Protecting Games: A Security Handbook for Game Developers and Publishers

PROTECTING GAMES: A SECURITY HANDBOOK FOR GAME DEVELOPERS AND PUBLISHERS STEVEN B. DAVIS Charles River Media A part of...

Author: Steven (Steven Davis) Davis

142 downloads 2850 Views 2MB Size Report

This content was uploaded by our users and we assume good faith they have the permission to share this book. If you own the copyright to this book and it is wrongfully on our website, we offer a simple DMCA procedure to remove your content from our site. Start by pressing the button below!

Report copyright / DMCA form

DOWNLOAD PDF

PROTECTING GAMES: A SECURITY HANDBOOK FOR GAME DEVELOPERS AND PUBLISHERS STEVEN B. DAVIS

Charles River Media A part of Course Technology, Cengage Learning

Australia, Brazil, Japan, Korea, Mexico, Singapore, Spain, United Kingdom, United States

PROTECTING GAMES: A SECURITY HANDBOOK

© 2008 IT GlobalSecure, Inc.

FOR GAME DEVELOPERS AND PUBLISHERS

STEVEN B. DAVIS Publisher and General Manager, Course Technology PTR: Stacy L. Hiquet Associate Director of Marketing: Sarah Panella Manager of Editorial Services: Heather Talbot

ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced, transmitted, stored, or used in any form or by any means graphic, electronic, or mechanical, including but not limited to photocopying, recording, scanning, digitizing, taping, Web distribution, information networks, or information storage and retrieval systems, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the publisher.

Marketing Manager: Jordan Casey Senior Acquisitions Editor: Emi Smith Project/Copy Editor: Kezia Endsley PTR Editorial Services Coordinator: Jen Blaney Interior Layout: Shawn Morningstar Cover Designer: Mike Tanamachi

For product information and technology assistance, contact us at Cengage Learning Customer and Sales Support, 1-800-354-9706 For permission to use material from this text or product, submit all requests online at cengage.com/permissions Further permissions questions can be emailed to [email protected]

Indexer: Valerie Haynes Perry Proofreader: Ruth Saavedra The information contained in this publication is not intended to convey or constitute legal advice on any subject matter. Readers should not rely on the information presented in this publication for any purpose without seeking the legal advice on the specific facts and circumstances at issue from a licensed attorney. Readers should not consider the information presented in this publication to be an invitation for an attorney-client relationship, and providing the information in this publication is not intended to create an attorney-client relationship between you and any author or contributor to this publication. The information in this publication contains general information that is intended, but cannot be guaranteed, to be always up-to-date, complete and accurate. Any representation or warranty that might be otherwise implied is expressly disclaimed. The authors and contributors expressly disclaim all liability or responsibility in respect to actions taken or not taken based on any or all of the information contained in this publication.

Material in this book may include discussion regarding issues reported in the public media and public legal system regarding services, products, and other material that may be subject to laws granting copyright protection. These issues are discussed for illustrative purposes only and the facts presented are limited to that purpose. Those wishing to seek further information about any illustrative point discussed are encouraged to engage further research. All trademarks are the property of their respective owners. Library of Congress Control Number: 2008932480 ISBN-13: 978-1-58450-670-6 ISBN-10: 1-58450-670-9 eISBN-10: 1-58450-687-3 Course Technology, a part of Cengage Learning 20 Channel Center Street Boston, MA 02210 USA Cengage Learning is a leading provider of customized learning solutions with office locations around the globe, including Singapore, the United Kingdom, Australia, Mexico, Brazil, and Japan. Locate your local office at: international.cengage.com/region Cengage Learning products are represented in Canada by Nelson Education, Ltd.

Printed in the United States of America 1 2 3 4 5 6 7 12 11 10 09

For your lifelong learning solutions, visit courseptr.com Visit our corporate website at cengage.com

For my parents, sisters, family, friends, teachers, and colleagues. Thank you for your patience.

Acknowledgments

irst, I would like to thank Emi Smith, Kezia Endsley, and the team at Cengage Learning for taking the chance to publish a book on game security.

F

Thank you to my readers at PlayNoEvil.com who, through their interest and engagement, have sustained me through the past several years. Thank you to Cheryl Campbell, my great friend and business partner for over 10 years at IT GlobalSecure and also my tireless editor. A special thank you to Joseph Price and Marcus Eikenberry, for their contributions to this book. Thank you to Adam Martin, Pierre Laliberte, Alexandre Major, Marc-André Hamelin, and the other industry professionals who provided invaluable editorial input to the book. Thank you to Richard Davis and Eleanor Lewis for their editorial help. Thank you to my teachers, mentors, friends, and colleagues at the National Security Agency (especially my coworkers in R56, V6, and C7) who instilled in me a passion for the security field and an appreciation for how security “fits” in to the rest of the world. Specifically, Mark U., Brian S., Tim W., Bill M., Cecil S., Sid G., Tanina G., Bill U., Nancy G., Jim A., Ed G., Ed D., Robert W., Bob D., and many others. Finally, thank you to the game industry and gaming industry professionals who have welcomed a strange “security guy” into their midst. Although many people have contributed, the final responsibility for the form, style, content, and everything else related to this work is ultimately mine.

iv

About the Author

Steven Davis has over 22 years of IT and IT security expertise and has focused on the security issues of the gaming industry for more than a decade. He advises game companies, governments, and regulators around the world. Mr. Davis has written numerous papers and speaks at conferences on all aspects of game security. He is the author of the game security and industry blog, PlayNoEvil (http://www. playnoevil.com/). Mr. Davis has international patents on game security and IT security techniques, most notably the anti-cheating protocols that underlie the SecurePlay (http://www.secureplay.com) anti-cheating library. He has designed several games, including DiceHoldem (http://www.diceholdem.com), and acts as a design consultant. He is the CEO of IT GlobalSecure (http://www.itglobalsecure.com), which develops game security products and provides game security, IT security, and game design and evaluation services. Mr. Davis’ experience includes security leadership positions at the U.S. National Security Agency (NSA), CSC, Bell Atlantic (now Verizon), and SAIC. He has extensive cryptographic and key management design experience, including work on Nuclear Command and Control systems, the Electronic Key Management System, and numerous other commercial and government projects. Mr. Davis has a BA in Mathematics from UC Berkeley and a Masters Degree in Security Policy Studies from George Washington University.

v

About the Contributors

Joseph Price is an Associate in the Antitrust and Telecommunications practice groups at Kelley Drye & Warren LLP, with a track record of successfully representing companies in strategic mergers and acquisitions, and is especially adept at working with companies to structure transactions and achieve business goals with competition and antitrust issues. With a particular expertise on counseling companies in regulated industries, Mr. Price has helped clients protect interests threatened by consolidation in the communications industry. He has obtained FTC and DOJ Antitrust Division clearance on numerous transactions, and provides Hart-Scott-Rodino Premerger Notification counseling, preparation, and filing on behalf of many clients, including technologyrelated entities, equity funds, investment funds, and targets of investments. Mr. Price represents clients in public and nonpublic DOJ and FTC investigations and has served as counsel in public and nonpublic FBI, FCC, and State Attorneys General investigations and enforcement matters, including formal and informal administrative complaint proceedings. Mr. Price also provides a full range of legal services for clients that provide technology and broadband services. He works to assist clients achieve business goals, whether they involve access to cutting-edge technologies, growth of market share, product development, or expansion of distribution channels. Mr. Price speaks and writes frequently on antitrust, technology, media, telecommunications, and network security subjects, including the Communications Assistance for Law Enforcement Act (CALEA). His analyses have been quoted in a variety of publications, including Wired, BoardWatch, and Light Reading. Previously, Mr. Price served as a law clerk to Judge Edwin H. Stern of the New Jersey Appellate Division. While earning his J.D. at Catholic University, he served as Editor-in-Chief of the law journal, CommLaw Conspectus: Journal of Communications Law and Policy, and received an advanced certificate from the Communications Law Institute. vi

About the Contributors

vii

Marcus Eikenberry is a serial entrepreneur. He makes his living dealing in intangible goods and services within online video games. His companies sell huge volumes of game registration codes and game time codes as well as providing anti-fraud solutions for other sellers within these online gaming markets. Back in 1990 when the Internet was just for universities and the government, Mr. Eikenberry was doing computer hardware sales to the public. Fraud was very rare and not something that needed much attention. In 1993 when Mosaic hit the public, he attempted to start doing business on the web. In 1994, he published computer hardware sales sheets and started doing mail order sales. Because he didn’t like dealing with physical products, he looked for other products to sell that did not require shipping. In December of 1997, he found the perfect item to sell: intangible goods within online video games. Marcus is a pioneer of sales of these intangible video game items and services. Today, Mr. Eikenberry owns Markee Dragon Inc., which includes several companies, including: TrustWho (www.TrustWho.com)—Anti-fraud services providing transaction processing and payment verification for companies experiencing high fraud rates. Markee Dragon (www.MarkeeDragon.com)—The largest site in the world for the buying, selling, and trading of online game accounts. It is estimated that over 2.5 million dollars worth of accounts and services trade hands in this site’s forums monthly without any charges to the members. Shattered Crystal (www.ShatteredCrystal.com)—Where new game codes, upgrades, and game time have been sold to several hundred thousand satisfied customers since 2002.

