First of all, thank you for pointing out the game.
Now this is going to be off-topic, but we are in the off-topic forum, right?
When reading their site I was quite interested in their "anti-cheating" measures. It seems that for certain types of games, being able to have more than one account in the same world gives an edge ("unfair advantage") to whoever has more than one account. Interestingly, this is not a problem for World of Warcraft. I have not played pardus (yet), so I have no idea what kind of advantage they are talking about. If anyone has any experience with the game, let me know what you can do in pardus that you can't do in WoW that spoils the game for others.
Now let's consider what pardus does to stop this. First of all they have a rule: one PC - one user. They say that this rule was put in place to make automatic bans possible. Before that it took a lot of man hours to police accounts, and this simple rule resolved it for them. But the ultimate goal is this: one physical person - one account. Compare the rule and the goal: they are not the same. I'm not sure that this goal is really achievable at all, but I'll talk about this later.
Now, let's just consider their rule. They do state that their automatic ban system has nothing to do with IP addresses. (Whether this is true, I don't know; it might not be.) They say that if you have two different physical PCs and your brother plays on one of them and yourself on the other, and you are both in the same household and have the same IP, you have nothing to worry about. They also say that they won't disclose the technical details about their detection techniques to avoid circumvention. But know this: the game does not require anything but a browser, i.e. no flash, no java and no other plug-in. It does require cookies and javascript though (obviously).
Let's think about whether it is possible to detect two accounts being played from the same PC if you are not relying on the IP address. The first line of defence is obviously cookies. We can set a cookie with the user's account number, and if the user logs in and the account cookie does not match, we warn them and then ban them. But this is pretty easy to circumvent: just clear all the cookies before logging in and you'll be fine. Can we protect against this by checking if the user has clean cookies every time they log on? Yes and no. We certainly can detect that, but we can hardly act on it, as this is not proof that the same computer was used for playing two different accounts. When you open the game in a different browser, your cookies will be clean. Also it's not a crime to regularly run an anti-malware program that kills all unapproved cookies from your browser.
The first line of defence seems to also be the last. But hang on for a sec, have you ever heard about browser fingerprinting? Look at this very interesting paper: https://panopticlick.eff.org/browser-uniqueness.pdf. The rough idea is that, even if you have the same browser, there can be subtle changes in the meta-data that the browser sends, depending on system configuration. We can remember that, and compare different accounts' fingerprints. But then again, it's quite possible that two computers have exactly the same configuration and hence the same fingerprint, so you can't use this method alone and 100% reliably.
It seems that pardus thought hard about using the game from public places, such as schools and internet cafés. To be able to support this, they came up with the notion of an Identified account. The goal is still present, you can't have two accounts (identified or otherwise), but the rule no longer applies. If your account is identified, then playing from a PC that someone else plays from is ok and the check is skipped. This way, if you know you'll be playing on a PC other people are playing on too, you can get your account identified and be safe from the scary ban. The poor bastard without an identified account who will be playing on the same PC in the internet café as you did won't be.
So how do you make an account identified? a) You simply pay. If you get a premium account, it is automatically identified. b) You send them a copy of your passport or driving license. c) You send them an authenticated digital certificate. (To get one of those you need to pay a Certificate Authority, and the authority will also require some form of ID from you.) This kind of identification (apart from the paid account) makes sure that there is a unique person (as identified by physical ID) attached to each account. The paid account does not have this guarantee, but pardus thinks that not many people will risk their money should it be detected that they own two different paid accounts, as these will be banned once detected too.
This all is nice and good and complicated, but the real question is: does this help? This all reminds me of draconian DRMs where you have to prove you are not a criminal, and you, the legitimate customer, suffer, while the pirates get away with everything.
The last point is this. The goal of ensuring that one user always has one account is unrealistic. Imagine I have two computers at home. I create two accounts, and play one account from one computer and the other from the other computer. I tell pardus that the second account is my cat's. This is absolutely impossible to detect. I can prove that I have a cat, and my cat can confirm that she is willing to give her in-game resources because she loves me. Ok, not cat. Sister. Mother. Flatmate. You choose.
So pardus, why all this annoyance if in the end you can't do anything to reach your goal? WoW is much more logical and consistent in this respect. You pay for 5 accounts and you can use them all. You can create many characters in the same world and you can trade items between them. Soul-bound items are a mechanic that helps control that. It seems it is possible to implement the same thing less... severely.
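The cookie check and the fingerprint comparison discussed above, written out as an added example (not code from the original post or from pardus); the `acct` cookie name, the header set, the header values and all function names are assumptions. It walks the post's cases: a cleared cookie gives no signal, the fingerprint still does, and two identically configured PCs produce a false positive.

```python
import hashlib

# Added example, not from the original post or from pardus. It models the two
# server-side checks the post discusses; all names and header values are assumed.

FP_HEADERS = ("User-Agent", "Accept-Language", "Accept-Encoding", "Accept")

def fingerprint(headers):
    """Hash the handful of request headers a browser sends on every page load."""
    raw = "|".join(headers.get(name, "") for name in FP_HEADERS)
    return hashlib.sha256(raw.encode()).hexdigest()[:16]

def check_login(state, account_id, cookies, headers):
    """Return (kind, detail) signals for one login and record the fingerprint.

    state maps fingerprint -> set of account ids seen with it; [] means nothing odd.
    """
    signals = []
    bound = cookies.get("acct")
    if bound is not None and bound != account_id:
        signals.append(("cookie", f"cookie bound to {bound}, login as {account_id}"))
    fp = fingerprint(headers)
    accounts = state.setdefault(fp, set())
    accounts.add(account_id)
    if len(accounts) > 1:
        signals.append(("fingerprint", f"{fp} shared by {sorted(accounts)}"))
    return signals

def scenario():
    """Walk the post's cases with one constructed browser configuration."""
    box = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6",
           "Accept-Language": "en-GB,en;q=0.5",
           "Accept-Encoding": "gzip,deflate",
           "Accept": "text/html,*/*;q=0.8"}
    state = {}
    first = check_login(state, "alice", {}, box)                # fresh PC: nothing
    caught = check_login(state, "bob", {"acct": "alice"}, box)  # cookie still set: both fire
    cleared = check_login(state, "bob", {}, box)                # cookies wiped: fingerprint only
    # A second physical PC with an identical configuration looks the same to the server.
    other = {}
    check_login(other, "alice", {}, box)
    collision = check_login(other, "carol", {}, box)            # false positive
    return first, caught, cleared, collision

if __name__ == "__main__":
    for label, result in zip(("first", "caught", "cleared", "collision"), scenario()):
        print(label, result)
```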