Can this really be considered lost revenue? It's unlikely that all 1,000's of the "free" games were going to be purchased at the current price. You run in to the same questions with piracy. Were the pirates really going to pay if they couldn't pirate?
The lost revenue should really only come from customers who would have paid the asking price but managed to get an illegitimate deal, plus whatever support and overhead costs can be applied to the game downloads.
Yes because some (most of the ones worth paying for) of the games require some sort of server. So every new player in a game is not free for EA. Giving away a game means they will lose money on this person if they play online.
The costs are also very difficult to determine, where $1 sounds a bit high to me. Lets try to do some random estimates for a random game: 30% of the users wont touch the game whatsoever, and will just have it on their "list". Of the buyers, 0.5% will require some sort of support effort in relation , where 65% are handled by the auto-response and 30% by the first email by an employe.
Say a total of 5,000 downloads are from this "free" coupon for any specific game title. Would $500 or $5000 sound closers to the actually hosting/support cost that the publisher has.
Consider however you have to download Origin to get the games and play them. A feat they've been struggling to get gamers to do, so every gamer that got free games is actually worth a lot to them and probably wouldn't have bought any of these games anyway as they're mostly old and lame.
It's pretty much a win for EA which is why I expect they let it continue so long.
Someone needs to come up with a term for this, "hypothetical maximum lost revenue" or something.
I don't have an issue with anyone quoting this sort of number (retail cost x lost units) but they need to make clear exactly what it is, which isn't actual revenue or profit.
Is it me or does the author of this article, and the abusers of the exploits he writes about, land on the wrong side of both the law and common morality?
Surely EA being a "terrible company" has nothing to do with whether it is okay to steal their products? Moreover, just because there was a coding error/oversight, again doesn't mean it is okay to steal their products? If you have a complaint about a company or discover an exploit, surely there are other more ethical channels to pursue the matters?
For the record, I dislike some of EA's conduct as much as the next person.
Yes this rubs me the wrong way. I think it's analogous to a retail store (say, an Apple store) leaving their front door unlocked overnight. It's possible to go in and take merchandise. After all, it's not your fault they left their front door open. You could even argue that Apple's business practices are morally questionable, so they deserve to be taken advantage of . (I'm not trying to make any statement about Apple. It's for the analogy.)
You could argue that the situation is different with virtual goods, since they have an incredibly low marginal cost, but I think that the situations are morally analogous. The games aren't supposed to be free.
Not really. It's more like Apple issuing you a coupon for a free iPod Nano, but when you go to checkout with the iPod Nano and a Macbook in your cart, the cashier tells you they're both free.
It may still be unethical, my point is just that there are shades of gray here.
I understand your point, but I disagree. There is a marked difference between being told by a cashier that the MacBook is also free, and exploiting bad coupon code mechanics for free products. Primarily, the coupon code users knew that the code was broken (the door was unlocked) and proceded to abuse it.
From my understanding, the coupon recipients knew that the coupon was supposed to only be for a single $20 discount. The only shade of grey in this case (as far as I am aware) is that there may be a user who used the code and unwittingly received a discount applied to multiple products. I believe that the majority of people in this case knew that it was unethical (and possibly illegal) but rationalized it by saying that EA deserved it.
Except that, in that case, Apple will loose a lot of money
from the free hardware.
In this case, the only real loss for EA is the bandwidth.
Since it would be safe to asume that the downloaders
wouldn't have bought a lot of games at the current prices.
Sure, but I don't think that's relevant to the discussion. It's hard to quantify, but there is some set of those downloaders who at some point in the future would probably have bought one of the EA titles they received, so there is some actual lost revenue. I suppose that's their lesson for pushing bad code into production.
But it shouldn't matter. Real loss isn't necessary for it to be a unethical (or worse, a crime).
Is it actually true that real loss isn't necessary to be unethical? You couldn't possibly provide an example? I am having trouble imagining such a situation.