Contents

Introduction

xv

The Protection Game

1

1

Game Security Overview What Is Game Security? References

2 3 5

2

Thinking Game Protection Independence Lazy, Cheap, or Stupid Threats, Vulnerabilities, and Risk Beyond Protect, Detect, React Asymmetric Warfare Process, Testing, Tools, and Techniques Second Grader Security References

Part I

Part II

viii

6 7 8 12 13 15 17 19 20

Piracy and Used Games

21

3

Overview of Piracy and Used Games

22

4

The State of Piracy and Anti-Piracy Determining the Scope of Piracy Trusted Brand Security: Nintendo and ADV Anti-Piracy Innovators: Nine Inch Nails and Disney Going Forward References

23 24 28 29 30 31

5

Distribution Piracy Preventing Duplication Detecting Duplication Collectables, Feelies, and Other Stuff Disk as Key License Keys

32 32 33 34 34 35

Contents

ix

Splitting and Key Storage Busted Pirate: Now What? References

39 42 43

6

DRM, Licensing, Policies, and Region Coding The Basics of DRM Why DRM Doesn’t Work Types of DRM Systems License Policy References

44 44 45 46 51 54

7

Console Piracy, Used Games, and Pricing Attacking Consoles The Used Games Market Pricing Pirates Out of Business References Server Piracy Trends

55 55 60 62 65 66

8

Server Piracy Authenticating the Server References

66 70 74

9

Other Strategies, Tactics, and Thoughts Measuring Piracy Fighting Pirate Networks Multi-Player Gaming Rich Interaction System Digital Affiliate System Playing with Secure Digital Distribution References

75 75 76 79 79 84 87 91

10

Anti-Piracy Bill of Rights Basic Fair Use Principles Registration Options Installation Options Connection Options References

92 93 94 95 95 96

11

The Piracy Tipping Point Determining the Goal of Anti-Piracy Policies References

97 97 99

x

Contents

Part III

Cheating

101

12

Overview of Cheating

102

13

Cheating 101 Cheating and the Game Industry Fair Play Cheat Codes The CARRDS Reference Model The Remote Data Problem Security, Trust, and Server Architectures Random Events Player Collusion Business Models and Security Problems References

103 103 105 106 110 111 121 125 127 129 131

14

App Attacks: State, Data, Asset, and Code Vulnerabilities and Countermeasures Memory Editors, Radar, and ESP Data Obfuscators Code Hacks and DLL Injection Blind Security Functions, Code Obfuscators, and Anti-Tamper Software Design Save Game Attacks, Wallhacks, and Bobbleheads Secure Loader and Blind Authentication References

132 132 134 137 139 141 142 145

15

Bots and Player Aids Is It “Help” or Is It Cheating? CAPTCHAs: Distinguishing Players from Programs Cheat Detection Systems References

146 146 149 150 154

16

Network Attacks: Timing Attacks, Standbying, Bridging, and Race Conditions ACID, Dupes, and SQL Attacks Defensive Proxies Hacker Proxies Thinking About Network Time: Act, But Verify Securing Time References

155 155 157 158 163 165 165

Contents

xi

17

Game Design and Security 166 Design Exploits 166 Collusion 167 Trivia Games 167 Word, Number, and Puzzle Games 169 Algorithmic Games, Physics Flaws, and Predictable Behavior 170 Speed, Twitch, Timing, and Pixel Precision 173 Strong and Dominant Strategies and Deep Game Play 175 Power of People: Rock-Paper-Scissors, Poker, and the World of Psychology 175 Game Play Patterns: Combat Devolved 176 Designing for the Medium 179 References 179

18

Case Study: High-Score Security Cheating in High-Score Games Encryption, Digital Signatures, and Hash Functions Client-Server Option Randomly Seeded Client Alternative High-Score Strategies Puzzles, Skill-Based Games, and Other Deterministic Games Inappropriate Player Handles Summary References

181 181 182 184 184 185 186 187 187 187

Part IV

Social Subversion: From Griefing to Gold Farming and Beyond with Game Service Attacks

189

19

Overview of Social Subversion

190

20

Competition, Tournaments, and Ranking Systems (and Their Abuse) 192 Understanding Tournaments and Ranking Systems 192 Lobby Attacks 195 Syndicates and Bots 197 Tournament and Ladder Game Play Attacks 197 Abandonment: The “Game Over” Game 199 Game Operator Problems 201 Identity Problems 202 Countermeasures 204 Retrofitting Games for Tournaments and Skill Games 206 Summary 206 Resources 207

xii

Contents

21

Griefing and Spam Communications Griefing and Spam Game Play Griefing User-Created Content Liability and Business Risk References

209 210 215 217 218 221

22

Game Commerce: Virtual Items, Real Money Transactions, Gold Farming, Escorting, and Power-Leveling Amusement Park Economics Alternative Models On Virtual Items Gold Farming Gold Frauders, Online Thieves, and Insiders Potential Solutions Power-Leveling Escort Services, Subletting, and Virtual Prostitution Summary References

223 226 227 228 230 236 238 239 240 240 241

To Ban or Not To Ban? Punishing Wayward Players Crime, Credibility, and Punishment The Cost of Punishment: Who’s Being Punished? Possible Punishments and Credible Deterrence Summary References

243 243 244 245 248 249

The Real World

251

24

Welcome to the Real World

252

25

Insider Issues: Code Theft, Data Disclosure, and Fraud Code Theft and Other Data Disclosures Office IT Infrastructure Insider Fraud Playing Your Own Game Privileging and Isolation References

254 255 258 259 260 262 265

26

Partner Problems Contracting Security? Security Accountability in Third-Party Development Security Accountability in Third-Party Licensing Service Provider and Partner Security Issues

266 266 267 268 270

23

Part V

Contents

Community and Fan Sites References

xiii 273 274

27

Money: Real Transactions, Real Risks Payment Processing Inside the Payment Process: PayPal Anti-Fraud Integration for Automation Payment Fraud References

275 276 280 282 286 287 287

28

More Money: Security, Technical, and Legal Issues PCI-DSS and Security Account Security, Virtual Items, and Real Money Money Laundering and Illegal Payments Money Laundering: Legal Issues References

288 289 289 290 291 293

29

Identity, Anonymity, and Privacy The State of Identity and Anonymity The Registration Problem and Identity Management Systems Age Verification Usage Controls and Game Addiction Account Compromise, Identity Theft, and Privacy Legal Requirements for Privacy Protection References

294 295 296 302 304 306 308 310

30

Protecting Kids from Pedophiles, Stalkers, Cyberbullies, and Marketeers Dealing with Cyberbullies, Pedophiles, and Stalkers Kids’ Communications, Parental Controls, and Monitoring COPPA Children and Identity Child Pornography References

313 315 316 319 320 321 322

Dancing with Gambling: Skill Games, Contests, Promotions, and Gambling Again What Is Gambling and What Is Not Accidental Casinos Skill Games Miscellaneous Security Issues Legal Considerations References

324 325 326 327 328 329 333

31

xiv

Contents

32

Denial of Service, Disasters, Reliability, Availability, and Architecture What Can Go Wrong, Will Go Wrong Denial of Service Scalability and Availability Sample Game Operations Architecture Disasters and Disaster Recovery Contingency Planning References

335 335 336 339 340 342 342 343

33

Scams and Law Enforcement Scams in Games Game Scams Law Enforcement Facilities Requirements: Potential Unexpected Laws and Regulations References

344 345 347 348 349 350

34

Operations, Incidents, and Incident Response Secure Operations Active Measures Incidents and Incident Response Public Relations and the Perception of Security References

351 352 354 354 356 358

35

Terrorists Virtual Terrorism Online Tools for the Modern Terrorist References

359 359 360 363

36

Practical Protection “We Have Met the Enemy and He Is Us” The Business of Game Protection In Closing References

364 364 367 370 370

A

Selected Game Security Incidents

371

B

Glossary

379

Index

385

Introduction

his book is intended to infect its readers with an interest and concern for game protection. My goal is not to preach to the ”security converted,” but to convince game designers, developers, programmers, managers, marketeers, and artists that they should care about the security of their games and give them confidence that there are ways to secure their games.

T

Asian hackers hack for money, not glory. They do not share their hacks, but sell them and do not seem to be as sophisticated as those in the US and elsewhere who target services in the US. —Whon Namkoong, CEO, NHN USA, Casual Game Conference 2007 Designers ask, “How can I make my game fun?” Executives ask, “How will this game make money?” Both questions have a security component: How can someone undermine my game’s play? How could someone play and not pay? What could undermine the success and potential of this game? Game protection is about answering these questions. Ignoring them can ruin the game and cost its creators their business. Ideally, this book will also be useful for IT security and game security professionals. There is a lot of game security information scattered about on the Internet and in various press releases and magazine articles. This book brings this information together in one place. When I started discussing game security, a number of industry professionals told me that the game industry needed its “Pearl Harbor” to bring security to the fore. Although there hasn’t been a single, spectacular and devastating attack, there is an ongoing guerrilla war that distracts the industry from its primary goal—to build great games. As a longtime security professional, I have found game security problems quite fascinating.

xv

xvi

Introduction

Even on a bad day, traditional IT security for business is relatively straightforward. There are only a limited number of things that can happen—money changes hands, maybe with a third party involved via escrow; assets move through a workflow process; and decisions need approval. Very rarely does IT security get deeply entwined into the unique aspects of a business. Not so with computer games. Even a simple card game has more complicated interactions than many business processes—information is concealed and shared, cards must be dealt fairly, wagers made and resolved—and most games are much, much more complicated. Customers are often the adversaries: exploiting game mechanics, stealing game assets, and hacking high scores and achievements. Games can have a wide range of rules, systems, and transactions limited solely by the imagination of the game developers, the skills of its programmers, and the strategies of its executives. Today, games face longstanding challenges from piracy and cheating with the new additions of protecting children and privacy. The list goes on and on and on. Plus, you still have all of the traditional IT concerns, including money, authentication, encryption, and so forth. Protecting games is fascinating, fun …and a whole lot of work.

K NOW Y OUR F OE The game industry is in a tremendous cycle of innovation with new games and game business models emerging. Participation is expanding beyond the industry’s traditional audience of teenage boys into a market that includes everyone from kids to mom, dad, and even seniors. The bad guys are following right along. I began my security career at the National Security Agency working, mostly, on Nuclear Command and Control systems. Our adversary was the USSR—a highly motivated, skilled, well-funded, committed foe who would do whatever necessary to defeat us. Instead of the KGB’s staff and budget, game hackers and cheaters tap a global pool of talent who will happily attack a game for free with their only reward being pride at being the one who breaks the latest title: a serious foe to be taken seriously. Even worse, criminals have learned that games are a lucrative target. A stolen World of Warcraft account is worth more than $10, whereas a stolen credit card number can be had for as little as $1.50. The game industry groups estimate that piracy costs billions of dollars a year.

