Horizon Strikes Again

No. Gil is just a value in a database, a database which is generated by software that is completely homebrewed and protected by emulation precedent. "Their coders" aren't relevant cause the software private servers use isn't in any way made by Square. None of that code is theirs.

That's why editing the client itself is where the issues begin. That software IS their property. A majority of servers don't do this (they just use whatever the most recent retail version is) but the bigger ones tend to have custom clients to change how the game looks.

Even though that client is free to users, you aren't free to edit and disperse it for money as a distributor. That's where IP theft begins.

You'd basically be arguing that you're providing the option to connect to a server, or selling database changes on the server. Because you're not providing the client, it's up to the user to decide how to connect, and any copyright infringement is done on their part.

As long as you aren't distributing any of SE's intellectual property, the server itself is probably legal. Case law on this is relatively limited, and in most jurisdictions a judge would have difficulty understanding the details enough to rule properly. So, even if it's theoretically OK, it's something that would require considerable due diligence to be sure of.

I don't think anyone here is actually a lawyer and can fairly advise on the legality of it, but this is the prevailing understanding afaik.

You're confusing distribution with licensing. There is no shortage of freely downloadable software that is only legal to use with the purchase of a license key and/or an ongoing subscription.

The download page specifically states that downloading the client is free, but playing the game is not. Any group that promotes or supports using/modifying the official SE client to play without a registration code or subscription is on thin legal ice no matter what backend software they use.

I am not confusing them at all. There are servers - like Horizon - that take the client, edit it to remove Square Enix branding, as well as apply their own edits, etc. over the top, and then they serve that client to their players via their own custom launcher. This is cut and dry distributon.

Other servers will just tell you to go to the normal SE website and download the normal retail client. During this process you're exposed to official branding and are offered the option to play on the retail servers if you choose to during the download process. What users do with the client once they have it is up to them, they're the responsible party for what happens at that point, not the private server owners. At that point the culprit is users, and Square isn't going to go after every individual user. That's why you never really hear about this sort of thing happening.

It's a weird legal dance that they do. When I spoke with my lawyer about the legality of things before we launched Wings, she made sure to make it extremely clear where the line of legal liability was, which is the only reason I know ***-all about this subject.

Asking a lawyer doesn't really mean much, unless they specialize in that field and they are competent. And if you're complaining about money as you do, chances are they are garbage and you paid them tree fiddy so don't know what they are talking about.

It was a copyright lawyer. Their main field is DMCA/music industry stuff, but they were familiar with the emulation context because they researched before our meeting.

Also I wasn't complaining about money, simply stating the fact that I lost it in the pursuit of Wings' continued existence. There's a reason I ended up being the one to foot that bill - I could afford it. Owning a restaurant in 2018 was a lot different than owning one in 2021, lol. I wasn't about to sink another few grand into the server at that point.

This is all assuming they are aware of it to begin with.

Has SE ever aggressively enforced anything of this nature? Wasn't there some drama about a FFXIV PS a while back? (nm I was confusing it with a different MMO)

The issue isn't the software, it's the service they offer that you are offering in a competing manner. You are not allowed to do that.

Nobody using the service thinks this is anything but ff11, you cannot offer a service you do not own and deny a company of the profits of that monthly service.

You can't just steal someones code, redirect it to your server and cut them out of the $14 a month they made it to benefit from.

These points sound very similar to the strategy of the (former) Yuzu team, in that the emulator itself was as legal as they could make it, had legitimate uses, and the Yuzu team did not distribute any of Nintendo's code or keyfiles.

The dev team settled and shut down rather than go to trial, likely because Nintendo made a credible argument that Yuzu was primarily used to facilitate piracy, and they backed that up by documenting the guides and support offered openly in the official yuzu community. Plausible deniability isn't so plausible when you're routinely helping users do the thing you claim ignorance of.

It might be possible to run a private server with zero guides or support, but I can't imagine that would be fun for anyone involved.

That's because it works. Yuzu is a different beast because the games require identifier keys from official hardware to play - which is proprietary info to Nintendo. This was the same reason they didn't allow Dolphin (the GameCube/Wii emulator) onto Steam.

As someone currently studying data security this hurt me immensely to imagine.

It's extremely common.

It's somewhat more excusable in the C/C++ APIs for most databases, but a lot of high level languages/frameworks you really have to go out of your way to screw it up and people still do. There was one we looked at (I forget what it was), where executing a raw query was called query_exec_unsafe() or something similar and they were still doing it with parameters pulled from input sources. We've reviewed code where we reported several dozen at a time that we found manually (automated tools are trash at finding these), to the point reporting them all took more time than finding them.

If you end up doing a lot of source code audits/reviews, it's not even close to the dumbest thing you'll find.

It's not a 1 to 1 comparison, but it's fairly close. "What users do with the client once they have it..."

SE could easily argue that private servers exist primarily to allow people to play XI without purchasing a license key or paying for a subscription. I understand that you feel your server was legally secure, but if they had come at you with that tactic, would you have gone to court over it?

I'm not suggesting SE is preparing to summon the lawyers; My point is that there's currently no way for an XI private server to be "legal enough" while the only client that works with LSB is the proprietary one.

probably the people running the servers are selling gil on horizon

"Oh yeah the production server broke at some point so we just redirected everyting to test and called it a day. It works fine, why are you pale?"

"I made the code a lot more efficient when I removed all the dumb checks. Instead, I check all the values in javascript on the user's pc! We use his cpu instead of ours! Isn't that smart?"