(I would argue in terms of importance, ethics > crime)
Is it actually true that real loss isn't necessary to be unethical?
Plagiarize a paper in college, you have caused no real loss but still been unethical. Say you knew the topic very well and could have done the work yourself, you just plagiarized because you were lazy to get around the whole you harmed yourself argument.
Yeah, that is a good point. I had this idea that it most ethical questions are to do with other people.
Like stonemetal alluded to, in a pretty esoteric sense you are harming yourself by bringing yourself into disrepute.. but that is just quibbling. Also I guess the 'scientific' method employed in marking papers is as a proof which you have not given. Though you may have done the groundwork it does not automatically follow that you are able to reliably produce the required results. You may also then be bringing the school into disrepute... but, probably not the central issue here.
I don't agree that EA's reward is diminished UNLESS people who would have otherwise bought these games did not (which I would then absolutely regard as stealing) and ASIDE from the very real argument about server time (which I would argue is a separate instance of theft).
I don't think the social contract argument holds much beyond the idea of patronage ie. I have a duty to support the content producer, but no such duty to allow him to profit. That is arbitrage, I may find it worth my while to allow it, but I have no duty to support it. In abstract Kant-ian terms (thanks for the link, jogged my memory of all those philosophy subjects I studied way back when) if all the world rejected arbitrage people would only make things that were really valued (in real terms, some over-production allows for innovation of course.. things are never so simple).
In fact, in the OP, he mentioned that on some boards people were justifying their actions by saying that they were taking back some of the money EA had taken from them over the years. This could be read as taking back the profits, or the arbitrage, which they no longer felt were justified given EA's continued mistreatment of their custom. (or, of course could be read as a petty way to make themselves feel ok about stealing).
stonemetal's point about plagiarization is excellent. I had in mind something along the lines of media piracy, except in EA's case there is an actual cost (since their bandwidth provided the content, and their servers will have to support it when they go online). I think the majority of people accept the fact that piracy is ethically wrong, even if there is no cost to the producer. When you pirate, you are enjoying content that someone else produced with their finances, time, and talents. The social contract is that in return for that enjoyment, you support the content producer by purchasing a licensed copy so they can be rewarded for their efforts. When you pirate, you deprive the producer of that reward.
The same deprivation occurs here. EA's reward for publishing these games is reduced or removed because people acquired them when the "door was unlocked".
I do not know enough about formal ethics to express my point here, but I would look at http://en.wikipedia.org/wiki/Categorical_imperative under Perfect Duty to show how the concept of piracy doesn't hold up under the Categorical Imperative.
The exploiter's gain is greater than EA's loss, especially when you consider that EA desperately wants people to use Origin. That doesn't make it ethical, but I won't shed any tears over it.
I think the analogy is wrong. EA didn't lose any physical copies.
I think a better analogy would be Chapters/Barnes & Noble (A Book Store) had accidentally put in free to use high quality photocopiers inside their store. The photocopiers were intended to be free to use, but not intended to be used on the books in the store.
Your argument isn't morally analogous because theft implies EA were deprived of something (EA still can sell and play their games), when the issue at hand is the EA botched up controlling access to their product. In your argument, Apple can't sell the stolen merchandise any more.
The more important part for EA would not to be to "punish" or claw back copies. That genie is out of the jar. They should just chalk it up to marketing and move on (fix the technical issue).
"Your argument isn't morally analogous because theft implies EA were deprived of something (EA still can sell and play their games), when the issue at hand is the EA botched up controlling access to their product. In your argument, Apple can't sell the stolen merchandise any more."
This whole "if you still have the physical object, you weren't robbed" is a rationilization. If your school decides not to give you a diploma you still have whatever you learned - but now the value of your education in the marketplace has been reduced.
Repeat after me: "Taking something that isn't yours without permission is stealing."
But... the fact that the servers honored the code being used multiple times _is_ permission. You can't assume that this wasn't EA's intent, (although it's almost certain it wasn't). Ultimately, the onus is on EA to make their system work right.