Introduction

xvii

Viruses, worms, and phishing scams aren’t just being created for fun. IT security threats are now a major criminal problem. Hackers don’t write viruses just to infect as many computers as possible, they write highly targeted worms that sniff game account passwords or loot online poker accounts.

S TRUCTURE

AND

C ONTENT

Most security books are structured around technologies or solutions: encryption, firewalls, digital signatures, and so on. Because the subject of this book is protecting games, I have organized it around the topics that game developers care about including—piracy, cheating, tournament hacking, gold farming, protecting children, and protecting identity. Many attacks on games and security methods use common underlying techniques and so there is some redundancy of exposition. For example, memory editors are useful for piracy and cheating, whereas challenge/response protocols are useful to protect high scores and remotely authenticate software. Interestingly, traditional security techniques such as encryption and digital signatures are much less effective for protecting games because most of our attention is focused on insider attackers who have access to the platform and software and therefore can often access cryptographic keys or circumvent digital signature functions. Cryptography still has an important part to play in protecting games. However, because this is text is targeted at general readers, I do not spend much time explaining the details of the cryptographic protocols I discuss. There are plenty of books on these topics for interested readers. I try to draw example games from the entirety of the industry—everything from gambling and skill games to advergames, casual games, subscription MMOs, free-to-play games, and first person shooters. Occasionally, I will cite examples from traditional (and not so traditional) board and card games, as it is often easier to understand the actual game mechanisms when there are no fancy graphics or animations. There are numerous specific security incidents cited throughout the book, drawn from fairly credible press or public sources. The actual facts of the incidents are often unknown, as game companies, like most other businesses, are not in a hurry to share the details of their security problems. Often I am guessing as to what the underlying problem is and what a plausible solution could be, based on my experience. When I have been given official knowledge of game security problems, I am almost always constrained by a non-disclosure agreement. The specific security incidents discussed are not an indictment of any individual, developer, or publisher, and certainly not an endorsement of any hacker.

xviii

Introduction

In most cases, there is no way to verify that the descriptions or problems are completely accurate. Rather, the incidents should be considered examples of the types of problems that games and game developers face. Many of the countermeasures that I discuss are non-technical. I am a big believer in trying to find easy ways to avoid problems rather than always solving problems with a technical fix. If possible, I try to include multiple solutions since your game and your environment may be far different than my examples. If nothing else, I want to show that protecting games is not purely, or even primarily, a technical problem. I do include some pseudo-code. It isn’t C or Java or Python, but simply an efficient way to describe various algorithms, protocols, and processes.

A TTACK T OOLS

AND

T ECHNIQUES

I discuss attack tools and techniques throughout the book. If possible, I try to keep the discussion at a generic level and not give sufficient information to implement a specific attack on any specific game or product. I do mention several widely known tools for hacking games. This is not an endorsement of these products, confirmation of their functionality, or a recommendation of any kind. Anyone who considers using such attack tools should do so with great caution. Criminals delight in including key-loggers, spyware, adware, and an abundance of other malicious code with installation packages for hacking tools. Even compiling these tools from source code can be risky—are you really going to examine every line of code and every included library?

O NWARD This book is the product of over seven years of tracking and analysis of game security issues, the last three of them covered in my blog, PlayNoEvil (http://www. playnoevil.com/). My hope is that I convey some of the excitement that I feel when a new game problem comes along... and, even better, my satisfaction when I see or create a solution. The game industry is in the midst of an amazing transformation and I believe that protecting games will be critical to the success of that transformation. Steven B. Davis

October, 2008

Part

I

The Protection Game

In this part, you’ll find the following topics: Chapter 1, “Game Security Overview” Chapter 2, “Thinking Game Protection”

1

1

Game Security Overview

hy should we worry about game security? Who should worry about game security? What exactly is game security? How much should we worry about game security?

W

Welcome to the “security game.”

Everybody plays the security game. You play whether you want to or not. You are playing the security game when you build or operate a game: Your customers want to play for free, always win, say what they want, and do what they want to whomever they want. And the Internet only makes this worse. Your players can come from any country. Misrepresent their identity. Upload and download your games (paid for or not) to an audience of millions or billions. However, you want to make money (usually), players want other players to play fairly (whether or not they do so themselves), treat them well, and protect their children. And, of course, there is one kind of help you usually don’t want: the government. Game violence, addiction, privacy, obscenity, pedophiles, gambling, marketing, terrorists, hackers, criminals—all sorts of issues can get you on the government’s radar. Finally, you have traditional IT and ecommerce security issues including data theft and information disclosure, disaster recovery, and, when things do go wrong (and they will), incident response. I’ve been told security is the game publisher’s problem; I’ve been told it is “a technical problem;” and I’ve even been told that it is no problem at all or to wait for the game industry’s “Pearl Harbor.”

2

Chapter 1 Game Security Overview

3

W HAT I S G AME S ECURITY ? Game security is two things: First, it is the dark side of your game. It includes all the problems that you don’t want to think about, but that could ruin your business and your game. Second, and more hopefully, good game security may open up new ways of operating your game or implementing your business that would not be possible otherwise. WHEN SHOULD YOU CARE ABOUT GAME SECURITY? This is simple. If game security does not save you money, enhance your reputation, or make you money, don’t waste your time on it. Security should be held to the same standard as anything else you are doing. A nice thing about security in the game industry (and elsewhere) is that it is often quite cheap to address at the beginning of a project. Security can be horribly expensive or just unsolvable late in the development process or after the game is running. Security and quality go hand in hand. In fact, many security defects are really quality defects. WHO SHOULD WORRY ABOUT GAME SECURITY? Everyone. You will be able to avoid or solve most of your security problems just by being aware of them and considering the possibility of things going wrong while you work. Security is not the responsibility of the security guy (or gal). Security staff is there to focus on security just as testers focus on testing, designers focus on design, and marketers focus on marketing. Hopefully, they bring domain expertise to the subject, but, at the end of the day, everything needs to be balanced (the business model, the game design, the art, the budget, testing, and security). In general, good data on security incidents is pretty scarce. People don’t like to admit their problems unless they have to. Without California’s Data Disclosure1 law, it is unlikely that any of us in the US would hear about the numerous compromises of our personal data. Security problems can lead to real changes in consumer behavior. According to a survey by Unisys of 8,000 individuals, 45 percent stated that they would change financial institutions because of security problems 2. The game industry faces unique challenges in this regard because players see security problems that affect both themselves and others. Security problems with most businesses are only visible to the individuals involved. Even in a publicly traded company, security problems are buried in overhead expenses. Game security problems are noticed by everyone. Even single-player games are social. Players share results and achievements. Once you move to multi-player games, even something as simple as a shared high score list creates intense attention to perceived cheating. Thanks to the Internet,

4

Protecting Games: A Security Handbook for Game Developers and Publishers

problems with games get broadly distributed very quickly and can cause irreparable harm to the game business. Traditional criminals do their work in the dark. Attacking games can be a true ego trip spurring game hackers even without any financial reward: Attackers have the attention of thousands or millions of fellow players. Of all the articles that I’ve written on my blog, PlayNoEvil (http://www. playnoevil.com/), the long-term, number one page view is an article I wrote about cheating at Flash games written in early 2007 (currently, the leading contender is an article on hacking children’s games). Many of the comments I receive are requests for help cheating in the various games I discuss! Consumers care about security. In 2005, a survey of 150,000 Chinese online game players found that “no game hacking and cheating” was the Number 2 issue for choosing a game to play (at 11.02 percent), just behind graphics and audio content. It also found that “game cheating and hacking destroyed game” was the Number 1 reason for leaving a game (18.5 percent) with “game security” itself at Number 9 (5.85 percent)3. In the US, Intel did a small survey of 226 gamers focused on cheating and found that 71% were either extremely concerned (23 percent) or somewhat concerned (48 percent) 4. Cheating problems are of such concern to game companies that they regularly delete related discussions from their online forums. Popular concern with game addiction has led to actions to restrict the number of hours consumers can play in China and elsewhere 5. Although consumers care more about cheating and excessive game play, piracy is the number one concern for many traditional computer game companies. The Entertainment Software Association (ESA) estimates that piracy costs the U.S. game industry $3 billion per year 6. Another disturbing fact is that games, particularly online games, are increasingly the targets of criminals. In June 2008, Fortinet found that 13 percent of Asian malware (malicious programs such as worms and viruses) targeted games 7. The growth of online gaming has made game account theft lucrative. Criminals use key-loggers (programs that extract keystrokes from a computer and send them to a remote location) to steal players’ usernames and passwords to empty player game accounts and sell the contents to others. The global nature of the game industry makes legal remedies virtually futile. Blizzard, the operator of the hugely popular online game World of Warcraft, has gone so far as to start selling a low-cost authentication token8—a technology previously reserved for serious consumer applications like bank and stock trading accounts as well as within corporations and governments. The problem is getting worse. Hackers are following the money and there is easy money in attacking games. In the early days of the online gambling industry, hackers attacked an online casino running software from Cryptologic Inc. The company quickly shut the servers down, but during those short couple of hours, everyone playing craps and video slots won every game, costing the company $1.9 million 9.

Chapter 1 Game Security Overview

5

Gaming is no longer a niche; it is a major form of global entertainment. Everyone is getting in on the act. Ordinary companies are incorporating games and contests into their marketing campaigns. Deloitte Touche Tohmatsu found in a 2008 survey of Dutch advergame sites that over 90 percent of the games are vulnerable and over 50 percent are, in fact, attacked 10. Companies are tying cash and prizes to these games, making them targets and turning what could be a marketing bonanza into a public relations nightmare. THE GAME SECURITY CHALLENGE The challenge of game security is that you, the game creator, have to play by the rules. You can’t break laws; you have limited time and a perpetually squeezed budget; and you have to keep your customers safe—all while providing an entertaining experience. Your foes are constrained only by your efforts. They know no boundaries, and may attack you simply because they can. Let’s see if we can win.

