ESEA won’t stop crossing the line until we make it

This article is an opinion piece and does not necessarily reflect the views of the Daily Dot


I was already writing something scathing about ESEA when it happened. In a video posted to its official channel, the company used an actor with Down Syndrome to represent its competitors. ESEA’s client is portrayed by a young, athletic male doing backflips. Following the logic, the inferior product was portrayed by an inferior human, at least in ESEA’s view. How else does the joke work?

Even if you could justify those grim implications by calling it “dark humor,” it’s still hard to believe that this video ever saw the light of day. Someone at ESEA thought this was an appropriate response to yet another controversy over security issues with its client. The latest update left the company’s client on persistently, operating in the same way as a rootkit, lurking on your PC doing whatever it wants without you having any right to know exactly what that is. That’s if you can get your PC to turn on in the first place.

ESEA has taken a leaf out of the handbook of the U.S. government: You should be willing to surrender any right to privacy from their screening system because the innocent have nothing to hide, and everyone benefits in the end. The logic reads like an esports Patriot Act. Perhaps there would be some sort of debate worth having if ESEA hadn’t abused these privileges previously.

On April 14, 2013, ESEA began using customer PCs to mine Bitcoins without their knowledge. This was discovered after an update started sending users’ virus scanners into overdrive. Customers complained about blue-screens and hardware overheating for reasons they couldn’t grasp. Then a user posted on ESEA’s forums revealing that the client was indeed mining bitcoins.

At the time, I wrote that “the bar for dishonesty within esports has been raised to new heights overnight.” That’s still the case. The implications were monumental. This was an act of cybercrime perpetrated not by some blackhat hacker or a script kiddie, but by a respected American esports company. The victims? The very people keeping the company afloat. There was little doubt that the company would see the inside of a courtroom after this. But it did have a slim chance to avoid that if only it could step up, take responsibility in a professional manner, and craft a satisfactory explanation (even if common sense dictated that there wasn’t one).

Enter Eric “lpkane” Thunberg, ESEA’s cofounder. His statement surrounding the incident, the company’s first, wasn’t a contrite apology. Rather, it was a bizarre and transparent lie: It was all some sort of elaborate April Fool’s prank that had got out of hand.

lol that got aggressive quickly

back towards the end of march, as btc was skyrocketing, jaguar and i were talking about how cool it would be if we could use massive amounts of gpus logged into the client to mine

we went back and forth about it, considered doing something for april fools, didn’t get it done in time, and eventually elected to put some test code in the client and try it on a few admin accounts, ours included

we ran the test for a few days on our accounts, decided it wasn’t worth the potential drama, and pulled the plug, or so we thought

fast forward to 48 hours ago, a fuck up in the client server results in a restart which results in a setting getting changed which enables it for all idle users, and here we are

and the results for 48 hours of your combined efforts?…

~2 btc, or roughly $280 usd at current exchange rates, not bad!

anyway, our bad, we just released a client update with the btc stuff removed, and your $280 is going into the s14 prize pot — if you’re still feeling sad, feel free to pm me and i’ll attempt to buy back your love

but for the record, i told jag he shouldn’t be lazy and run the miner in a separate process, rookie move

Weigh that up. In Thunberg’s mind, the appropriate reaction for planting malware on your PC, without your knowledge, for the purposes of earning his company profit, is “our bad.” Equally, he thought it endearing to say he will try to “buy back” your love. It’s the mindset of a megalomaniac: “Stopped loving me? I can just buy you back. How can you stay mad at me?”

Eventually, Thunberg’s long-suffering partner Craig “Torbull” Levine arrived to try to mop up the mess. He began by apologizing profusely, issuing a free month of ESEA premium to all users and giving the amount raised, $3,713.55, to the American Cancer Society. He also offered to pay for all damaged equipment if it could be demonstrated it was damaged as a direct result of ESEA’s software.

At the same time, Thunberg was still out there flexing his virtual muscles in the faces of the outraged. On a forum thread speculating about how many people would unsubscribe as a result of these actions, he replied “hopefully a lot.” Any chance of defusing the situation was impossible. There was nothing Levine or anyone else could do to compel Thunberg to shut up, short of an assassin’s bullet.