I'm not arguing that people who abused the code weren't doing something wrong, but it is not cut-and-dried. However, I definitely disagree with the idea that they were "stealing".
I think a better analogy is when a business accidentally advertises a product at the wrong price. They are required by law to honor the advertisement even if it was a mistake. This is much closer to the situation with EA than the idea that they "left their front door unlocked", etc. Regardless of other circumstances, the transaction was legal, and I think the law might well require EA to honor it... but I don't know the details.
Another analogy would be issuing a coupon and forgetting to include "limit 1 per customer", or even having a salesperson giving out free product, who misunderstands and doesn't limit the product to one per customer.
Would customers in those cases be considered "stealing" if they took advantaqe of these situations? I don't see how that can be argued. Could they be accused of being greedy? Definitely, but as much as people might wish otherwise, being greedy isn't against the law.
FWIW, I didn't use this code, and wouldn't have exploited it even if I had. I have too much great stuff already from GOG, Steam and Humble Bundle, etc... that I don't have time to play it all. I have no need nor interest in exploiting anyone in this way.
But... the fact that the servers honored the code being used multiple times _is_ permission.
I'm not sure. It's my understanding that the intent (and legal TOS) of the code was "limit 1 per customer. Non-transferrable." The fact that the server allowed it doesn't change the fact that the intent was for it to be used once.
Imagine a bowl of candy out during Halloween. There is a sign that says "Take only one". The fact that this house failed to implement a means of controlling how many people take doesn't make it OK to take two handfuls.
The important distinction in this case is what the legal language of acceptable use was, and not what was possible through the (broken) server. If you fail to print "limit one per customer" on your coupons, that's a lesson learned. If you DO print "limit one per customer" but fail to validate that at the self-checkout lane, and people abuse it, that's fraud.
*This all predicates on whether the actual language stipulates that the code really is only good for a single, non-transferrable use.
I don't approve of abusing the exploit, and I did not abuse the exploit. I put that paragraph in because I thought it was interesting that some people were indeed using that argument as justification for using the promo multiple times.
I think it is a little more nuanced than simply being 'not okay'. Whether it is 'okay' or 'not okay' is a personal moral decision, which though I might agree with you (for myself), I would not push that morality onto someone else. I would however give a reasoned argument as to why I think it is or is not okay. Ethics are not clear-cut, and ethics do not equal the law.
As dkokelly points out, this cannot be thought of as lost revenue. The vast majority of games taken here would never have been bought otherwise, and it is unlikely that any of these games will be devalued by having a wider audience. So it is spurious to describe this as simply stealing.
EA has a history of disrespecting their customers' privacy, security, payments, and computers, as well as (as the op mentions) questionable ethics. They don't seem to value their customers except as a cash cow to be milked to death. This is a message, an imperfect, impure, but pretty bloody strong retributive message. To draw a long bow, think LA riots.
But still, does that make it okay? I just think each person needs to assess that for themselves. It certainly has a ring of just desserts about it. Speaking for myself, it would depend on my motives. I would put that if the gamers are more interested in getting a positive response from EA than they are in free games, I would suggest they protest by dumping their EA games in an online equivalent of a big bonfire.. 4chan maybe :|
But I would agree that a more ethically clear-cut channel could be actually more effective - but just not because it is more ethically clear-cut. if they really want a positive response from EA, rather than just to protest (or steal), they need to publicly and loudly stop buying EA games.
I don't know what this is going to cost EA, but this may end up being a good thing. People hate Origin but more importantly, all their games are already on Steam, so they just continue to buy from Valve. This might get a few people to keep Origin installed on their computer and help the Origin network effect out. Up until now, EAs only strategy has been to make their big name franchises Origin exclusive. This will probably work better and may not end up costing them much.
