Confession

Status
Not open for further replies.

Meat Hacker

New member
Although this post is directed to KoL administrators more that KoLMafia creators, we thought it would be useful to post this here as well. There are some features that need removing in KoLMafia to prevent this from happening again.
---------------------------
We begin in the Fall 2006, with a character by the name of jcarter. He was the first of a hundred, then three hundred, and eventually fifteen hundred characters. He and those after him spent their days at the old Icy Peak, then moved on to the Castle when conditions changed. What follows here is a description of a now-defunct meat-gathering operation.

Our initial goal was just to show that it could be done; that people would pay money (and plenty of it) for goods in the Kingdom of Loathing. Well, that much we already knew, evidenced by the (at the time) thriving market for meat, food, and rare items. The first prize we set our sights on was a nice dinner at a local Brazilian steakhouse, which would run around $100 for the three of us. The programs we wrote and ran would gather this much in Kingdom currency in a few weeks time, and shortly after we succeeded in transmuting virtual meat to the real thing. It was delicious.

There seemed no sense in stopping, so we set out towards our next goal; paying for a Wii for each of us three. Two months later, we had that as well, along with a few casualties along the way and many new ideas and methods for continuing and growing the operation. We continued to run until May this year, and have since shut down our experiment in virtual retail. All in all we gathered some 2.5 billion meat and extracted $4,000 from all too willing buyers.

The Method

#1 - Automation
Playing two or three characters per day by hand is tiresome, but playing six hundred per day as such is impossible; without KoLMafia that is. This delightful program's robust scripting language gave us all the tools necessary to log in, level, farm, eat, and drink our way to billions of meat. The initial work on this consisted of building a script that would level a character from zero to farming, quest where necessary, and procure equipment and supplies. Our script played with amazing efficiency at lower levels, dragged a bit in the mid levels, and monotonously farmed forever after. The design was basically a state machine controlled by quest state, level, and stats. Two or three weeks was typical for these characters to reach farming level. The 1500 characters that ran this script leveled up with zero assistance from other players, so we didn't technically break the letter of the law, though we trampled the spirit of it pretty thoroughly. Additionally, these characters never benefitted any of our own characters, merely our real world pockets.

#2 - Aggregation
Making a sale requires that meat be moved in large quantities, unfortunately a rather conspicuous act. Our first round of character deaths resulted from our initial and very primitive method of mailing it all to a single character and from there on to the buyer. This mistake claimed roughly 100 accounts. The next approach we used was aggregation though the mall. This works fine, to a point; we suppose that the sheer volume of transactions in the mall is too great for Asymmetric to monitor with complete fidelity. However, as our 100 surviving characters were joined by 200 newly farming-level accounts, we ran into another hitch. Apparently selling 90 million meat worth of three-million-percent-markup meat paste in a single day set off a buzzer in Kingdom headquarters, and we lost nearly all of the 300 active accounts (jcarter and a handful of other early ones survived). In the end, this scheme worked just fine, as long as we limited a single store to fronting 100-200 characters at a time.

#3 - Don't Get Banned
This operation went beyond the point where it could be defended by a "technical" adherence to Kingdom rules, and so required a level of anonymity for accounts involved. The strategy here was to use KoLMafia's own proxy feature in conjunction with Tor, an anonymizing, multi-layered, peer-supported, free proxy service. Through Tor, our characters would log in from a different IP each night and day. This met with mixed results. Although this does effectively mask your identity by routing traffic through numerous machines across the world, it is rather slow. Also, the number of end-nodes (those users who open their machine to routed traffic) is limited, so we still have a limited set of IPs from which to play. Later on in the program, when we reached our peak of 600 active accounts, we believe this limitation resulted in the last, and largest loss of nearly all 600 accounts (jcarter, 9/06-4/07).

#4 - Character Generation
This was one solution we had to engineer all ourselves. In the beginning (for the first 100), we did it manually. Hotmail, Yahoo, and Gmail were happy to oblige the accounts we set up to receive activation emails. Eventually this became tiresome and we developed a few tools to automate the process. We used throw-away email accounts such as those offered by Shortmail and Ipoo. We generated random real names from recent census data, using the most popular last names and about 70% male, 30% female first names. An abundance of badly named characters can also be trouble, as we discovered when 300 or so accounts were lost because I forgot the census data was formatted in all caps (so the names were all along the lines of JOHN SMITH, MARY BAKER). The character names themselves were the most interesting to generate. Among dozens of possible name formulas used were combinations of two names, a name and a number, an adjective and a name, or a title and a name. These were wonderfully authentic and passed for real creations without question. In fact the random names were more in line with the Kingdom than a lot of 'real' player names we encountered. We wrote programs to submit account creation requests, real the activation email, and confirm the account, generating a new account once every 30 minutes to be less obvious. This also ran through Tor so the new player would appear to be from different IPs.

The Results

Of the 1500 accounts made, all 1500 reached farming level. These were primarily disco bandits, armed with a leprechaun and everything else you'd expect. Cheap gear and skills that add to meat drops. They typically made 110,000 meat per day after expenses and sales. At the height of the operation, there were briefly 600 active farmers, for a total of 66 million meat per day. In cash terms, that's roughly $110 after fees. If maintained for an entire year, that rate amounts to over $40,000 a year. Our operation wasn't nearly that fortunate, but it did pay for dinner, a few Wiis, and a few month's rent. The market began around $1.80 per million meat and rose to $2.00 before currency sales were outlawed. We invested about 80 man-hours in the project over its eight-month life, for a return of about $50 per hour. Not bad.

Two and a half billion meat later, we have advice to those who would rather this sort of thing never happen.

#1 - Report Sales
Anyone can do this. Simply search for auctions of virtual Kingdom goods and notify the auction site. Many will take these down quickly and inform the auctioneer not to post similar auctions. This has all but eliminated the main market, but should it reappear, this is how to make it disappear again.

#2 - Break KoLMafia
This tool allowed us to do so very much. Mafia should discontinue the proxy feature (for obvious reasons) and remove the ability to send hand-crafted URLs (this allowed us to complete the tavern quest before Mafia fixed their function and train skills automatically). Consider closing the source. Trivial modifications to the source enabled us to craft URLs to target our mall-buying for essential meat aggregation. Without this tool, this project would still be possible, but we probably would have lost interest before it carried away as it did.

#3 - Forbid Throw-Away Email Domains
Don't allow accounts to register with ipoo.org domains. There are other such services, and you should ban those domains as well. If you look at characters made in May, about once every 30 minutes a new ipoo.org address registered an account. The confirmation code is a weak system for ensuring real people are playing. A CAPTCHA system would have deterred us very early on.

#4 - Watch Tor
Tor in particular allowed us to hide, but it has weaknesses. There are a limited number of exit nodes, perhaps only a few hundred. Catalog these IPs and correlate them to accounts. Though legitimate traffic may come through Tor, it is worthy of suspicion.
 
Status
Not open for further replies.
Top