UOForums was lucky enough to spend some time with Tony Ray, founder of the Punkbuster software, which is soon to be beta tested with UO.
Here are the questions we sent him and his subsequent answers..
1) From PB TOS:
Is this information kept? If so, for how long, and to whom is it made available?Licensee understands and agrees that the information that may be inspected and reported by PunkBuster software includes, but is not limited to, devices and any files residing on the hard-drive and in the memory of the computer on which PunkBuster software is installed.
The wording of the legal agreement quoted above has to be broad so that users understand the scope of what PunkBuster can look at (which is everything). If there was something PB wasn't able to look at, then the cheat-writing punks would just make their cheats and hacks "look exactly like" whatever PunkBuster limited itself from inspecting so that the whole effort would be wasted. PunkBuster does obtain hardware and device identifiers but those are mangled before transmission so that no one (not even ourselves) can determine the original information used to create what it is transmitted. We can't for example know what someone's hard drive serial number is from these transmissions, and certainly cannot know what personal information of any kind is stored on the user's computer.
Tony Ray: Since PunkBuster is integrated at the source level for all games we support, our engineers work with the game dev team to get the integration accomplished, tested, etc. In the case of UO, that has already been completed and was a great experience. We are really looking forward to working with the whole UO team.3) What is the biggest difference between creating a PunkBuster program for a FPS and a MMORPG?
Tony Ray: The biggest difference is in how PunkBuster's auto-update works. For FPS games where there are only a relatively few players per server, PunkBuster at the server auto-updates the PunkBuster clients when necessary. For MMO environments, PunkBuster clients obtain their updates directly from our master auto-update servers so that bandwidth used for updating does not choke the game server after a new update is released.4) Are all efforts PunkBuster makes client(PC) side? Or would it be possible to have the system work inside the servers?
Tony Ray: PunkBuster has always been a client/server application. The PunkBuster server is in control. It requests information from the PunkBuster client running on the end-user's computer along with the game. The PB client must then supply the answers in a timely manner. The server then looks at the answer to determine if a hack or otherwise disallowed condition is present and takes the necessary action (i.e. remove the player with a message, etc.).5) Does PunkBuster disallow play if a "problem program" is simply installed on the player pc, or must it be running?
Tony Ray: By default, PunkBuster does not look at any files on the hard drive nor the registry, it only scans memory for the presence of something running with the game. So with a plain vanilla installation of PunkBuster at the server, only running programs will be detected. There are, however, optional settings and commands that allow server administrators to look for the presence of unwanted or modified files on the hard drive. It is up to the UO team whether or not to use those optional tools on the servers they provide.6) How does PunkBuster plan on handling Hardware/Global Bans between FPS's and MMO's? Will they carry over, or will they be mutually exclusive?
Tony Ray: At this time, we plan to leave all banning decisions to the UO team. For Ultima Online, PunkBuster is currently designed to report what it finds to the GMs and it is up to the UO team to enforce their own policies. At least in the beginning, players who are Hardware banned for hacking PunkBuster in some other game will not be Hardware banned in UO.7) Do you play any MMO's? If so, which ones?
Tony Ray: The only time I have to play games these days is when testing PunkBuster. That is one thing I had to sacrifice personally a few years ago to see this project succeed. However, having said that, before the project was initiated, I played computer games frequently (many hours per week). The only MMO I ever played was Ultima Online. That was back in 1998 after the Second Age expansion was released. I loved the game and for awhile I didn't play anything else.8) What are the levels of bannings? (temp-how long. perma ban-warnings?)
Tony Ray: That will be completely up to the UO team. By default PunkBuster will keep a player off of a server for 2 minutes after kicking for a cheat violation.9) What are the review processes for bannings? If one feels they were wrongfully banned how would they file for a review? Would it be to EA, PB, or both?
Tony Ray: At least initially, all banning and everything related will be through the UO team. If we at some point begin to Hardware ban in UO, whatever procedures that are in place may or may not change at that point.10) Will the "banning" process be automated as on FPS's, or will a GM have the ultimate say BEFORE the ban occurs?
Tony Ray: That will be up to the UO team. When PunkBuster kicks for a cheat violation, the GMs will receive a report of the details for that violation and will have their own procedure for dealing with it.11) I run two computers on broadband off a router. Will this be a problem, and, if action is required to allow this to continue, will I have to be "computer literate" or can a computer "newb" make the necessary adjustments?
Tony Ray: Except for perhaps some really old NAT routers, there shouldn't be any problems running multiple computers with no action required on the part of end-users. All modern routers that I'm aware of (by that I mean released during the last 5 years) will handle the net traffic properly. In some cases, you may need to update your router firmware as there were some buggy firmware version releases a couple of years ago on some name brand routers that drop PunkBuster traffic. In our experience, this is likely to affect at most only a few people who play online games at this point.12) How will "false positives" be resolved? This goes to the first question.