They actually pulled most of their top titles off Steam when Origin launched. Mass effect, Dragon Age etc. If you already own them on Steam then they remain in your library but you can't buy them on there anymore.
Dragon Age 1 and Mass Effect 1 & 2 are still available on Steam. Interestingly, they pulled Crysis 2 then a few months later added Crysis 2 Maximum Edition.
For Dragon Age 2 and Mass Effect 3, I agree with their reasoning. Steam doesn't allow in-app purchases that circumvent their distribution system, and that's a load of crap.
steam isn't an open 'app store' though. It is entirely curated through valve. Valve chooses the games to list and if they aren't happy, they will not ask you to list with them. They could easily refuse to sell games if you did that.
Crysis 2 came back once no more DLC was going to be released - hence 'maximum edition'.
The no in-app purchases which don't cut in Steam was introduced when they began allowing free-to-play games on the service (which are usually monetised by microtransactions, and would be a money-loser for Valve if they didn't make a cut from them). I don't know why Steam can't make an exception for EA titles (or those purchased from the store rather than F2P), but that's the reasoning.
(I apologize in advance for linking to my own blog, but I had not seen this issue reported on any tech blog nor appeared in the "new" queue on HN, so I wrote a quick post this morning on the issue, as it's technically interesting.)
> The proper way to implement a promo code is logical: when the user attempts to apply a promo code, the server checks, has the user used this promo code before? by querying SELECT FROM transactions WHERE user_id = current_user AND promo_code = “OS3874XVC”. If the result set is empty, then the user hasn’t used the code, and everything’s good to go.
Be very careful here, it's not as simple as it looks. If you don't do the correct locking it is very easy to have timing attacks which allow keys to be used twice.
We learned this the hard way after posting a one use key for our game on 4chan. A thousand people rushed to try the key and around 100 people managed to get in using it.
... That's not a timing attack. A timing attack involves measuring the time taken to return an invalid response to a password attempt and, given enough tries, figure out the password based on this. It usually takes advantage of the way that string-matching code is written in libraries. Preventing this is not nearly as simple as you may think; for example, recent research shows that over a long enough period of time and enough attempts, it is possible for an attacker to factor network latency into their timing analysis.
What you're describing is not the result of an "attack," but rather the result of code that wasn't designed to deal with database locking. You weren't hacked, nobody attacked you; you just didn't design your system to deal with tons of people trying to write/read the same thing at the same time. Again, it's a tricky problem, so it's understandable (and a lot of people would consider dealing with such issues to be "premature optimization").
I will also note that the OP needs to stick to his MySQL Cookbook rather than commenting on coding practices for large-scale, heavy-usage web applications. His code suggestion is terribly naive, arrogant, and embarrassing. Yes, EA made a mistake; no, you have no clue what the hell you are talking about.
Yeah, time-of-check-to-time-of-use attacks are not usually described as "timing attacks" but instead just called TOCTTOU. In this scenario you might also say "exploiting a race condition".
It really isn't as easy as it sounds, is it? A better approach might be to UPDATE promo_codes SET used = 1 WHERE ... AND used = 0, and then check that one update occurred. Or if your db supports it, SELECT ... FOR UPDATE OF ... and then update if the code is not yet used. You want the check and the update to occur atomically. And this varies depending on databases, for example in Oracle even if you explicitly begin a transaction, a select does not lock the row (unless you specify FOR UPDATE OF) so if you do the check and the update in separate statements, you still have a race condition).
My friend recently linked me to Path of Exile's expansive passive skill tree. Pretty inspiring to play around with that without even knowing anything about the game. I've pined for that kind of skill tree since I was a kid.
Sorry to comment off of the content of the post, but when I load the page the Like button flickers shown/not shown a bunch of times causing annoying visual jitter. I'm on Chrome 22 if that is relevant.
On my main page, I use AJAX to load the Share buttons when the user mouses-over the post itself, so that they aren't loaded all at once. Specifically, it loads the HTML, then runs it through each social service's HTML parser to render the buttons.