R EFERENCES 1. California (2002), “SB 1386,” http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_ bill_20020926_chaptered.html 2. W. Eazel (2005), “Majority of World Worried about Internet Fraud,” via http://playnoevil.com/ serendipity/index.php?/archives/144-Bad-Security-Makes-Consumers-Change-Online-Behavior-GoodDemographics-Metrics.html (original link http://www.scmagazine.com/us/news/article/530336/?n=us) 3. PlayNoEvil (2006), “Game Security Major Issue for Online Gamers in China,” http://playnoevil.com/serendipity/index.php?/archives/719-Game-Security-Major-Issue-for-OnlineGamers-in-China.html 4. Intel (2006), “Intel Fair Online Gaming Study” 5. China Daily (2007), “China Clamps Down on Teenage Internet Gaming,” http://www.chinadaily.com.cn/china/2007-07/17/content_5438062.htm 6. ESA (2007), “Video Game Industry Applauds Game Pirate’s Sentence,” http://www.theesa.com/ newsroom/release_archives_detail.asp?releaseID=20 7. Fortinet (2008), “The State of Malware: June 2008 Edition,” http://www.fortiguardcenter.com/reports/ roundup_jun_2008.html 8. Blizzard (2008), “Blizzard Authenticator Offers Enhanced Security for World of Warcraft Accounts,” http://eu.blizzard.com/en/press/080626-ba.html 9. B. Warner (2001), “Hacker’s Heaven: Online Gambling,” http://www.cbsnews.com/stories/2001/09/10/ tech/main310567.shtml 10. Deloitte (2008), “Advergames op Grote Schaal Gehackt,” http://www.deloitte.com/dtt/press_release/ 0,1014,sid%253D13354%2526cid%253D202819,00.html (English language version at http://playnoevil.com/serendipity/index.php?/archives/2107-SeriousAdvergame-Hacking-Problems-Deloitte-Touche-Tohmatsu-Netherlands-Survey-Findings.html)

2

Thinking Game Protection

y first impulse when I began this project was to use the word “security” in the title. After all, we usually talk about IT security: When I started in the field in the mid-1980s at U.S. National Security Agency (NSA), I worked in communications security (COMSEC) and computer security (COMPUSEC) and later information security (INFOSEC). There was also Operations Security (OPSEC), transmission security (TRANSEC), and a whole bunch of other SECs.

M

The problem with the word “security” is that it is a bit of a lie. You can never be completely secure (and every security person will tell you this). Security is an ideal, like truth, beauty, and art. This linguistic trap was articulated in one of the few really good books in the field that I have found: Information Protection and Other Unnatural Acts by Harry Demaio1, sadly, long out of print. Protection captures our endeavor much more accurately than security. We are in the business of protecting games, because we know that we can’t fully secure them. We face the same problem everyone else does—protection fails, sometimes with spectacular consequences. When we think about protection, we are already thinking in economic terms—“how much protection is enough?”—rather than in absolutes. There is power in imperfection. My goal in this section and throughout this book is to change how you think, not about game security problems, but about game protection and how to achieve it. This section does not address the specific issues of piracy, cheating, or any of the other numerous challenges that drive game developers to distraction. Rather, it gives you a framework you can use to think about protecting your games in the face of these threats, or at least how to protect your games “well enough.” Game developers and publishers often seem a bit fatalistic about security. There seems to be a tendency to give up and simply accept the problems. Or, conversely, developers and publishers seek some magic bullet—a single product that will solve their problems with one purchase; preferably bought at the end of the development process from someone else’s budget.

6

Chapter 2 Thinking Game Protection

7

This violates my first security principle: Security Principle 1: Anything that is easy to add is easy to remove. Many anti-piracy solutions such as digital rights management (DRM), which is discussed in Chapter 6, repeatedly demonstrate this problem. The notion of “layers” is used when discussing security, but the term is widely misunderstood. It is common to talk about a “security layer” or about “security services.” Tools like encryption, key management, firewalls, and intrusion detection are put into nice little architectural blocks to be called on when needed and are called security layers or services. Nothing could be further from the truth. Properly speaking, one should talk about “layered security.” When we are in the world of protection, we understand that all our security tools are far from perfect. The art and engineering of well-protected systems comes from combining multiple, interlocking security techniques into a powerful whole. Rather than building a security chain that is only as strong as its weakest link, you need to create a security mesh of independent elements that is much stronger than any individual links and will continue to operate even if a single tool fails. Effective protection requires weaving security throughout your application or business. Some of your protection tools may not even be security techniques, but simply carefully chosen parts of your business or technical strategy.

I NDEPENDENCE In 1990, Clifford Stoll wrote perhaps the first true computer security caper story The Cuckoo’s Egg 2. It was even made into a NOVA special. Dr. Stoll was an astronomer who, unable to get a job doing astronomy, worked at Lawrence Berkeley National Lab as a system administrator. His boss asked him to investigate a $0.75 discrepancy between an old, custom computer accounting system and the standard UNIX one. This investigation led to an international spy ring, the FBI, CIA, and all sorts of other entertaining things. It’s a great book or video. The most important lesson of the story seems never to have been learned and is my second security principle: Security Principle 2: Effective security comes from weaving together independent systems.

8

Protecting Games: A Security Handbook for Game Developers and Publishers

The only reason that this case came to light was because someone noticed the accounting discrepancy between the old accounting system and the standard one. The hackers knew enough about the standard UNIX operating system to attack the accounting system and hide their tracks. They did not know about the strange old Berkeley accounting system. If they had, they would likely have beaten it, as it was running on the same computer. To show how bad the problem is, many computer security references use the term “audit trails” routinely. The term “audit trail” clearly implies all sorts of wonderful independence and security. Unfortunately, these tools are not audit trails at all, only accounting records. There is only one system involved that is generating the report, not two independent ones. When I talk about independence, I am really talking about statistical independence: Entities are independent of each other if events or actions related to one do not affect the other3. The challenge, of course, is how to build independence into your system—without breaking the bank. Independence is discussed much more extensively in the field of safety engineering by those who are building reliable and highly available systems than it is as a security principle. Passenger jets have multiple engines so that the plane will be able to fly when one (and sometimes more than one) engine fails. The Space Shuttle has five flight computers that vote to avoid undetected failures. We can actually achieve the goals of independence in multiple ways. As described, we can have multiple entities that independently generate identical results (we hope). We can also have systems that generate multiple results that are independent of each other—a log of game wins, losses, and wagers compared to a financial log of deposits, transfers, and payments. One of the areas where games have an advantage over other entertainment media is that they are naturally highly transactional. While I may buy and watch a movie, for many games I can post high scores, play with other people, and otherwise repeatedly interact. These numerous interactions can be used together to prevent and detect piracy, discourage griefing, and deter cheating.

L AZY , C HEAP ,

OR

S TUPID

I’ve long enjoyed the engineering truism “good, fast, or cheap; choose two.” In other words, if you want something good and fast, it won’t be cheap and if you want something fast and cheap, it won’t be good. I think the security field needed something similar, so here’s my stab at it: Lazy, cheap, or stupid: Any one will get you. … or some such.

Chapter 2 Thinking Game Protection

YOU CAN’T COUNT ON TRUST “Trust” gets waved around a lot in the world of IT security (and, recently, in discussions about fighting piracy). When I started out in the security field, a big focus was on trusted operating systems and since then we’ve moved on to trusted platform modules. The whole idea of these products is that by building a whole lot of “security” (whatever that means), we can “trust” the “trusted” thingy and be secure. The goal is noble, but rather naïve. First of all, there is no objective definition of security. The security requirements for another business can be very different from yours even when you both are using the exact same applications and platforms. The game industry is not the same as the military; which is not the same as a dating service or an online auction service. Second, most real security problems occur at the application and business operations levels, completely independent of the underlying platform. Spell checkers may be able to determine whether a word is spelled correctly, but they can’t tell if you’ve chosen the wrong word (a problem that I’ve found often while editing this book). If you have incorrectly defined or configured your ordering process, an unauthorized individual may be able to furnish his house at your expense. A trusted platform will do nothing to solve malicious use of a legitimate application. Third, the interaction of arbitrary applications on top of a trusted platform can no longer be considered trustworthy. As I noted, when my career began in the 1980s, trusted operating systems were all the rage. What we found was that once we started adding applications to these platforms, our security analysts were able to undermine the system by attacking the applications directly. Currently, the focus is on hardening standard operating systems—basically getting rid of the gratuitous “stuff’” that can cause some of the worst problems. This includes removing unnecessary applications such as editors and compilers as well as unneeded network services, analysis tools, and many of the other products that are provided as part of a standard operating system distribution. Fourth, what if the trusted platform fails? It happens. Even if you wanted to, could you risk your business on the promises of a third party? Once upon a time I worked on a government project with a very clever anti-tamper piece of hardware. Our security team had to plan for the scenario where we would lose one of these devices (which we had spent a lot of money making tamper-resistant). Our final assessment was that we had to operate the system as if we had no tamper protection. That, if we ever lost control of one of our anti-tamper boxes, we still had to assume it had been compromised and implement our procedures to recover our security status—even if it was returned “intact.” Trust is not enough. All of this is not to say that using trusted systems is not good practice. However, it’s best to use these products as tools and part of an overall security system plan, not as the hard kernel of security.