Tony Ray: We have been detecting cheats and hacks for many years. We are very happy with our record in preventing and also in handling false positives the few times they have occurred. And furthermore, our procedures for finding and dealing with the possibility of false positives has improved dramatically during the past five years. In the old days we used to work one on one with players who claimed to have been kicked for something when they were not running a cheat nor hack. We used those experiences to develop safeguards that allow us to now determine false positives often before any are even triggered by an end-user and remove those from our system. The way false positives are resolved is that we remove any bans that may have been triggered and then we make a public announcement on the affected game(s)'s support page(s) on our website so that server admins, leagues, etc. will know what they are dealing with.13) Since "false positives" are an admitted possibility, how can one best prevent it occurring? (Here, we're ASSUMING that the person isn't running any forbidden programs and has done nothing to change the underlying program (UO))
Tony Ray: Every false positive we have ever seen occurs when a user is running a little known or newly released program that happens to have a footprint/pattern that looks exactly like a cheat we are scanning for. So, other than closing every other program besides the game, there is really nothing an end user can do. Despite what may be claimed on cheat/hack websites, PB false positives are extremely rare. Most of the games we support have never had even one.14) Has EA actually looked at the source code to determine EXACTLY what the program does and what it does not do?
Tony Ray: All of our clients have access to some of our source code (the part that is integrated with the game). However, the full PunkBuster source code tree has not been made available to anyone outside of Even Balance. Since we frequently auto-update, adding layers of approvals would slow down the process to where it would not be effective. Speaking to that issue, I'd simply say that there is safety in numbers, over 20 million game players run PunkBuster by their own choice. We're not about personal information, we don't want the names, email addresses, etc. of our users - we don't even sell advertising on our own website which would be substantial income as we pull in significant traffic. The last thing we want to do is get bogged down with being responsible for the personal information of our 20+ million users (we have enough to do already) so we just avoid the issue entirely by not gathering any information that could be considered personal.15) How many CLAIMS have been made over the past 5-6 years that an employee of PunkBuster has gained access to anyone's computer with the intent of either "browsing our private," or stealing private information, or causing damage to a customer's computer? Of these, how many were verified?
Tony Ray: I am aware of a couple of "articles" that have been written over the years but they never contain any verifiable information (because there isn't any). Some of these have "screenshots" but we all know that a screenshot can be made to look like anything the author wants it to look like using photoshop or whatever. These "articles" always turn out to be written by a punk cheat author who is (without merit) just trying to attack our credibility. We have a spotless reputation inside the gaming industry and that is something we are extremely proud of. There is only one person in the whole world up to this point who has released a PB update (myself) so I'm confident in saying that it is truly impossible for any Even Balance employee to have breached the trust of one of our users. Various members of our staff contribute to the code base, but I personally make all source changes and builds manually prior to each update. Plus keep in mind that accessing someone's computer is breaking the law (at least in the U.S. where we are based). Not only would such a person lose his/her job, but would also likely go to jail.16) Does PunkBuster scan my hard drive or the programs which are currently running? If it scans my hard drive, exactly what is it looking for?
Tony Ray: By default, PunkBuster only scans memory. The optional file scanning tools that some server admins use look at files inside the game's installed folder hierarchy and send back file signatures that can be compared to known legitimate files. If the signature doesn't match, PunkBuster knows that a file has changed that shouldn't have. Some admins also use these tools to see if a file signature matches the signature of a known hack. We do not use this method by default because it only catches the laziest or most naive cheaters who don't even try to rename files plus we like to keep file accesses to a minimum for lag reasons, scanning memory in chunks during gameplay creates no oticeable lag.17) How will PunkBuster in UO affect those who are on dial-up? (Lag issue)
Tony Ray: Users with 56K modems (or less) will experience noticeable lag during PunkBuster DLL updates which will probably occur on average around once per month for UO. We distribute a free tool called PBSETUP that these users can run before playing if they choose to check for updates so they can be installed quickly before joining a shard. The use of PBSETUP is covered on our website at evenbalance.com.18) Who dictates what PunkBuster scans for and how (the original game creator or the PunkBuster team)?
Tony Ray: The PunkBuster team has ultimate control over our software system and how it works. However, we always follow the desire of our clients in kicking for specific programs that the game creators consider to be hacks or cheats of the system.19) Is there anyone, say a dis-interested party, to verify PunkBuster is scanning for illegal 3rd party programs only (kind of like checks/balances)?
Tony Ray: I'm not sure I understand the question. I'll try to cover the subject matter. When PB takes a screenshot, it is *only* of the game window. If the game is not running full screen, PB ignores anything outside of the window containing the game. When the game is minimized or not the active application, PB returns a blank screenshot saying that the game app was not active. Some admins will kick if this happens too many times. If you are talking about launching a graphic program in the background while playing, that would only cause a kick if the program "looks like" a cheat program in memory from a cheat pattern perspective.21) In the business world, the additional costs to operate and provide a service is ultimately passed on to the consumer.
Tony Ray: hmm, I think this phrase is actually part of the next question...22) Will this increase the fee per month for Ultima Online, in the near future?Tony Ray: This is (of course) up to EA and the UO Team. However I will say that I doubt that this has even been considered. I'm not aware of a single game we support where it is considered that the PB support cost is significant enough to warrant adjusting the end user's cost. For most games we support, the user base either increases or is sustained over a longer period than was originally hoped for, so we expect our clients to actually increase their profit by selling more units or subscriptions due to adding PunkBuster without the need to increase the end user's price point.Special thanks to Tony for answering all our questions and thanks to all our posters and staff members for submitting them.
(This question has since been answered by Darkscribe, there will be NO increase in the monthly subscription fee)