RuneScape Community Forums (since 2001)

Full Version: My Maimed Experience
I used to be a player of this game back in 2005-ish. I could remember playing Runescape (which people now call Old School Runescape, or OSRS) a while ago. I didn't really understand how to play because I was younger. I didn't bother with the quests, I just played around and wandered from time to time, fighting monsters and training other skills from time to time because I liked the open world exploration. I did enjoy the PvM and skill training experience enough. I was absolutely not into PvP, and I still am not, even as an adult. I remember getting 70 woodcutting and chopping down magic trees all day for large amounts of money in a member's server. Good times. I think I quit due to boredom, and high school was taking most of the time of my life away, in general. I can't recall, but I think I actually asked my parents to buy membership for me, which feels weird to say now. I had no money of my own to spend back then! Lols.

Jumping forward to 2020, I already knew that "Runescape 3" was a thing. I never saw gameplay footage of it. I booted up for the first time, jumped right in, and I was pretty blown away. The graphics were quite nice and pleasing to the eyes, the clean and customizable interface was lovely, and I loved that some of the classic "Runescape 2" elements were still being used, like the text typeface and item icons. It is still as charming and nostalgic as I remember. I actually finished almost all of the F2P quests for the first time! It was fun.

However, a few large issues with the game still remain:

---

1. Membership Restrictions

I will be fair here and say that Jagex really does need a way to pay for their server's operations, and other assets they own, but the free-to-play aspect of Runescape feels so incredibly restrictive. I get it, I really do know why they do it this way, but I would rather just buy a game, then play the whole thing, like Monster Hunter World, or Guild Wars 2, for example. Maybe those games have in-game purchases, I don't know, but those should always be optional, and not interfere with aspects of gameplay. But lack of membership does interfere greatly with gameplay in Runescape, to a very annoying degree.

I always have to figure out and remember which things require membership to use. And it's so annoying. I really hate this. I wish they would stop doing this, and just either decide to make Runescape free-to-play and add optional in-game purchases, or make it completely subscription based with no in-game purchases. Instead, they do both, in a really terrible way. I feel like people tolerate this, instead of arguing with it. And that just really pisses me off that nobody cares enough about this.

This old model does not work well for most people anymore, and they refuse to change it.

---

2. Short AFK Timer, and Obsessiveness Over Bots/Macros, and Bug Exploits

The AFK timer in Runescape is set to 5 minutes. When you don't move your mouse on the active window for that period of time, you get logged out and taken back to the lobby screen.

I'm sorry, but that is WAY too short. Max length should be something like 30 minutes, minimum 15 minutes. It is a bit annoying from time to time, especially if you are doing long smithing sessions, where you can open the smithing interface and, you know, start smithing a whole inventory of things. That takes a lot longer than 5 freaking minutes to smith all of that stuff. I'm sure there are other reasons to not pay attention to the screen for over 5 minutes, but it's just odd to me that they chose something that short.

If a player wants to be AFK, then let them be AFK. What's the big God damn deal? Why is Jagex policing people who either want to go AFK, or use macros in the game? Macros don't harm anyone, not even Jagex. However, if a macro or bot is purposefully trying to cause a direct DOS attack on a server, along with multiple bots trying to DDOS, then that's the only situation I can see where it harms players and Jagex.

Most people say that AFK training is cheating, but I respectfully disagree. Skill grinding can honestly be boring for some people, depending on the situation. And for most other players, they love it, but would rather farm more efficiently, or easily. So players might use a bot/macro, then check up on it once in a while. Maybe it's a macro that's semi-automated, but they still have to run, then bank, then run back again.

Again, I really don't see the harm. Macros can do anything a normal player can do, and some hardware/software macros can be programmed with high-precision random timers to hide themselves very well anyway. Nobody can prove or disprove they are using a macro unless it's plainly obvious. Has Jagex ever banned someone by accident when all they were doing was just being as efficient as they could with their own hands? I'd like to know. Nobody has to say if they've gotten away with macroing, obviously. Hahaha.

Now a bot that actually cheats, and can perform actions that a player CANNOT do is something I do not support. Performing actions outside of the game's programming and logic, such as bug exploits, are actually detrimental to the rest of the players and community.

Now I don't think players should get permanently banned for bug exploits, but I think that bugs do happen, obviously. And maybe a punishment of a few days is fine. Do they do that already? I'm not sure... Anyways, proper disclosure of bugs should be taken with praise. I hope more people do it, without fear of getting banned because you accidentally discovered a bug that you accidentally exploited, once.

---

3. Account hijackers/crackers, server bugs, and lack of responsibility from Jagex

Recently something happened to my account. I'm not necessarily sure what happened, but I explained it in as many details as I could in an E-mail to Jagex. I lost 21M (remainder that I sold from a bond) and 3 bonds in my inventory that were stored in my currency pouch, or whatever it's called. I used one bond for membership already. Basically, I bought 5 bonds with $35, and 3 bonds and 21M were gone.

I was just chopping a tree, and my client froze. I have no idea what would have caused this. I forcibly closed my client and tried to re-login, but it told me that "Your account has not logged out from its last active session." I was really confused by this message and just thought something was wrong with their servers. So I just waited a while, and so far, I re-logged in, and everything seemed okay at first. Most of my level 40 adamant equipment was taken off then stored in my bank, which I thought was weird, and everything was still there... so I thought.

It wasn't until several hours later when I was training my skills that I noticed I had no money. So I checked my bank because I thought it would be in there, and nope... it was all gone. I also checked my bonds a few minutes after, and noticed they were missing as well. I don't know what happened, was it a bug, or was it stolen? I had to wait 2 days to find out after a response. But I basically just lost $35 worth of virtual currency in the same day after buying it with my own money.

Their message is as follows:

- Beginning of E-mail reply

Hi [Name Redacted],

Thanks for contacting us about your recent item loss.

It looks like you have lost your items due to a security/scamming incident. Unfortunately, as described in our lost items policy, we're only able to return eligible items that have been lost due to a recognized service disruption or confirmed bug.

I understand this isn't the news you were hoping for and how frustrating this could be, but it isn't a decision that has been made lightly. [Yeah, right]. To prevent this from happening again, please follow our advice to safeguard your account and in-game wealth.

We hope you understand [I really don't] and wish you all the best on your future adventures.

For help with any other issues, check out our Support Centre.

Kind Regards,

Mod [Name Redacted]
Jagex Support

- End of E-mail reply

This mod was at least polite in this E-mail, but that's the summary of it. Apparently they have proof that this happened to me.

Before this E-mail response, I looked more into this, and it turns out that account hijackers/crackers are still a thing in 2020. What the fuck? I'm sorry but, I thought that after 15 fucking years, Jagex would have learned to implement better, hardened code by now to secure their fucking systems or something. If someone can circumvent the game's security so easily, what's to stop other possible attacks? What insurance do players really have? Nothing?

Basically, nobody wins because of account hackers. If Jagex keeps charging players money, and Jagex does nothing to compensate players due to hackers, the player will have their money stolen, the hackers will have stolen that money and can use it however they want, and Jagex will slowly suffer due to a lower player base, because they don't get the support they need, and nobody wants to get hacked. Basically, the hackers win, and it's because Jagex is allowing them to win, and neither the player base nor the company is actively fighting back. Why is this continuing to happen?

Now the excuse is to use a bank PIN and two-factor authentication. I will go over my next complaint about the passwords, but let me just say the problem with this...

A bank PIN and two-factor authentication will NOT protect the items your character is WEARING. I was hacked while I WAS STILL LOGGED IN. If that's possible, ANYONE CAN BE HACKED AT ANY GIVEN TIME. If at any SPLIT SECOND someone decides to pull out money or wear expensive equipment, could they have it stolen? Fuck... THAT! Why should ANYONE play this game if they can't even feel safe wearing their usual equipment?

The worst part is the sheer irresponsibility from Jagex. I know for a fact that they do not replace equipment that is stolen. I'm sorry but I PAID actual MONEY for those bonds and coins. You cannot just do that and act like it's ethical. I hear horror stories of people getting 500m or higher "rares" (very rare and no longer dropped) equipment in the game. I really feel very sorry, even if they are strictly F2P players, and especially if they are P2P. Those people should obviously be compensated back, or refunded if they paid for any of that equipment from Jagex themselves.

Some people are nice enough to help out and compensate other people, but that's not the point here... Jagex themselves should be doing it, not other players. Jagex administrators obviously have the power to do it, but they refuse. I mean, if you look at the Java source code for many Runescape private servers (RSPS), there are commands to generate all sorts of items and coins easily. That's a fact. There's no excuse for not helping out. Legitimate players should not be responsible for the lack of security and responsibility that Jagex shows.

Also, side note, the 2FA implementation sucks pretty bad. You can tell the Runescape client to not prompt you for it easily, I believe. It's actually much more beneficial to set up the bank PIN, because it seems like account hackers have no way around this... but I wouldn't hold your breath. It seems that these people are getting more clever and dangerous. If they can hack you while you're still Online, I question when are they going to figure out how to circumvent the PIN as well, even without the PIN reset.

I also won't go into detail of how hackers get your account, but apparently they can trigger a password reset, and get into your account that way. I mean, wouldn't they need to have access to my E-mail? I have a secure E-mail (I won't reveal the name), and it was never breached, to my knowledge. I am very certain they did it without using my E-mail.

Anyway, this really made me upset. Jagex had one last attempt to help me enjoy the game, and they blew it. Now for the last big problem. Read below.

---

4. Jagex does not salt and hash the passwords you use to log in

This is another big problem, and very common mistake that some companies present, due to lack of security practices and understanding. I have heard from someone who claimed that you are able to log in to your account with a case insensitive password, and that IMMEDIATELY set off a HUGE red flag in my head VERY QUICKLY. The only excuse I can think of doing this would be to help younger players who don't understand password security very well, or an accidental usage of the Caps Lock function on the keyboard, as to help them log in regardless. But unfortunately, in this day and age, there is really NO excuse for bad password security, and NOTHING can excuse storing passwords in plain-text on ANY computer with live Internet access.

Anyway, the person who claimed that was absolutely correct.

I typed in my password all lowercase to learn that I could log in that way.... And that means that Jagex is holding your password in their servers in plain text, and not using a proper hash and salt for your password.

Okay, so to understand why password hashing is so very important, it's also imperative to understand what a hash is. I'll try to explain it as briefly and simply as I can. A hash is a means of using one-way encryption to create what appears to be a garbled string of text, that cannot, mathematically, be decrypted back to the original password. I'm not going to explain what hash salting is because... honestly that's something I don't fully understand how that works myself, either.

Now what is the point of this, you ask? Well, a proper hash algorithm (the math behind making a hash) has to create a UNIQUE hash for every unique set of characters that your password has. For example, if you use "Tubular" as your password, it will make a very different hash than if you used "tubular" as your password. This automatically increases the strength of passwords by a lot, assuming a good, standard hashing algorithm and secure protocols are used.

Jagex should then store this hash in their server (with a salt). When you enter in your password in the Runescape Client, it should then create a hash using the hashing algorithm on your computer, and then compare the hash on the client with the one on the server, NOT the passwords. This way, Jagex will never know your password, and anyone who tries to exploit Jagex's Runescape database will never know your password.

But wait! What if... someone could exploit and get a hold of Jagex's database of passwords?

That's right, that would be a massive breach. That means EVERYONE can be hacked. EVERYONE. That would be a huge embarrassment if that happened for sure! I'm sure the player base won't suddenly drop and dwindle off by half or so if that ever happened, right?! Ahem....

I'm sure Jagex would never let that happen. Never.... Oh boy.

So anyway Jagex, please fix your fucking security holes already. You're a terrible company that is ruining your own game slowly and surely. I'm done supporting and playing Runescape until I can feel safe and comfortable playing it. Otherwise, fuck off. The end.
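
Added example (not part of the original post, and not Jagex's code): a minimal salted password store in Python showing that "Tubular" and "tubular" hash differently, that a per-account salt makes the same password hash differently on two accounts, and that a server which folds case before hashing accepts both spellings while still storing only a salt and a hash. Hashing is done server-side here; the function names, the PBKDF2 parameters and the `fold_case` flag are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (example value, an assumption)


def _derive(password: str, salt: bytes, fold_case: bool) -> bytes:
    # A case-insensitive login policy normalizes the input *before* hashing,
    # so it shrinks the password space but needs no plaintext copy.
    if fold_case:
        password = password.casefold()
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(password: str, fold_case: bool = False) -> dict:
    """Build the record a server would store: salt, policy flag and hash only."""
    salt = os.urandom(16)  # fresh random salt for every account
    return {"salt": salt, "fold_case": fold_case,
            "hash": _derive(password, salt, fold_case)}


def verify(record: dict, attempt: str) -> bool:
    """Re-derive the hash from the attempt and compare in constant time."""
    candidate = _derive(attempt, record["salt"], record["fold_case"])
    return hmac.compare_digest(candidate, record["hash"])


def demo() -> dict:
    strict = enroll("Tubular")                  # case-sensitive account
    folded = enroll("Tubular", fold_case=True)  # case-insensitive account
    twin = enroll("Tubular")                    # second account, same password
    return {
        "strict_exact": verify(strict, "Tubular"),
        "strict_lower": verify(strict, "tubular"),
        "folded_lower": verify(folded, "tubular"),
        "same_password_same_hash": strict["hash"] == twin["hash"],
    }


if __name__ == "__main__":
    print(demo())
```
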

Thanks for your post and welcome to the community.

One piece of advice I can give you is to use a separate email for RS as well as running a virus scanner often. Sadly, phishing and hijacking still occur. Sorry for your loss.