9

10

Protecting Games: A Security Handbook for Game Developers and Publishers

To an outsider, security often looks like black magic. The field is full of magic words: rootkits, worms, viruses, hackers, penetration tests, amazing sagas, embarrassing failures, and spectacular capers. Scratch the surface, however, and you’ll find that almost all security problems arise from one or more basic human failings: laziness, being cheap, or stupidity. These are security’s three deadly sins, so let’s look at each in more detail. Laziness

There is depth and even some real complexity as you learn the art of security, but the reason many security experts can appear to work miracles and divine problems after taking only a cursory look at an organization, system, or project comes from knowing the following: Security is not a primary concern of most people. When you don’t care about something, you tend to take shortcuts and cut corners. People are wonderfully consistent, especially in how they cut corners. Of course, things aren’t quite this simple. You need to have a good deal of knowledge of development practices, programming, system design, project management, business planning, and “human nature” to pull off these “miraculous” insights. Once someone describes a situation for me, the first thing I think about is “what would be the easiest way to build this system?” and, because the easiest way to build something is rarely the right way, “what is the easiest way to exploit the poorly built system?”. Habits are wonderful for predicting future disasters. In the game industry, the biggest cheating problems come from the fact that most developers start by programming a single-player game and then add multi-player features. Even though everyone knows and complains about piracy, they don’t actually seem to start planning a strategy against it until the game is about to launch. The game industry is not alone. I’ve been brought in on classified government projects after years of development and many millions of dollars spent, where security only came up because someone noticed that the system needed to be accredited as secure before it was allowed to operate. Being Cheap

Security is never given a decent budget. It is a legitimate problem for planners. Security rarely shows up as a positive revenue line item. It is always portrayed as a cost with nebulous benefits at best. Interestingly, one of the things I like best about the game industry is that its security problems are so closely tied to its core business.

Chapter 2 Thinking Game Protection

11

In many other industries, it is very hard to argue whether one firewall is better than another or if one should invest in an intrusion detection system or not. This is not true for the games industry. Piracy costs sales. As a security analyst, I can make estimates of those costs and the benefits of my proposed anti-piracy strategy and present a reasonable business case to management and ask for a budget. Cheating has not been seen to be a major problem for traditional, single-player games that are sold shrink-wrapped at a retailer. However, as we move towards multi-player and online games and the industry transforms from a product-sales business to a service business, cheating becomes much more important. Cheating and game integrity has always been critically important for skill games, contests, and the gambling side of the industry. Similarly, payment processing, identity, protecting children, and the other topics that I will discuss are not theoretical problems. They can cost your business money or, even worse, give you the opportunity to deal with irate customers or governments. Stupidity (Ignorance Is Bliss, for a While)

Developers in every industry are rightfully proud of their accomplishments and eager to hurry their products to market. After a long slog of development and hopefully some testing, most developers are rather confident about their product’s ability to work well. In physics, Work equals Force times Distance. If you don’t go anywhere, you haven’t done any Work. The remorseless calculus of security doesn’t care how hard you worked or who you are. Hackers just care about what you have actually done. When I made my first security presentation to the game industry in 2001, developers shared horror stories of players hacking Flash games just to get high scores on their individual sites. Eight years later, players are still hacking Flash games to get high scores to win prizes and lots of cash… and causing some large companies serious grief in the process. Gold farming isn’t a new problem and people have been creating bots since the early text MUDs. However, pretty much every modern MMO has continued to be plagued by these attacks. Now, instead of a couple of guys running a game on a university server, gold farmers are earning millions, if not billions of dollars, and chewing up entire customer support teams. Major game publishers are spending untold dollars suing bot builder companies knowing full well that another will spring up, probably in a jurisdiction beyond the effective reach of their lawyers. All of the security issues discussed in this book are fairly well known to professionals in the industry as well as interested consumers and even more interested hackers and criminals. The best way to avoid security problems is to simply acknowledge them at the start of a project and address them early in the development process. Or, at the very least, ignore them consciously. It is simply stupid to do otherwise.

12

Protecting Games: A Security Handbook for Game Developers and Publishers

The good news is that solving many of your security problems may be as simple as adding “remember security” to your project’s PowerPoint templates.

T HREATS , V ULNERABILITIES ,

AND

R ISK

The game industry knows who its attackers are: Pirates steal games, cheaters win unfairly, griefers and gold farmers are just a pain for everyone. The IT security literature talks a lot about vulnerabilities, threats, and risks. The language of the industry and its processes in this regard are a bit confusing. The real question is: What, if anything, can a security analyst tell you that will cause you to change how you operate or spend money to fix something? While people may talk, and talk about security requirements, in practice, these requirements are undermined when there is money and effort required. This is frustrating for security analysts, as they spend a lot of time hunting for vulnerabilities, writing them up, and presenting them to management only to be told “we’ll accept the risk.” The problem is, management might not be right about accepting the risk, but the basis of their decision seems to have little to do with the described vulnerability, but rather with rhetoric. Risk is the nemesis of protection. Risk is where people get into the most trouble. It is basically a qualitative assessment of how likely someone will do something (bad) and the probability that he or she will succeed. Risk also captures the consequences, usually in financial terms, of an incident. On paper, this doesn’t sound like a bad concept at all. The problem is with its use. Risk assessments, vulnerability assessments, and threat assessments seem to all boil down to a long questionnaire and Excel spreadsheet that reduces risk to a number. Often commercial products will generate some “risk score” number, which is then used to determine whether you are secure enough. There are three important problems with this approach. First, the weighting schemes that are used to compare one attack or vulnerability to another are often hidden and reflect the biases of the tool maker (or consultant) rather than the priorities of the client. Second, some risks are not commeasurable, or rather they shouldn’t be: It makes little or no sense to combine security issues related to identity theft with those for denial of service. Third, the tools rarely seem to support business decisions. Instead of giving a final numeric score, these tools would be

Chapter 2 Thinking Game Protection

13

more useful for determining relative residual risk between programmatic choices: Should you choose Option A with Budget B, which yields Risk Profile C or choose Option D with Budget E, which yields Risk Profile F? Making assumptions about your adversary is quite dangerous. People tend to “mirror image” their foes. They assume that the enemy has the same propensity for risk and values as they do. The game industry is particularly vulnerable to this problem: Game pirates put a radically different value on games than a publisher does. In practice, they face little to no risk for the actual act of breaking a game’s security and they seem to have the time and patience to effectively defeat many security systems. Gold farming is, allegedly, a billion dollar industry employing tens of thousands of individuals worldwide. Aggressively exploiting an MMO’s economy is big business. For the game operator, controlling gold farming is often a low priority. It falls somewhere between customer support and bug hunting. The operator’s main priority is to keep the servers running and the players playing and paying.

B EYOND P ROTECT , D ETECT , R EACT Protect, detect, react. It has become something of a mantra in the traditional IT security community. First, you protect your information from attack. If they successfully attack you, you detect the attack and react appropriately. This iron triangle of IT security probably arose out of a military perspective: Attack, defend, and counterattack. Protect, detect, react is simple, wonderful, and far from complete, even in a military context. There are at least seven additional basic security strategies: Recover—Reconstitute the system to a secure state (or secure as possible). Interestingly, this strategy is critical for military systems as well. For example, if an encryption key is compromised, you create and distribute a new key and remove the old one. If security equipment is lost, it is simply locked out of the network. It is important to note that this does not reestablish the security of any data that has already been compromised. In a military setting, the compromised data may no longer have any value. The message “Go to War” is not a secret for all that long. Unfortunately for game developers, if a digital rights management (DRM) system does not restore the security of the lost game, it restores the security for future games.

14

Protecting Games: A Security Handbook for Game Developers and Publishers

Avoid—There are some fights that are not worth fighting, battles not worth winning, and problems that are “too hard.” For games, often we can change the game’s business model and design as well as its code as a way to thwart attackers. Online games that use the “free-to-play” business model where everything is purchased from the game operator are essentially immune to gold farming. Botting, the use of automated programs that play on a player’s behalf, is a hard problem, in many cases. Game developers might consider changing the game design to make botting impractical or change the game rules to make the benefits of botting negligible. An Indian game operator used this tactic for an MMO that he had licensed that was known to have problems with bots4. The game operator added direct item and currency sales to the subscription game, thereby reducing the benefits of botting. Ignore—Some problems are just not that bad. It is certainly fair to choose to ignore them, especially if the cost of addressing the problem is high. Many traditional computer game developers often ignore cheating problems with their multi-player games, as the entire multi-player feature is often considered just another option added to the core, single-player experience. Delegate—Sometimes you can transfer a problem onto someone else. If you are able to do this, why not let someone else deal with the problem? The delegation strategy can be particularly useful to transfer liability. There are certain third-party companies that are legally authorized to accept liability for protecting children’s identity information and limiting marketing under COPPA. This may be a more effective, and less expensive, option than complying with COPPA internally. I would argue that many in the entertainment industry are trying to delegate their piracy problem to the government. Department of Justice lawyers and FBI and Customs agents are almost free for the industry; they cost just a bit of lobbying. Insure—If you can’t eliminate a problem, why not buy insurance? It works for car accidents, after all. Unfortunately, this option is rarely available for IT security or game security problems today. It is probably the great unmet security opportunity. Watch for companies who offer security services to see if they also offer liability protection. Many work like your home security system; their insurance basically consists of a refund on your security system equipment purchase (at best) or a refund of a month’s fees. In the IT security area I have seen identity theft insurance that falls in this category. Reward—Why focus on “sticks” when you can offer “carrots” to those who might otherwise harm your product or business? The key, of course, is that the reward has to appear significant to your customers while being very costeffective to provide. The “good driver discount” for auto insurance and airlines’ frequent flier programs are familiar examples.

Chapter 2 Thinking Game Protection

15

Deter—The threat of punishment works as long as the possibility of being caught is high and the punishment is substantial. Law enforcement, peacetime armies, and nuclear war all rely on deterrence. Compelling good behavior is often much more expensive than relying on deterrence. Also, systems that attempt to compel goodness often are less effective at detecting their own failures. There is a bit more that can be added to the original mantra: Protect—As noted while discussing “Recover,” you actually need to know what you are protecting. I have seen many people confuse using encryption with “security” and hash functions with “integrity.” Game developers have relied on a browser’s encryption function to protect high scores from manipulation. Unfortunately, high-score cheaters are the actual people playing the game and thus have access to the score before it is encrypted. Similarly, several major commercial games have used hash functions to “sign” data, not realizing that the data hash can simply be replaced with one for the hacker’s preferred game configuration. Detect—Detecting problems can be tricky. Game piracy without network connections is essentially impossible to quantify, as there is no direct feedback. If the number of validated, registered licenses is less than the royalties for a game developer, it could be an interesting question whether the game has a piracy problem or an issue with the publisher withholding royalties. React—Ban, ban, ban. Banning pretty much seems the only strategy used to punish gaming wrongdoers, whether they are pirates or cheaters or whatever. For a game company, banning is pretty extreme and tends to deprive the company of revenue, so it is a fair question as to whether banning always makes good business sense. A complete security system is built by creatively combining these strategies to form a coherent whole. For all of the game industry’s complaining about piracy, particularly on the PC platform, there doesn’t seem to be much thought put into managing piracy during the game development and publication process.

