Wednesday, November 28, 2012

Spies please X up

"Logis X up" or "Firewall X up" is a call for pilots of certain ships to put an X into fleet chat to notify the one who asked about their numbers. TEST has another running joke, "spais X up", where "spai" is leetspeak for "spy". Someone reading carelessly always Xes up, to common hilarity. Also, when someone asks "where the fleet is", he gets some "spy" comments, but soon someone gives him exactly what a spy would want to see: the fleet location.

To my surprise, I wasn't kicked for spying. I am trying to find the recipe of success of HBC and communicate it to others, including enemies. If I do it right, I aid the enemy by giving them vital info. This is the definition of a spy. Yet the only comments about my activity in the forums were "we never had an EVE-University spy before", referring to the fact that teaching people is an EVE-Uni thing. Also, when forum porn got out, no one started to seek who was the spy of EN24 because no one cared. Spies are considered unavoidable and not worth fighting off from the grunt level. There is no spy check in Dreddit and you aren't asked to provide private information to TEST via API if you are just a line member.

Let me point out something crucial: if you have any form of spy detection, you are not newbie friendly. You can anchor cans, spam them via mails, recruit on the forums, assign them teachers, give them start money, celebrate them and all; it means nothing if you have spy detection. You ask the newbie to fully trust you: give you his full API, contract you his ships, put things into the corp hangar and so on. In turn you give him no trust. He won't get your API, he won't get your ships and he won't have access to the corporate hangar. If he is a true newbie not yet adapted to the EVE culture, he will find such a "full cavity search" in a video game offensive. If he is a newbie in the sense of having been in highsec for only half a year, he'll be suspicious and expect recruitment scams.

Only veterans understand the need for spy detection in EVE. Only veterans see the difference in risk between the corp and the member. Only veterans can see the load on leadership. So only veterans will not be offended by your request that they fully trust you without getting any trust in return. The moment you tell a newbie "prove that you are not a spy" via any technical means, you have probably lost him.

To make it worse, a newbie can easily "be" a spy without any bad intention. He is unaware of security measures and can easily say or do things that will give crucial information to the enemy. Then he'll be kicked as a spy. Let me entertain you with my own newbie mistake: I wanted to cap up the titan during travels but couldn't target it (after a jump there is immunity I didn't know about). So I said something like "I can't lock you titan for some reason". I did not see which tab I clicked and said it in local, to the amusement of the fleet and the "spy" spam. Local channel is now on the other side of the screen, away from fleet. The only way for a newbie to avoid such an information leak is to constantly be in doubt and double-check every action to make sure. Not a fun way of playing.

There is an alternative to spy detection: spy-resistant policies. For example if you only haul 1B in a freighter, you won't be suicide ganked even if everyone knows your location. Similarly the titan I gave out in local wasn't bothered since he used a well-designed and well-known titan midpoint with several supercaps being able to rescue it in a minute. Having spy-resistant policies is necessary to operate in a newbie-friendly way.

Why do most corporations choose spy detection instead? Because spy detection lets the veterans go easy. If no one knows that you are hauling 10B in that Rifter, it will probably get to Jita as no one scans Rifters. You can move your fleet without scouting, you can leave valuable ships in a POS shield, you can manage items without having to deal with passwords or limited access cans or whatever. Spy-resistant policies are demands on the veterans about how to act in order to remain safe despite likely spy attention.

No one wants to make extra effort for other people, especially for newbies. It's much easier to let the HR guy do some extra work and the others play as they want. The costs paid by newbies are ignored as they aren't members yet. So we can assume that every corp will prefer spy detection over spy resistance. Why does Dreddit stand out by being probably the only nullsec corp with no full API request? Are the Dreddit veterans some superhumans who are ready to make the necessary sacrifices for newbies they don't even know yet?

No, I think Dreddit veterans are just players like everyone else. However, the corp size gives them no choice. If you have an HR guy who can catch a spy with 99% chance and your corp picks up 10 new members a year, you'll be damaged by a spy once in 10 years. That's acceptable. However, Dreddit gets about 100 new members a month according to the Dotlan graph, so Dreddit hangars would be emptied every month if the corp weren't designed to be able to operate with known spies on board. It's simply impossible to keep spies out of a large corp, and that forces the veterans to suck it up and make the extra effort or deal with the inconvenience that spy-resistant policies mean. Without the paranoid and offensive measures of spy detection, newbies both feel welcomed and can learn without always having to fear that they will cause some serious trouble by mistake.



I somehow missed this kill last week. I'm without words. The Kestrel of PLEXes is now dethroned.
The purple ratting Machariel with warp disruptor and nanos is an interesting thing too.
13B Freighter is bad enough but since his killers used drones, I'd guess he died to war targets which makes him a capital idiot.
The Goons keep doing the Lord's work in Uedama. The Lord do not wish thee to fly 12B worth of totally random crap in a Freighter.

21 comments:

serpentinelogic said...

Spychecking is important in industrial corps, because CCP's corp security scheme is terrible at stopping industrial sabotage.

Granting access to corp-controlled labs implicitly allows a character to see what's being produced, by whom, where, with the ability to cancel any job.

a spy said...

That's an interesting post.

I have played EVE for 5 months now but I am an intelligence officer in N3, in a large newbie friendly alliance (yes you can guess easily).

First we recruit newbies. As we don't have a large natural pool of recruitment, like Dreddit, we use more direct ways, i.e. convoing/mailing people in high sec in systems where the tutorial takes place. That way we can recruit people pretty much from day 1 but we still ask them to go through a complex process: they have to give us their API key and to register on our website. And ... it works! We are growing extremely fast, it's comparable to Dreddit. And even with that policy we are very very resistant to spying.

However I think you have a good point, asking for the API key is pretty much useless as a competent spy can always avoid detection. Without asking for it we would recruit even more people. On the other hand asking for it has good aspects... the first that I can think of is that those that accept it will probably be more willing to go through the process of setting up jabber/coms and make efforts to learn the game. Another good point is that it's still a decent way to avoid casual spies (typically spies with 57k SP ^^ or spies that transfer money to their main).

Also, and I know that very well, it's not because you aren't aware of any form of spy detection that it doesn't exist. Even with a spy-resistant policy some form of counter-spying is needed. I mark people as "suspect" so that we can watch them closely and go through their API key, we investigate the API key of people that may become officers and so on...

Gevlon said...

Important industrial jobs should be run by alt-corps exactly because of that.

Anonymous said...

Simple Spy Prevention:

Only allow people in that people who know the new person IRL vouch for.

works for quite a few corps.

Gevlon said...

Kidding? That limits the corp to RL friends so probably the 40-50 member size will be out of reach.

IO said...

"The purple ratting Machariel with warp disruptor and nanos is an interesting thing too."

What? You do realize it's a PVP ship and the guy had shitloads of kills in it? Check his killboard.

Gevlon said...

PvP ship with no buffer? That's new. I only heard of bombers and instacanes and maybe cloaky-nano tornados run around with no buffer. But they don't have warp disruptor either.

Also, battleship guns have low tracking and he had no web to do anything with smaller ships getting close to him.

This is merely a badly fitted purple ratting Machariel with a purple warp disruptor that died to a small gang.

Anonymous said...

One corp I was in had fairly high background checking, including finding someone who knew the area you said you were from to check whether you were actually from there.
Spy checking is quite fun to do, although sadly, most infiltration attempts are very simple to spot :(

Bobbins said...

'The Lord do not wish thee to fly 12B worth of totally random crap in a Freighter. '

I just want to remind everyone that after 4th Dec the Orca's corporate bay will be viewable to scanning. I expect a significant number of orca kills perhaps even after reshipping after a 'lucky' gank.

Anonymous said...

I totally agree with the comment from the anonymous above, more than 90% of all spies are very casual, with a bad API key, some obvious lies and so on. It doesn't hurt to get them into your corp though, as you may very well guess where they come from after a time.

Spies that have a clean API key, that want to FC, that have useful suggestions or that are extremely friendly/social are the big deal. When you see them it's already too late.

Anonymous said...

Gevlon the Mach fit is standard for solo/small gang minus the cost.

The way you fly that ship is to maintain distance and get people to chase you or run away, cutting transversal down. The majority of your tank is your speed and range, so you do not want to get in close to web someone. He should only be taking small amounts of damage at a time, hence the active tank. If he does get tackled, he drops ECM drones on the target and attempts to neut it out. He also probably has a falcon alt.

Notice also that he is smart enough not to use officer guns. He uses T2 guns specifically to be able to load Barrage ammo to hit out at greater ranges.

I need to make a google account called 'the waffle' or something so I can stop posting anonymously.

IO said...

:Gevlon:

After half a year of playing EVE I thought you learned at least a bit not to comment about stuff you have no clue about (e.g. solo PVP), but alas it doesn't seem so.

The guy has 71.7km overheated Warp Disruptor range with Loki boosts. You have good enough tracking even with large Autocannons at such range. He will kill most of small ships from far away with guns, or close with drones.

Speed is 2.3km/s or 3.4km OH, so he can outrun majority of ships encountered in 0.0.

"Active shield tank" - active booster + cap booster were quite common for solo PVP before age of ASB. With HG Crystals his tank is pretty good to survive long enough to kill his enemies.

The guy has some 400 kills with his Machariel setup. Quite pro-ratter, isn't he?

Gevlon said...

@IO: a "ratter" ship is one that's designed to kill predictable enemies. It is very possible that he ratted players effectively in this horrible fit, but - like all ratters - he depended on his enemies being predictable and acting as he wants them to. Namely, he needed to dictate the distance of the engagement.

Just like when a therm/kin rat damage tanking ship meets a PvP-er with EM damage, he was dead in the second without hope when he met someone who didn't act as he wanted him to. Maybe he jumped into a 3-man gatecamp and was scrambled/webbed so couldn't gatecrash. Maybe he pointed the cruiser and the T3 warped off and warped back to his head, webbed and killed him. We don't know. But with this ratting fit he had no second chances. Either everything happened as he wanted them to happen or he died.

Phelps said...

FWIW, this is how the real military works as well. That's the whole point of compartmentalized information and OPSEC. It's why the Swedish field telephones that I have say "FIENDE LYSSNAR" on them even though you have to be physically tapped into the line to intercept it. ("THE ENEMY IS LISTENING.")

You have to assume that the enemy can get the intelligence given time. That's why you control access to the critical information until the last minute. People can't give up info they don't have.

Sugar Kyle said...

Gevlon that's PvP in general.

It's not a shit fit ratting ship. Going out in a mach solo means you fly it like a solo mach. It has hard counters like anything and he got caught this time. That's part of the entire thrill of PvP. He put that ship on the line time after time. This time he lost it.

A loss a shit fit does not make.

Anonymous said...

Regarding the Mach, his internet connection died; it was written in the comments by the guy who lost the mach.

Also as was already stated, it is a pvp fit. Active tanks with cap boosters are not that uncommon outside of blobs. In regards to him not having a web to deal with smaller ships, he did have 5 med web drones, as well as a heavy neut to shut off MWDs.

Either way I enjoyed reading your thoughts about API keys and what not, I tend to believe the same in regards to corp security.

Johnicholas Hines said...

You've detailed many aspects of Eve that increase in effectiveness with scale (where scale here means number of people in a team sharing, for example, comms, whether that team is a corp, alliance, cartel, or something else.) The necessity of spy-resistant policies is one cost to increased scale.

Based on your posts, I guess if you were graphing some measure of effectiveness vs "size", for combat fleets, you would have a long increasing tail to the right. That is, at least above some reasonable size, bigger is flat out better. But below that reasonable size, are there interesting wobbles?

For example, is there a natural size for a team such that going a little larger is actually not an improvement? Where the good options are to stay the same size or to get a lot larger? That would look like a bump, a local optimum on the effectiveness vs size graph. Perhaps solo is that sort of natural size.

Each different kind of team is likely to have a different effectiveness vs size graph. Combat fleets are just one kind of team. For example, an industry team probably does have a natural size beyond which it is not worth expanding - it doesn't have the forever bigger-is-better slope off to the right - because too much would be sacrificed in spy-resistance and other costs of scale.

Anonymous said...

Have you even read the comments on that kill? That should be enough for even you to notice something.

Additionally, dictating range is key in PvP if you're not in a brawler ship, which that one isn't.

Sorry, Gevlon, but fail on small scale PvP for you.

Yagamoth said...

Hiho Gevlon,

I know this is not necessarily related but, I suggest you read the Wikipedia articles about "Confirmation Bias" and "Self Fulfilling Prophecy". Then take a step back and think about everything ^^

I have nothing else to add. Thanks for sharing your viewpoint in this Blog

Anonymous said...

"@IO: a "ratter" ship is one that's designed to kill predictable enemies. It is very possible that he ratted players effectively in this horrible fit, but - like all ratters - he depended on his enemies being predictable and acting as he wants them to. Namely, he needed to dictate the distance of the engagement."

So now you redefine the term ratter to suit your own argument and still bang on about how 'terrible' his fit is?

There is PvP outside the blob - buffer is necessary to contend with alpha - because the repping power of your logistics is pointless if your entire bank of hit points can be blown away in a single shot.

In smaller gang things, and moving down into solo fighting, the ability to play the positional game becomes more important. For this you need speed and agility. In general you will not be engaging hostiles with enough alpha to break your tank in a single volley so you can afford to go for an active tank set up.

Soloing with a buffer is ... kind of dumb when you think about it. Your tank will eventually be eaten through with no hope for repair. You can be worn down. Whereas an active tank requires the enemy to bring a minimum dps just to overcome the repping power.

As for the purple - good on this guy for using it. He had the confidence to go into a fight with some super shiny things. Those that drop shiny loot in proper PvP get a hat tip from me.

Anonymous said...

First of all - current fleet location is easily visible via starmap -> My Information -> My fleet members.
Please do all of EVE a favor and spread this knowledge whenever some idiot asks where the fleet is.

Second - you (still) are incredibly naive if you really believe that "if you have any form of spy detection, you are not newbie friendly".

I'm too tired to write a whole post about spying in EVE but here are the bullet points:
(1) It's better to have a grunt-level spy in your corporation that you know about than to kick him and have him replaced with a spy you don't know about.
(2) high-level spies (with access to FC or director channels) can cause very serious damage (but planted spies are less common than disgruntled members turned rogue)
(3) "The murderer is one amongst us" is the stuff that witch-hunts and mass panics are made of.

(3) is the cornerstone of any anti-spy policy. Smart alliances implement it the following way:
A. Neutralize spies by preempting their actions.
Make as much information publicly available as possible, e.g. by making your Announcements forum public or by posting alliance updates to kugu as a matter of policy.
B. Use ridicule ("spais please X up") to make spies appear less threatening and to shut down panic ("they must have a spy on our comms!!!") before it can spread/escalate.
C. Stay below the radar with your spy-hunting operation. It's ok for people to know in an abstract sense that you are doing counter-intelligence amongst other things. But being constantly reminded of that fact will only actualize their fear of spies.

Examples for "silent" spy-hunting:
* Watermark important forum posts. Either by replacing whole words with synonyms (hard to remove for the spy but easy to notice if he has a way of comparing his version to other versions; can't be fully automated, author of the original post has to provide sensible synonyms) or by replacing single letters with identical-looking but different Unicode letters (easier to remove - just c&p into a text editor that only supports ASCII - but harder to notice in the first place; can be fully automated). With some small modifications to your forum software, posts can be watermarked for each user (e.g. encoding his userid).
* Log IP addresses and online times. You log in to Mumble and you leave a record. You log in to the forum and you leave a record. You log in to jabber and... you get the idea.
Instead of allowing your auth system to discard all this information, store it and cross-reference with information you acquired from other sources (e.g. IP lists harvested from hostile forums, information about when a hostile spy must have been online based on the intel he passed on to his masters, ...).
* If you have API keys - don't just do one check at recruitment, pull the information available via API at regular time intervals (every few days) and store it in a searchable database. Automated checks for red flags are certainly no mistake but just being able to go through API logs ex post (after the target has already deleted his API keys, spirited away stolen assets, trashed his evemails, ...) can be extremely valuable.
* ...

If you think these examples are over the top - well, then you are wrong.
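The per-user Unicode-letter watermark described in the comment above, as an added example that is not part of the original comment or any alliance's tooling. The function names, the 16-bit user id, the complement check and the sample post are all assumptions made for illustration.

```python
# Added example: per-user homoglyph watermark for forum posts (hypothetical names).
HOMOGLYPHS = {  # ASCII letter -> visually similar Cyrillic letter
    "a": "\u0430", "c": "\u0441", "e": "\u0435", "o": "\u043e",
    "p": "\u0440", "x": "\u0445", "y": "\u0443",
}
REVERSE = {v: k for k, v in HOMOGLYPHS.items()}
ID_BITS = 16
MASK = (1 << ID_BITS) - 1


def _payload(user_id):
    """Bits of the 16-bit user id followed by its complement (integrity check)."""
    if not 0 <= user_id <= MASK:
        raise ValueError("user_id out of range")
    word = (user_id << ID_BITS) | (~user_id & MASK)
    return [(word >> i) & 1 for i in range(2 * ID_BITS - 1, -1, -1)]


def embed(text, user_id):
    """Return the copy of `text` that is served to `user_id`."""
    if any(ch in REVERSE for ch in text):
        raise ValueError("text already contains carrier homoglyphs")
    bits = _payload(user_id)
    capacity = sum(ch in HOMOGLYPHS for ch in text)
    if capacity < len(bits):
        raise ValueError(f"post too short: {capacity} carriers, need {len(bits)}")
    out, i = [], 0
    for ch in text:
        if ch in HOMOGLYPHS and i < len(bits):
            # bit 1 -> swap in the look-alike, bit 0 -> keep the ASCII letter
            out.append(HOMOGLYPHS[ch] if bits[i] else ch)
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def extract(leaked):
    """Recover the user id from a leaked copy, or None if the mark is gone or damaged."""
    bits = []
    for ch in leaked:
        if ch in HOMOGLYPHS:
            bits.append(0)
        elif ch in REVERSE:
            bits.append(1)
        if len(bits) == 2 * ID_BITS:
            break
    if len(bits) < 2 * ID_BITS:
        return None
    word = int("".join(map(str, bits)), 2)
    user_id, check = word >> ID_BITS, word & MASK
    # A copy normalised back to ASCII reads as all zeros and fails this check.
    return user_id if check == (~user_id & MASK) else None


# Constructed sample post, not taken from the page.
POST = ("Fleet op tomorrow: staging moves to the backup system, capitals stay "
        "docked, expect a cyno only after scouts report the gate clear.")
```

As the comment notes, the mark does not survive normalisation to ASCII: `extract` then returns `None`, which tells you the copy was scrubbed but not who leaked it.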
