Thursday, January 3, 2013

AWOXing Poetic

I had a hilarious encounter last night: an AWOXer applied to my private industrial corp.  Usually, this is a simple procedure handled by swiftly denying the application (or ignoring it entirely), and moving on.  What made this application funny was that very shortly after denying his app, I was convoed about it.

I know the proper response is supposed to be a polite email about "not fitting our needs" or at least helping random public applications understand more about you and your corp.  But at this time, I have no need for new members, I have not published a single piece of recruitment literature, so ANY application is malicious.  I just found it hilarious that it wasn't enough to have a mark not fall for the scam, but to put in a second try on top of that.

This inspired me.  I've been reading and talking a lot about corp-level tools for the last week, so I thought I'd share a little wisdom for those who might want it.

AWOXing?

Named for a player, Awox, AWOXing refers to a particular scam.  For the entire backstory, get the TL;DR at Jester's Trek, Agua, or even Urban Dictionary.

The scam preys on a combat mechanic: corpmates can shoot eachother without CONCORD intervention.  ANY corpmate can shoot ANY corpmate.  The game makes no attempt to gauge malicious intent vs messing with friends.

The scam goes as such:
  1. Spread applications to as many generalist corps as possible.  Missioning and mining corps are the best targets.
  2. Get into the corp and attend an op.  Preferably with a director or lead of some sort.
  3. Bring a PVP ship to the fleet, and kill the juiciest thing in range.
  4. Log out in space to prevent being kicked from the corp.
  5. Repeat
Nothing is stopping anyone from having more patience and AWOXing the biggest, blingiest, pimpest thing they can find.  This scam is related to similar bait style scams where the scammer lures a corpmate into a trap specifically to destroy something of high value like capitals.  This scam also preys on the (terrible terrible) corp management rules.  Specifically that you must be in a station to change corps (even to NPC).

Security Done Wrong

Having run an alliance of missioning bears for longer than I care to admit, I'd like to first cover the misconceptions that these AWOXers prey on.  Also, because I adored Sophia Jackson's POS Guide, that worked backwards, we're going to start at the end and work our way back.
  

We require API verification

The only API 90% of corps check is skills.  They load the key into EVEHQ or EVEMON and see what the recruit can fly.  The "paranoid" read mails and check standings.  These steps are less than worthless when it comes to security screening applicants.  Mails, once deleted, are removed from the mail API, standings are player set... and skills tell you nothing about the pilot behind the avatar.

The APIs that are valuable, can't easily be checked with a desktop tool.  That's wallet and kill log.  Wallet provides a way to "follow the money" to alts.  Kill log gives a report of the latest kills.  Neither of these APIs can be easily defrauded by stuffing or deleting data.  Processing both gives a much better picture of who is applying to your corp.

Interviews

Seriously, "EVE online is a sandbox of sociopaths".  It is incredibly easy to put on a facade and tell your recruiters what they want to hear.  Similar to real-life resume-bot-beating by repeating the job requirements you tell them what they want to hear. If you got your parents to believe you were at a friend's house when you were actually causing trouble... then you can probably beat any normal interview.

If you're insistent on interviews being part of the process, put hurtles and time in the process.  The longer the lie has to stand and the more places the story goes, the easier it will be to pick out the flaws.  Much like police interrogate and push on answers to see if the story changes, use multiple interviews with different members and compare notes.  Also, by making the hurtles take more time than one sitting, the patience of the scammer will most likely be exhausted.  Spreading out the application process to a few days will weed out random scammers, but will do little about the targeted ones.

References

External references?  Are you kidding?  I will roll a character on another slot and write glowing reviews about myself.  I could even be in my own corp and spoof the numbers with trials.  Calling up unknown CEOs for their feedback is usually a fruitless endeavor too.

I would even be wary of internal references that don't have personal connections to applicants.  There's nothing wrong with flying with friends, but social engineering preys on our social niceties.  Just because you weren't sold doesn't mean a lower level grunt can't be.

Minimum SP requirements

This does stop the lowest level AWOXers, but it doesn't protect against bought characters.  I'll admit this is a smaller risk than the above behaviors, but it isn't actually a security procedure.  It puts up a wall that filters out the lowest SP alts, but spies and scammers are creative and can generate characters at almost any level required to do the job.  

Mandatory Titles.  24hr Revenge Period

Though this may have been a good idea pre apocrypha, it's generally not a great idea now.  It used to be you could restart the 24hr stasis timer indefinitely (and get banned for it).  That loophole has long since been closed.  Once rights are revoked, they cannot be reassigned until the member allows it again.  I don't know who would reasonably expect a scammer to log inside that escape timer and allow himself to be killed.

Real Security Measures

Avoiding AWOXers is actually quite easy.  It's the same sort of things that should be "well duh" but are overlooked because of stupid-human "gut feelings" or an over reliance on technology.

USE THE CORP HISTORY

It's public, it's impossible to fake.  If your applicant has only ever been in corps for hours at a time, repeatedly, it's a glaring red warning klaxon.  Yes, the greenest noobs won't have corp history, and some people are flaky and may have short corp histories, or people might be weird and like NPC corps.  There's no reason to take EVE too seriously and put in hard and fast previous corp rules, but if the applicant has more than one corp on their history where they were members for less than 48hrs, you might want to ask harder questions.  If you don't at least LOOK at the corp history of an applicant, you deserve to be AWOX'd.

Google is your friend

Check the forums for the applicant, check eve-kill, zkillboard, and battle-clinic.  10 minutes of searching can yield a wealth of warning signs.  Odds are that 90% of your applicants will turn up mostly blank here, but again it's a simple and fast first line of defense.

You Don't Have to Be The Nice Guy

It's your corp, your members are trusting their security to you.  Bringing a wolf into the flock will do more harm to your organization as a whole than to any individual sheep.  If someone trips your gut, tell them "no".  Personally, I've always favored a panel approach where any one director could veto an application.  This would result in a more stringent search and 9 times out of 10, and protected the corp from a bad applicant.  This also helps cultivate a better internal atmosphere, since you have the right people for the org rather than a ship of random pubbies.

Social engineering relies on the assumed social norms and taboos we all subconsciously submit to.  Trusting authority figures, not wanting to look like the odd one out, the pain of disappointing people with "no".  But if you are going to be the captain of the ship, you have to make the tough choices for the good of the whole vessel.  

Don't Let Paranoia Win

"A system is 100% secure until users are introduced"
It's easy to let paranoia win in EVE.  There are so many stories about corp thefts, inside jobs, hacking and spies.  And paranoia will quickly lead to a stagnant organization, since no business can be done without trust.  There is a need to put a little risk forward to be able to socialize and build communities.

Just remember EVE's cardinal rule: "Don't fly what you aren't willing to lose".  The same concept can be applied to corp management.  The tools are there to protect valuables while opening up access to members at the same time.  Learn about the corp tools, understand the mechanics, be aware... and you have already gone 99% of the way to being safe and having fun.