A SYMMETRIC W ARFARE Security is about managing uncertainty. You never know for sure when and where you are going to be attacked, but you are pretty sure that it is going to happen sometime. Also, security is a support function to your real goal of providing a great game and running a successful business. It is not the end, but a means. Good protection has got to be lean.

16

Protecting Games: A Security Handbook for Game Developers and Publishers

Protection is a battle between you and your foe. Both of you have time and resources to allocate to the fight. The only advantage you have as the defender is you get to set some of the rules and choose the battlefield. As noted previously, one the biggest problems that you face is asymmetric values. Your foe may be far more interested in attacking your game than you are in defending it. Also, you are obliged to defend the entire game and succeed everywhere, while your adversary only has to find one hole in your armor and you are lost. Sadly, a clear example of this asymmetry is the state of airport security in the US since 9/11. We are spending billions of dollars to try to defend every airplane against all potential hijackers. And, as numerous incidents have shown, there are always weaknesses in the system. A terrorist individual or group has to find only one vulnerability that he or she can successfully exploit to cause serious trouble. Or, these attackers can attack somewhere else where we are not defending at all. Fortunately, games are much more constrained systems than national defense. However, they do both face highly motivated adversaries. Game developers and publishers have much more control than Homeland Security does over the systems that hackers want to attack. Security Principle 3: Make your adversary work a lot harder than you. Defensive methods should be chosen for their low cost and coverage of a wide range of threats. For game cheating, the most common strategy is to include some sort of “cheat detection” tool with the game. The major anti-cheating products in the industry are Blizzard’s Warden, Valve’s VAC, Even Balance’s PunkBuster, nProtect’s GameGuard, and AhnLab’s HackShield. They are all signature-based systems, similar to anti-virus products that use signatures of the individual versions of malicious software to detect attacks. The cost of this system is that it must be constantly updated5 to keep up with the latest cheats and, just as the security industry has found with viruses, hackers are very good at attacking anti-virus tools directly as well as hiding themselves from the anti-virus tools and altering their malicious software’s signatures6. While the work of creating and distributing an individual signature is not significant, there is a fair amount of effort to find hacks, understand them, and build a reasonably stable signature. It is worth noting that this strategy for detecting hacks depends on cheats being widely used. If there are only a couple of cheaters using a specific technique, the security surveillance system will be unlikely to detect the attack. This is becoming increasingly true for traditional malware, which is now targeted at specific companies or individuals as opposed to the world as a whole 7.

Chapter 2 Thinking Game Protection

17

In MMOs, professional gold farmers are motivated to develop and use internal or limited distribution tools instead of mass-market products. This is also true for the online casino industry: If you have a real, effective cheat that makes you a lot of money, you are not going to sell it to anyone. Once cheating or hacking is a business and not just vandalism, there is no reason to broadcast attacks. One of the real reasons that encryption is such a popular security tool is that it is cheap and easy to implement—whether it is effective or not is a different matter. The most effective security strategy, for games (and anyone else), is to change the system so that there is nothing that can be exploited. You are probably lost if you are constantly hunting for hackers.

P ROCESS , T ESTING , T OOLS ,

AND

T ECHNIQUES

Although “thinking right” about security up front will get you a long way, there are useful tools and tactics to complete the job. Penetration testing gets a lot of visibility as a key security strategy. Penetration testers attempt to break in to a system from the outside, just like an attacker. When they succeed, it is impressive and compelling (if a bit late in the development process). There are three weaknesses to penetration testing: Many of the “revealed” security weaknesses are generic operating system and common application vulnerabilities. This is not to minimize their impact, but there are cheaper and easier ways to find these problems earlier in the development process. Penetration testing is often very time-constrained. As such, penetration testers do not have time to become familiar with the target and so go for the easy, generic attacks. The most damaging flaws are often in the target’s unique business application (or, in this case, game) environment. Finally, you cannot test either security or quality into a system. They need to be built in from the beginning. My preferred security analysis and testing strategy is to run in parallel to development: from concept through implementation and deployment. This has substantial advantages. Design errors can be addressed when they are still just PowerPoint slides and Word documents. Because the security analysis team has full access to the design and code, it is much better able to focus on proactively finding real problems at the source before they get out of control and expensive to correct. Again, security resources are very scarce compared to those of the attackers.

18

Protecting Games: A Security Handbook for Game Developers and Publishers

Although a hacker may need to reverse-engineer your system to attack it, he may also be a former team member or have “dumpster dived” to collect your documentation or even downloaded the source code from your server. There is no benefit to forcing your security team to emulate this phase of the attack. If your only defense is that the hacker does not know your system design, you are dependent on “security by obscurity” as your sole security barrier—and you are in deep trouble. Good security testing tools should be a standard part of the toolbox of every developer and system and network administrator. Similarly, there are numerous software quality and security testing tools that can help avoid memory leaks and other common coding errors. One of the real challenges for security in games and other applications is that you need to build protection in during the development process, but its benefits do not appear until the product or service is operational. This causes a number of annoying, but real, problems. The biggest problem is that most organizations separate their development and operations budgets. Features like protection against attack that are hard to measure during development are easy to drop: They have no consequence until the development team has been paid and moved on to another project. Another issue is that many security failures are largely silent. When your house is robbed or car is stolen, you tend to notice it rather quickly. Code theft, identity theft, and unsecured servers may never be noticed. It is important to build “security instrumentation” into your system to help make both known and potential threats visible. It may be possible at an early stage to at least detect problems that you may not be willing or able to prevent at that time. This will give your live team and operations staff the tools they need to identify and fix the problem later. There has been a rise in active measures to fight hackers, pirates, and cheaters— both within the game industry and outside it. Services like MediaDefender, which actively seeds peer-to-peer networks to disrupt and locate music pirates, can sometimes create more problems than they are worth. The StarForce anti-piracy saga8 and the Sony BMG Rootkit case have become cautionary examples and created objections to almost any form of anti-piracy technology. Even Blizzard’s Warden anti-cheating tool has raised privacy concerns (see Chapter 34). Some of these methods can be quite effective. However, if you are going to implement them, you should consider possible consequences. Some of these tools can cause problems directly, as when MediaDefender targeted a legitimate P2P distribution service9, and some can cause indirect problems. For example, Sony BMG’s Rootkit was used to attack World of Warcraft. The decision to use these active strategies should be made at a senior level. After all, at some point, you may have to defend your active measures strategy to the public in The Washington Post.

Chapter 2 Thinking Game Protection

19

S ECOND G RADER S ECURITY Many people confuse complexity with security. One of the disdainful comments regularly used by those in the security field is “security by obscurity”: the notion that if you make something sufficiently complicated, surely it will be too difficult for an adversary to unravel. This is rarely the case. Usually, the result is that the system is so complicated that it cannot be maintained: Your own team does not understand the system and there are often obscure parts of the design that make it more vulnerable to attack. Or, even more likely, your maintenance staff will come along and “clean up” the design so that they can support it—and completely undermine your “obscurity” efforts. Probably the most important design principle that I learned at NSA was to focus on clean, clear design. Good system engineering and good security engineering go hand-in-hand. Ugly, complicated designs are rarely secure. Any security weaknesses in a well-architected system will stand out like a sore thumb, and usually be reasonably easy to fix. This leads to my next security principle: Security Principle 4: If it’s not simple, it’s not secure. Or, if you can’t explain it to your manager (or a second grader) on one PowerPoint slide, it probably isn’t secure. There are computer scientists and mathematicians who look for ways to “prove” security. They use complicated symbolic languages and systems to create security theorems and then prove them. Fascinating stuff. These techniques are great for PhD candidates and academics, but, I’m fairly confident, totally irrelevant in the real world. Why do I doubt this? Let me briefly don my tattered, ancient mathematical credentials… If you’ve heard of Gödel’s Theorem, made familiar outside of the circles of academia by Douglas Hofstadter’s widely owned but rarely completely read Gödel, Escher, Bach: an Eternal Golden Braid 10, you may recall that Gödel proved the Incompleteness Theorem11. This important work of mathematical logic states that, in short, for any sufficiently complicated system, you can neither prove nor disprove every theorem about it. Gödel also proved undecidability (whether you can decide if something is true or not), and Alan Turing disproved computability. The bottom line of these three theorems is that anything that is even slightly complicated cannot be completely understood and therefore, you cannot really know that it is secure.

20

Protecting Games: A Security Handbook for Game Developers and Publishers

In practical terms this means that the only way to make something really secure is to make it “trivially secure”: The hard part of good security design is to make the system simple. This ends my lofty discussions about security and protection; let’s get to work on protecting your games.

