature for parsing the output of a cargo scanner and estimating the value of the loot, so that you can choose your targets more efficiently. Very handy if you're grinding NPCs.)


"Rin, the complaint about transmitting data is targeted at the transmission of player spotting data, not the station/item/price data."

Yes, I realize that's what you and Kierky are talking about. I was referring to buttcast69's more generic comment.
May 17, 2015 Savet link
Gotcha. My apologies.
May 17, 2015 biretak link
LOL Savet, the plugin does not access data the devs have not made available to the developers of plugins for this game. As long as the plugin stays within the game developers' guidelines, I doubt any reasonable outside person would think any fraud or abuse occurred.
May 17, 2015 Pizzasgood link
You misunderstand. Savet is not saying you're violating Guild's rights. He's saying that you're violating the player's rights. And note that Guild Software has no authority to absolve you of violating other people's rights. Incarnate's opinion only reflects Guild's relationship with you. I.e., it is his opinion that you are not violating the rules of his game. Whether you are violating the rules of his game has no bearing on whether you are violating the law with respect to other players.

I agree with Savet's logic, however his facts don't appear to be correct at this time. The Voupr page does state that the plugin collects information on players you encounter, unlike the quote he posted. Perhaps the page was amended after his quotation was made, in light of the discussion here. Anyway, as it stands right now, I would not agree that the plugin is doing anything illegal, given that it does disclaim that the information is being collected.
May 17, 2015 buttcast69 link
From pizza: "[...] It doesn't magically obtain remote price information from the game; the remote price information it uses is the information that everybody's plugin is gathering locally and submitting to the server (and doing this reveals your location by accident, because if you're informing the server of price data at Sedina L-2, then obviously you are currently at Sedina L-2).

That said, the price data doesn't require reporting player sightings. That is a "feature" that they could make optional without disrupting core functionality."

Sorry, I wasn't very specific and you've got a valid point. I'm on the same page as Kierky etc. I think the VO player base is understanding of a crowd-sourced trade plugin. Like others, I was [trying to] talk specifically about the less-obvious player spotting data (and I guess the alt stuff too).

However, it's generally good practice to be very upfront about any consumer/user data being sent back to servers. Most software developers are very upfront about this in the long-winded EULA section during installation.

I can see how VO plugins have been, for a long time, a medium where less-than-professional installation/disclosure is the norm. They're just plugins for a cool space flying pewpew game. But maybe in light of recent events, full and clear disclosure of user data transmission should be the norm, if not a requirement.
May 17, 2015 Kierky link
"The Voupr page does state that the plugin collects information on players you encounter, unlike the quote he posted. Perhaps the page was amended after his quotation was made, in light of the discussion here. Anyway, as it stands right now, I would not agree that the plugin is doing anything illegal, given that it does disclaim that the information is being collected."

This is as a result of this thread, and Lisa making an update to the plugin. If we made no noise, would that have ever changed? Probably not.
May 17, 2015 Pizzasgood link
Yeah, I'm not saying that noise shouldn't have been made. :)