On individual blog posts, the buttons did not load because the DOM element is not present for that template. However, the parser still ran on mouse-over, which is what caused the flickering. So I just disabled the parser when the user is on an individual blog post.
From what I can tell, that's on Facebook's end, as all the Facebook plugins seems to flicker occasionally as well. I'll look into it, although there's nothing unusual with my front-end code that should be causing unusual behavior...maybe CloudFlare caching issues?
I don't think you have characterized the problem accurately (or at least completely). The coupon allowed you to add dozens of games to your cart, then applied the $20 off to each individual item instead of just one, or against the total. It was a logic problem in applying the coupon on the server side.
This article missed the earlier Reddit thread where a separate exploit was discovered, that the coupon applied to every item in the basket. $20 off of everything. Coupled with a coupon from a different forum you could add tens or maybe hundreds of games to your account for free in one large bundle.
IANAL, but it's possible that these users are now liable to pay for the extra games. They knew that the code was only usable once, yet used it multiple times. EA might ask for the games back or charge the users.
(I'm not taking EA's side, I'm just pointing out some possible consequences.)
If they did try to charge for the games they would get enough chargebacks that they would have a hard time processing credit card payments for a while. And with chargeback penalties they might actually lose money.
The only sensible options are a) do nothing or b) revoke games purchased with these codes. If I were them I would do nothing and treat it as an unplanned pricing experiment. Since a lot of these games have an online component (network effects!) the "giveaways" might increase real sales overall.
Even if that's the case, it would be unwise for EA to pursue this money. All anyone would have to do is issue a chargeback - which by the way incurs penalty fees for EA. More than that, it costs $25 for EA to file a challenge to a chargeback, making it completely not worthwhile.
Going after this money would be a PR disaster, a legal quagmire, financially negative in all likelihood, and permanently damage their relationship with their payment processors.
I would instead invest more money in hiring proper architects.
I would think that the transaction was perfectly legal, and that EA could in no way force people to pay for the games. I wouldn't however, be opposed to the idea that EA could revoke ownership of any subsequent free games obtained once the code had been successfully used, but it would be a PR nightmare if they did.
EA's only reasonable option is to eat the loss and write the cost down as a "lesson learned".
Isn't there precedence to this? For example, cases where Amazon priced something wrong and people bought at that price, even through the the price was almost certainly unintentional. I would think Amazon would have been obligated to honor the bad price until they discovered and changed it just like companies are on the hook for honoring mistakes in ads (although I think they might be covered by disclaimers these days).
How so? EA can flip a switch to remove the games, and claim there was never a valid license. As long as EA honors the orginal terms of the coupon, I don't see how the "cheaters" were wronged.
My point was simply that the legal situation differs significantly from the standard "You stole it give it back". Pretty sure most of it would be uncharted waters, so EA removing it with a flip of a switch is essentially a throw of the dice. EA would probably win as you say, but I suspect they'll let it slide because its too much hassle & bad PR.
Your proposed solution is not that simple. You make it sound like EA simply used the wrong query.
> One, if EA is technically incompetent enough to allow such a severe bug to exist, they won’t have the technical skills to discern who used the promo code more than once.
The bug was not that obvious, and doesn't necessarily imply lack of technical skill. On the other hand, finding out who used a promo code more than once, as long as these things have been logged, should be trivial for any admin.
That a promo code could be used more than once, or that you could use it in ways it was never meant to? Of course the problem it's not simple, but anyone who thinks it is shouldn't be working on these things. Either someone screwed up building the system, or someone thought they could use it in ways it wasn't intended and screwed up. Sure, the solution might not be as simple as a lack of server-side validation, but either way, the solution is simple, the problem isn't.
According to a community manager. EA is honoring all sales made with the coupon. I was kind of expecting EA to ban some people or revoke access to some games. But I guess they just ended the promotion early. Although EA does seem to be getting some complaints from people who filled out the survey and didn't get to use the coupon.