R EFERENCES 1. H. Demaio (1992), Information Protection and Other Unnatural Acts: Every Manager’s Guide to Keeping Vital Computer Data Safe and Sound, Amacom Books, ISBN 0-81445-044-X 2. Cliff Stoll (1990), The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage, PocketBooks, ISBN 0-7434-1146-3 3. Wikipedia, “Statistical Independence,” http://en.wikipedia.org/wiki/Statistical_independence 4. D. Sengupta (2007), “It’s Virtual World Out There, All for Hard Moolah,” http://infotech.indiatimes.com/ Its_virtual_world_out_there_all_for_hard_moolah/articleshow/1388388.cms 5. A. Modine (2007), “World of Warcraft Spykit Gets Encrypted,” http://www.theregister.co.uk/2007/11/15/world_of_warcraft_warden_encryption/ 6. R. Lemos (2005), “World of Warcraft Hackers Using Sony BMG Rootkit,” http://www.securityfocus.com/ brief/34 7. S. Gaudin (2005), “Targeted Virus Attacks Replace Sweeping Assaults,” http://www.esecurityplanet.com/ trends/article.php/3554046 8. A. Varney (2006), “StarForce Must Die,” http://www.escapistmagazine.com/articles/view/issues/issue_72/414-StarForce-Must-Die 9. R. Paul (2008), “Revision3 CEO: Blackout Caused by MediaDefender Attack,” http://arstechnica.com/news.ars/post/20080529-revision3-ceo-blackout-caused-by-mediadefenderattack.html 10. D. Hofstadter (1999), Gödel, Escher, Bach: an Eternal Golden Braid, Basic Books, ISBN 978-046502-656-2 11. Wikipedia (2008), “Gödel’s Incompleteness Theorems,” http://en.wikipedia.org/wiki/Incompleteness_theorem

Part

II

Piracy and Used Games

In this part, you’ll find the following topics: Chapter 3, “Overview of Piracy and Used Games” Chapter 4, “The State of Piracy and Anti-Piracy” Chapter 5, “Distribution Piracy” Chapter 6, “DRM, Licensing, Policies, and Region Coding” Chapter 7, “Console Piracy, Used Games, and Pricing” Chapter 8, “Server Piracy” Chapter 9, “Other Strategies, Tactics, and Thoughts” Chapter 10, “Anti-Piracy Bill of Rights” Chapter 11, “The Piracy Tipping Point”

21

3

Overview of Piracy and Used Games

roadband communications and the Internet have transformed piracy from a garage sale nuisance and shady street vendors selling games from the back of a van into a pervasive problem. Virtually any digital media is only a quick Google search and click away online. Of course, the real questions for any business are how much money is this costing and what can one do about it?

B

Piracy is theft. Some may quibble about “software piracy” being copyright infringement; however, the bottom line is that when people don’t pay for a commercial good or service, they are stealing (at least from the seller’s perspective). Open source advocates claim “software wants to be free.” Software does not want to be free. Freeloaders want free software. But, it is also worth looking at other industries where sales revenue is lost. Not just to unauthorized copies, but also to used goods where creators do not earn revenue from the secondary sales. Movies, books, and music have always had some market for used products, but the growth of console games has created a massive used game retail market (PC games are rarely sold used). In the next several chapters, I discuss the various aspects of the piracy problem and used games—the traditional techniques that have been used to fight piracy, and some alternative strategies. Additionally, I address legitimate consumer concerns about anti-piracy measures.

22

4

The State of Piracy and Anti-Piracy

he first questions that should be asked about piracy are “how bad is it?” and “whom does it affect?” There are two completely different ways to measure piracy. The first is based on the estimated number of pirated copies of a game or other work and what those items would cost at retail. This seems to be the preferred model used by the U.S. Business Software Alliance (BSA) and Entertainment Software Association (ESA). These numbers are quite suspect on a number of counts. The second approach is to measure how many actual sales are lost. After all, many people will use something if it is available for free, but have no interest in buying the item.

T

The nature of digital piracy makes it quite difficult to estimate the size of the problem. Downloading files and duplicating disks do not leave easy trails for forensic investigators. An article about casual game piracy claimed a piracy rate of around 92 percent based on attempted connections to the company’s server 1. At least this number came from an actual measurement. A report by China’s government, whose citizens are often a target of anti-piracy rhetoric, noted that based on BSA’s estimates, one quarter of the country’s Gross Domestic Product (GDP) would, or rather should, have been spent on software in 20052. The BSA is not alone in having difficulty with numbers. The Royal Canadian Mounted Police seemingly made up its estimate of 10 to 30 billion Canadian dollars in piracy—a number that apparently went from a bullet on a PowerPoint slide into national policy 3. Australia has moved to challenge a report by copyright holders on the damage from piracy, stating that the numbers needed to be substantiated, especially as they were being used to justify increasingly harsh civil and criminal penalties4.

23

24

Protecting Games: A Security Handbook for Game Developers and Publishers

D ETERMINING

THE

S COPE

OF

P IRACY

Even if we do accept these high piracy rates, the real question for business is how many of those customers would actually have purchased the item. After all, the marginal cost of producing digital items for the publisher is very low, so the sunk material and production costs are often not a major issue. Typically, therefore, there is no real cost to the publisher from these pirates. This is not always the case, as SiN Episode 1, a downloaded game that was distributed via Valve’s Steam service, found when they were overwhelmed with customer support requests by irate “customers” who hadn’t actually purchased the game5! Companies that operate a free online game play service, like Blizzard’s Battle.Net or ArenaNet’s Guild Wars, need to be especially concerned about piracy, because the way they subsidize the online service is through product sales. Several years ago, it was not unusual for Blizzard to announce bans of hundreds of thousands of CD keys, many of them because the game copies were pirated6. Specifically, the players were using counterfeit keys to register the games with the Battle.Net service. One of the powerful advantages of a service like Battle.Net is that it provides information on numbers of pirates (or, at least, unauthorized registration attempts) as well as numbers of legitimate players. It also provides an incentive for players to convert from an illegal copy to a legal one so that they can participate in the online service. Finally, the service provides a means to compare actual sales (and royalties) with numbers of registered players to estimate the success of counterfeit CD key piracy. It might even be able to measure how many pirates purchase legitimate copies once caught. In general, there are few good methods to determine how many pirate game users would actually buy a game. However, the stereotype of gamers (and game pirates) as young and poor is no longer true. Game demographics have shifted to older players who are generally less likely to pirate games. This would seem to imply that sales lost from pirates isn’t significant—older players are likely to buy legitimate copies and younger players would never purchase the game at all. Brad Wardell of Stardock has been quoted7 as saying that game developers need to focus on the actual population of paying customers: “When you make a game for a target market, you have to look at how many people will actually buy your game combined with how much it will cost to make a game for that target market. What good is a large number of users if they’re not going to buy your game? And what good is a market where the minimal commitment to make a game for it is $10 million if the target audience isn’t likely to pay for the game?”

Chapter 4 The State of Piracy and Anti-Piracy

25

“If the target demographic for your game is full of pirates who won’t buy your game, then why support them? That’s one of the things I have a hard time understanding. It’s irrelevant how many people will play your game (if you’re in the business of selling games that is). It’s only relevant how many people are likely to buy your game.” The computer game industry has adopted four major strategies to address piracy: Console-based games Digital rights management/license management Online gaming Prosecutions The dominant anti-piracy strategy by the computer game industry has been to focus game development towards game consoles. (As a side note, the film industry’s move towards Blu-ray from DVD would seem to be an attempt to follow suit.) The general argument has been that control over game hardware will prevent piracy. In fact, the move to consoles has not really stopped piracy and, potentially even worse, it has essentially created the used game market. Used games are a totally legal way for customers to buy games. They provide no revenues to the publisher or developer and may even cost sales of new games by giving wavering customers a chance to “wait a bit” and buy a game for less. (There are some counterarguments, however. The fact that consumers know that they can resell a game means that they may purchase a $50 game knowing that they can sell it for $10 or $20, meaning the effective cost is $30 or $40.) Console piracy is rampant in Asia with modified consoles often publicly sold for a modest $50 premium above a legitimate console8. Nintendo’s very popular DS handheld console has been facing increasing problems from the R4 cartridge9. These console hacks allow players to download games for free or purchase them on the black market for only a couple of dollars. The game industry has not abandoned PC games, but they have stepped up their use of increasingly draconian licensing tools. One product, StarForce, became so unpopular due to its modification of drivers, that popular pressure forced publishers to abandon the tool10. In the music industry, Sony BMG earned the ire of music fans and lawsuits with its secret, automatic installation of a rootkit program when certain music CDs were played on computers11. More recently, several publishers have substantially loosened installation and registration requirements for their games after widespread objections in game blogs and online communities 12.

26

Protecting Games: A Security Handbook for Game Developers and Publishers

Simple economics and widespread piracy of traditional computer games and other software drove game developers in Korea and China to focus on online games. Particularly in Korea, the government’s focus on developing a world-leading telecommunications infrastructure opened the door for sophisticated games played on a server rather than sold at retail. Games operating as a service are inherently more difficult to pirate. Stealing a copy of the player client software is not enough; a pirate server must be set up, operated, and maintained. This makes the pirate server operation much more vulnerable to being detected, located, and shut down by law enforcement. It is worth noting that any break-even analysis should probably be done when the game is “green lighted” and the developer makes an initial estimation of expected sales. The question should perhaps be asked—if this game had an additional $2 million to spend, how could it best increase sales to compensate for the estimated “anti-piracy” expenses? Other security options may make sense and should be considered. After all, the only additional revenues are going to come from additional sales. The Entertainment Software Association, the trade group for most U.S. computer game publishers, claimed that piracy cost the industry $3 billion in sales a year13. They have worked to strengthen penalties and pushed law enforcement to actively pursue individuals and organizations involved in software piracy. When I reviewed ESA’s announcements related to piracy in October, 2006, I found that in the previous 12 months, the ESA and U.S. and Canadian governments had imposed total fines of $36 million and pursued four major cases. This is just over one percent of their own estimates of the pirate market14. Since there has been no claimed reduction in piracy, there should be a question as to whether these prosecutions deter would-be pirates at all.