Needless to say, ESEA lost the court case. A New Jersey court ordered the company to pay $350,000 of a $1 million settlement up front; the remaining $650,000 would be forgiven provided the company could avoid any further repeats for 10 years. Don’t think for a moment that ESEA learned its lesson. A statement released after the court ruling implied that ESEA thought it was the victim of some misunderstanding.

“The settlement that was signed makes explicitly clear that we do not agree, nor do we admit, to any of the State of New Jersey’s allegations,” the organization said. “The press release issued by the Attorney General about our settlement represents a deep misunderstanding of the facts of the case, the nature of our business, and the technology in question.”

Though the idea appeared to be all Thunberg’s—he had made several jokes prior to the implementation that the client was indeed a bitcoin miner—ESEA didn’t hesitate in sacrificing the coder who implemented this idea. Sean “Jaguar” Hunczak, who had been an instrumental part of the company’s success, was seemingly a willing scapegoat. He was publicly labelled a “rogue employee,” even though all the evidence pointed to the contrary, and was pushed out into the cold. After this, it was just business as usual. ESEA knows it has a monopoly and has always exploited that fact. Users threatening to boycott were greeted with the news Thunberg had already cancelled their subscriptions. No one was really willing to go any further. It’s only principles, after all.

So back to the present. The update, released on May 18, was full of security pitfalls, and yet the company still implied it could be trusted. “if you’re uncomfortable with the Client always running then you should uninstall and cancel your subscription,” Thunberg says. Extracts from the court papers should tell you why you should be uncomfortable.

“So if you don’t trust us, you’re an idiot. Did we mention that everyone else’s clients have the cyber equivalent of Down’s Syndrome because it isn’t used as a spying mechanic?”

That message was delivered by Thunberg, the smirking, entitled face of the nouveau riche. He isn’t like most of us. The son of a wealthy Rhode Island real estate agent, his life choices were bankrolled. After graduating in 2003, at a time when most of us would be working some 9-5 wondering what our degree was actually for, he founded ESEA. Four years ago, he signed a $6.5 million mortgage on the Pallisades Mill Complex, a space for small businesses that just happened to be shared with his own mother’s business. “Both my parents were their own bosses and I just thought that is how life was,” he said in a 2011 interview. He already believes he’s too big to fail, that he is set for life, that he doesn’t need your business to be successful.

Perhaps those things are all true. But it is a theory worth putting to the test. It’s unlikely that the people he sees as mere plebs will get the job done just by cancelling subscriptions. In a time where the brand strength of esports organizations is at an all-time high, perhaps it is time for them to get involved. The issue actually affects them more than others. They’re the ones who would most likely be subject to the highest levels of invasion.

During my time investigating the North American match-fixing situation, several people alleged that Thunberg was more aware of the wrongdoing than he let on. In a meeting about one of the thrown matches with his friend Derek “dboorn” Boorn, he reputedly read a conversation word for word that presumably could have only come from the all-seeing client. This could have very well been a paranoid fantasy conjured by players who had already had their sense of suspicion sharpened after living a lie for so long. You can make your own minds up about that one.

And as examples go, perhaps it’s a poor one. It suggests the client could be used to hinder wrongdoing outside of cheating. Try to think instead about the other information that could be dredged up if that allegation were true. Think about how the client could be used for competitor intelligence or leveraging organizations into agreements. We already know the client can copy any file it wishes at the behest of those who control it. Why should anyone agree to give it a bigger window of opportunity within which to do it? This is a level of trust that common sense dictates you should afford nobody, let alone a company that has shown it will happily abuse it at will, for profit and amusement.

A challenge on these grounds is unlikely. When the money is flowing, no one likes to rock the luxury yacht, especially when it’s afloat on an ocean of shit. So long as that is the reality, ESEA will continue to do as it pleases, no matter how egregious. After all, Thunberg himself knows you can always buy back the love.