So because of DRM, they're fully capable of taking those games "back" (removing them from accounts), right? I mean, if VALVe one day decided I no longer can have TF2 they can simply strip it from account, is that how their terms work?
I've never heard of Valve removing single games from an account before. It's common knowledge though that if you ever do a charge back for a purchased game they shut down your account and it becomes irrecoverable.
It's a blanket policy and a reason why I never use Paypal for Steam, use a real or "throw-away" credit card for Steam purchases. Alternatively, you could not buy from Steam at all, I don't anymore but it's too late for me. I already have over 200 games with them and worry about losing access to everything.
The only case I know for certain that Valve removed a single game from accounts was the time a large number of Dirt 3 keys were leaked from a graphics card promotion. A friend traded a game for one of the stolen keys, not knowing about the leak. About a day later, the game disappeared from his library with no fanfare. He didn't even get an email from Valve.
I've also heard that Valve will remove games that were acquired through the trade system if the original buyer obtained them fraudulently.
I think this is the best possible example of why you should always develop websites using progressive enhancement. First, write the app without using any JavaScript. Test it. Make sure the core logic works as intended. Then add JavaScript to make it faster, pretties, simpler to use. That will most likely prevent fuckups such as this, and it will also result in better structured, easier to reason about architecture.
This is just another sample case demonstrating how otherwise intelligent and competent people really need to be educated about web development security.
"One, if EA is technically incompetent enough to allow such a severe bug to exist, they won’t have the technical skills to discern who used the promo code more than once."
Not necessarily true - we don't have insight in to how their system is setup; and while it may not be tracking redemption of the codes on that level, it could also be attached to any transactional data that they have in place (for reporting purposes etc).
Also, it's likely the person(s) who set up that promo had little to do with the people who maintain Origin. And may not even be related to those who maintain the server.
Ironically, EA will probably try to claim the "success" of the promo by using numbers for all the games claimed as if they were all discrete individuals.
While at the same time trying to claw back the licenses.
Unique promo codes have to be generated somehow. Integrating that generation into probably outsourced survey mechanism is likely not exactly trivial and may (if not done right) open ways for anyone to generate any amount of promo codes they want.
This is one kind of problems you get when you start separating different functionality into separate applications that don't known about other parts.
The above mentioned approach is significantly simpler to implement and easier to measure (when it works! ha) than uniquely generated promo codes. So you're also looking at a cost/benefit trade off.
The CSS is based off of Bootstrap, so everything should be showing correctly on mobile and tablets (I don't have an Android device myself so I can't verify that particular use case). I'll look into it; in the meantime, I enabled zoom for mobile devices.
The "bad person" here is whoever decided to let websites turn off mobile zoom. My web browser on my device is mine, dammit, and it'll render websites the way I want. Web site creators have no right to control my user experience.
Having zoom enabled and changing device rotation can cause formatting issues on some devices. The mobile (smartphone) websites of TechCrunch, Yahoo, Cnet, Mashable, etc. all disable mobile zoom.
Tablets appear to be a different story though, and zoom might need to be enabled there.
Ponder this: you have a fixed layout for devices ranging from 3.5in to 10in in size. Assuming you optimized for a he 10in display, does it seem reasonable that the same layout works at 1x and 0.35x zoom level, at all DPI values?
Seems best to let users choose to not zoom if their devices are broken, than to tell devices to turn off features. It is a sad bug that my Browser respects requests from web sites to hobble itself. I would rather pan and scan then stare at tiny text.
Your site works with zoom now, thank you!
TC etc are all websites I don't read on my phone (or at all, generally).
Also, your site disabled zoom even when I requested the Desktop version. If you inherited that bug from Bootstrap, that is awful of bootstrap to do.
The lost revenue should really only come from customers who would have paid the asking price but managed to get an illegitimate deal, plus whatever support and overhead costs can be applied to the game downloads.