"Yeah the boss wants everyone to have an unique user and password but you can forget them and just use xxxx/yyyy to login into the client. The IT guy who knew how to give access was fired sometime ago so nowadays we all just share this account when we need those customer profiles and that works perfectly fine."

The flashbacks are not pleasant, man.

Did someone say Lawyer? ....Where's Velner when you need him?

Pure copium lol

Kind of correct but not (or not just) from the guides: As I understand it Yuzu landed where it did because Nintendo had them over a barrel because they had engaged in actual piracy with evidence in their discord, and discovery would have crushed them. Their settlement had them saying anything Nintendo wanted them to say. And Nintendo would very much like to change the public's beliefs about what is and isn't legal to their advantage. This is a company that has in the past tried to argue emulation in and of itself is illegal, which is factually false.

We should also keep in mind that a big giant company can win even if you technically didn't break the law in your locale or bleed your finances dry till you stop fighting if they don't.

SE seems to mostly not care about private servers for the time being. That might change if they begin to perceive it as real competition to their product, or acquiring money they think should be going to them, or possible damage to their brand. Those would likely unofficially be the tipping points but not be the official reasons for action though. Officially it would likely be something about use or distribution of assets, trademark, or the circumvention clause of the DMCA. But right now there is no chance they don't know, they just don't see it worthwhile to do anything about at the present.

Would be best for the scene of nobody provoked SE really, regardless of opinions on legality.

Arguing over legalities in a case like this is like thinking arguing with a massive dude and winning means you win an argument, no he will just punch you in the face and throw you in the river.

Big companies punch you in the face with lawyers and their fists are made of money.

This is why all these people fold, it doesn't matter who is right or wrong.

Horizon is one of the dumbest bunch of brainlets I've ever seen cause they are trying real hard to get SE to set a precedent, and if they actually did decide to come after them they would fold real quick cause none of them are rich enough to fight a legal battle that could last years.

Not only could this bring all the other servers down, but the parent project too.

This is why you're supposed to fly under the radar, and why most servers do so.

see, we could have been talking about the importance of your vs you're, and really improved the FFXI community as a whole, instead we've descended into legaleze..../sigh ;)

We killed, not one, but two different MRI machines with a port scan. One so badly they had to fly a tech out to fix it and it wasn't even on purpose, we were helping with something else and they failed to block it off when we asked them where their embedded stuff was. Think basic nmap scan and it was unusable for over 12 hours. The answer when we asked if they planned to fix it was no. When we asked if they could isolate it with something in front of it, same answer. So there they sit, probably still. Oh and one of them still ran Windows XP and this was ~2014, it hadn't had updates applied in about 6 years, which is very common for medical devices.

On the code side, how about this for an authentication scheme: Client sends auth message, server responses with the entire list of usernames and passwords (in plaintext) to the client, the client checks the entered creds and compares it, then sends a message that yes, it is correct. This was in some code I reviewed early in my career and I know at least one other person who has seen the same thing in something different.

We saw so many hardcoded sa passwords (as in hardcoded in the code, can't be changed without recompiling, extremely dumb password put in documentation everywhere) we had to template the reporting item because we got tired of writing about why it was bad every time (the databases were network accessible). Same with hardcoded symmetric encryption keys, which we also had to template to explain that when you distribute the same key to everyone everywhere it's bad, at least 50% of the uses of this are downright scary too.

Then there are entire protocols used for integration between medical devices that don't support any security features whatsoever, not encryption or authentication. This is slowly being fixed, but it's difficult because when you deal with 25 year old devices that can't be updated, it means you can't change the way it works. You can sit on a hospital network and see all sorts of ***go by depending on what types of devices they have. We created an agent based workaround to kinda help with this but no one uses it because if they use it and someone elses ***breaks, they will get blamed (and tbf given how fragile some are, it might actually break something).

There is worse but it's too recent or easily identified for me to smear across the internet. All things considered, I don't usually fault someone for oops-i-accidentally a SQLi somewhere because there are often much worse things going on and they are typically pretty easy to find and fix.

This is all bad and there is worse, but at least these folks are trying. What really keeps me up at night is the state of the security industry, it's such a *** joke. We've seen reports done against embedded devices that some of our "peers" did and they literally ran a nessus scan and that was it. Against an embedded device. "No findings", well no ***. They love coming in acting like leet h4x0r swinging *** around and treating devs like ***when they've never seen a line of code in their life. I worked with one who didn't know what a compiler was and he was put in charge of application security at a software company (he was actually a great dude and it wasn't entirely his fault). The irony being that if you ask the people who write the software, 90% of the time they know where all the problems are but couldn't get political coverage to fix them, they are more than happy to tell you and more or less kickstart doing the job for you if you don't act like an ***, but that's too hard for most of the industry.

it's always astounding that this ***comes back to legality.

SE could shut horizon down, end of story.

SE likely does not care enough about ffxi (shown in every action that they take) to shut down horizon.

if you made a ff14 private server you would get a C&D faster than you can possibly imagine

Don't hurt your back moving those goalposts.

90% of private server players would never even touch Retail.

This moral high ground you see yourself on is nothing more than a logical fallacy.

Another 5 post account with only horizon crap lol

I just want a private server where I can buy gil for pennies and give an underpaid chinese gilfarmer piloting 30 different characters the same gil I just bought from him to clear all the content for me
wait that's Asura my bad

You think you're proving your point, but what I hear you saying is: 10% of private server players would be playing retail. Seems like they hurt retail then, huh?