HOW MUCH IS ANTI-PIRACY WORTH? Piracy is a real problem. It potentially costs the game industry billions of dollars worldwide each year. We can’t wish piracy away, so it seems our only alternative is some sort of anti-piracy product. Just as with our analysis of piracy, we need to consider how much anti-piracy is worth. Should we ignore piracy or fight it? For example, let’s assume that we are developing a traditional PC game. We choose an anti-piracy software provider that has an upfront licensing fee of $100,000 and a royalty of 4 percent per copy sold (of the game’s retail price). Then our actual upfront costs are: Total Upfront Anti-Piracy Costs = $100,000 + Integration Costs

Chapter 4 The State of Piracy and Anti-Piracy

27

Vendors everywhere assert their products have no integration cost. Sometimes, this is true, but usually, there is a cost for integrating any piece of software. At the very least, you need to test it to make sure that the new software doesn’t break your old software. In our example, we’ll say these costs are zero, just as the vendor promised. Let’s assume the game sells for the fairly standard price of $50 and our revenue per copy is $20 (after packaging, marketing, revenues for the retailer, and so on). Then, our net revenue is: Net Revenue = $20 (profit) – $50(.04) ($2 anti-piracy royalty) = $18 However, we may lose some sales because of the anti-piracy tool we use and also incur some additional customer service costs to handle complaints and such. Once again we’ll make a simple assumption that this costs us 2 percent of sales. With a game that sells a respectable 1 million copies, without anti-piracy we’d see: No Anti-Piracy Revenues = $1 million x $20 = $20 Million With Anti-Piracy, our revenues are: Net Anti-Piracy Revenues = $1 million x (98 percent customer base) x $18 – $100,000 = $17,540,000 It is obvious that I am giving no credit for additional sales for the anti-piracy solution. So, how many more sales do we need to earn to break even and recover the costs of our anti-piracy product? The additional profit we need to make up, just to break even is $2,460,000. Increased Anti-Piracy Sales = $2,460,000/$18 = 136,667 additional units Or, around a 14 percent increase in sales is required to compensate for the costs of the anti-piracy product. Suppose, instead, the anti-piracy product had no up-front fee and didn’t cost any sales, incur any customer support issues, or otherwise make life difficult (for the customers or us as the game’s publisher). Our break-even additional revenue number would be $2 million and 111,111 additional sales, just to cover those royalties. The upfront licensing cost has negligible impact on the price; the key driver is royalties. This is simply a break-even analysis. There is inherent risk adding any software or expense to a product. In order to rate the anti-piracy product a success, any publisher should include a margin of error for expected additional sales of perhaps 200,000 or 20 percent.

28

Protecting Games: A Security Handbook for Game Developers and Publishers

Peer-to-peer piracy is an even harder problem, because there is really no criminal enterprise to target. There are just individuals looking for a free game or song or movie. The main business advantage of using prosecutions as an anti-piracy strategy is that private companies can push the costs onto governments (and taxpayers). However, this works only if piracy is actually reduced.

T RUSTED B RAND S ECURITY : N INTENDO

AND

ADV

There is one kind of piracy protection you can’t buy: the trust of your customers. For many years, Nintendo has cultivated a close relationship with its customers. Game players in Japan, the US, and Europe have invested years and years of affection for characters like Mario and are quite fond of their Game Boy and NES consoles. Nintendo works to have a great relationship with its customers. For example, there have been a number of recent anecdotes in which players had problems with their Wii game consoles, contacted Nintendo, and a replacement was rapidly shipped at no cost and with no questions asked. The power of Nintendo’s brand is such that for many years instead of a piracy problem, Nintendo had to deal with counterfeiting. Criminals would create pirated copies of Nintendo game cartridges and try to pass them off as legitimate ones for sale. Nintendo’s piracy resources were focused on education: to protect consumers by educating them on how to identify counterfeit games. The recent, explosive popularity of both the Nintendo DS handheld and Wii game consoles has created a new problem for Nintendo. As the company has expanded from its long-term, long-established customers in the core markets of Japan, the US, and Europe, Nintendo is beginning to face typical piracy problems. These new customers do not have any real loyalty to the Nintendo brand and are much more willing to use tools such as the R4 Data Cartridge (see Chapter 7). This product allows players to download games from the Internet and use them for free instead of purchasing legitimate game cartridges. In 2008, Nintendo is probably the most aggressive and public opponent of piracy of all the console manufacturers and has gone from tolerating tools like R4 to actively fighting them15. Nintendo is not the only company in the entertainment industry to build this kind of brand loyalty. ADV Films, an importer and publisher of Japanese anime (animated films) in the US, has also built strong ties with its customers. ADV has faced the difficult challenge of dealing with the cost of localization (translation into English) of the large number of anime films and TV series. The company cannot afford to translate every anime film or show. Instead it supports independent localization by passionate anime fans through its online community, even when ADV has rights to the product. However, once ADV Films does create the official

Chapter 4 The State of Piracy and Anti-Piracy

29

translation of a product, the community voluntarily abandons the unauthorized copies. U.S. anime fans know that they need to support ADV to ensure access to great products and work to protect the company16. The U.S. anime fan community and ADV have recognized that they need each other.

A NTI -P IRACY I NNOVATORS : N INE I NCH N AILS

AND

D ISNEY

There have been several attempts to fight media piracy by using voluntary payments and hoping for volume sales. Stephen King launched The Plant as a serialized book in 2000. Although he initially met his financial objective of 75 percent payers vs. downloaders (paying $1 for each part), the numbers dropped off. After six parts were released, the project seems to have been abandoned with the last release in December of 2000 (starting with the fourth installment, there was a price increase to $2, the payer rate dropped to 46 percent, and there were substantially fewer downloads)17. The band Radiohead released a low-bandwidth, MP3 version of their album “In Rainbows” for free in October 2007 with the downloader having the opportunity to “pay what they want,” only to abandon the strategy by April of 200818. One band, Nine Inch Nails, seems to have found a way around the problem with a strategy that could be duplicated by any game, music, or movie publisher. Nine Inch Nails basically created a wide range of versions of their products priced for different portions of their audience for their album “Ghosts I-IV.” Nine Inch Nails gave away “Ghosts I” for free, had a $5 download version of the entire album, a $10 double CD set, a $75 deluxe edition, and a $300 Ultra Deluxe Limited Edition set19. This last version was limited to 2,500 copies and sold out in three days— earning the band $750,000 and, even after paying for all of the “goodies” (which probably cost $10 to $20 to produce), no doubt yielded a substantial profit. China is notorious for having severe problems with piracy and counterfeit goods. However, the billions of potential customers are irresistible to companies around the world—including Disney. In 2006, Disney launched a promotion where they offered customers who bought Disney products the opportunity to enter to win a number of prizes ranging from a DVD to a trip to Hong Kong. All the customers had to do to enter the contest was mail the official Disney holographic seal that was included on every official Disney product20. This is a brilliant anti-piracy tactic. Customers are turned from pirate accomplices to detectives. First, they are going to check to see that items are legitimate and, second, any good fake holographs will get sent in to Disney to be used to help hunt down counterfeiters and the stores that carry their products. Entertainment companies could easily use variations on this strategy to battle pirates, counterfeiters, and even used games.

30

Protecting Games: A Security Handbook for Game Developers and Publishers

G OING F ORWARD Based on industry rhetoric, piracy is certainly a serious concern for the traditional console and PC game industry. There are real questions about whether game companies seriously consider piracy during their business and product planning process. I have talked to a number of security companies with various anti-piracy solutions and they typically get a courteous hearing from publishers, but no real business, not even a pilot project. If asked for advice, I recommend that anti-piracy companies look at other markets. Using your brand to fight piracy is an amazingly powerful tactic and can be quite effective. Iconic companies like Apple can charge a premium price for their products in the market and maintain almost fanatical loyalty among their customers. This does require a long-term, strategic investment in building superior products and powerful, supporting marketing. A brand-building tool that can also support anti-piracy is a compelling online service, a topic that I will be revisiting later. Promotions and premium versions are powerful and underused anti-piracy tools in the game industry. Even better, they are funded out of the marketing budget, not the (typically paltry) security budget. Selling concept art and model sculptures, giving away vacations and game libraries, and creating “frequent player cards” are all standard marketing techniques that can also have wonderful collateral antipiracy benefits if used carefully.

Chapter 4 The State of Piracy and Anti-Piracy

31

R EFERENCES 1. R. Carrol (2008), “Casual Games and Piracy: The Truth,” http://www.gamasutra.com/php-bin/news_index.php?story=17350 2. W. Xing (2008), “Piracy Debate,” http://www.chinadaily.com.cn/bw/2008-06/09/content_6746151.htm 3. S. Davis (2007), “Piracy—Fact, Fiction, and Future,” http://www.playnoevil.com/serendipity/index.php?/archives/1674-Piracy-Fact,-Fiction,-and-Future.html 4. S. Hayes (2006), “Piracy Stats Don’t Add Up,” http://www.australianit.news.com.au/story/0,24897,20713160-15306,00.html 5. brownlee (2006), “Pirates to Buyers Ratio for SiN Episode 1? 5:1,” http://kotaku.com/gaming/piracy/ pirates-to-buyers-ratio-for-sin-episode-1-51-190178.php 6. Blizzard (2004), “StarCraft and Warcraft III Accounts Closed,” http://www.battle.net/news/0403.shtml 7. K. Gillen (2008), Wardell: “Piracy Is Not the Primary Issue,” http://www.rockpapershotgun.com/2008/03/12/wardell-piracy-is-not-the-primary-issue/ 8. Cho J. (2008), “Nintendo Wii Ready for Korea Debut,” http://www.koreatimes.co.kr/www/news/biz/biz_view.asp?newsIdx=20735&categoryCode=123 9. C. Ciabai (2008), “Nintendo Starts Epic Battle Against R4 Piracy—The Fight Is On!,” http://news.softpedia.com/news/Nintendo-Starts-Epic-Battle-Against-R4-Piracy-90953.shtml 10. A. Varney (2006), “StarForce Must Die,” http://www.escapistmagazine.com/articles/view/issues/issue_72/414-StarForce-Must-Die 11. EFF (2005-6), “Sony BMG Litigation Info,” http://www.eff.org/cases/sony-bmg-litigation-info 12. Polybren (2008), “Mass Effect, Spore DRM Loosened,” http://www.gamespot.com/news/show_blog_entry.php?topic_id=26385172 13. ESA (2007), “Video Game Industry Applauds Game Pirate’s Sentence,” http://www.theesa.com/newsroom/release_archives_detail.asp?releaseID=20 14. S. Davis (2006), “Modchip Manufacturer Fined $9 Million—Only 332 More Pirates to Go!,” http://playnoevil.com/serendipity/index.php?/archives/846-Mod-Chip-Manufacturer-Fined-9-MillionOnly-332-More-Pirates-to-Go!.html 15. Nintendo (2008), “Nintendo Anti-Piracy,” http://ap.nintendo.com/index.jsp 16. D. Roth (2005), “It’s... Profitmón!,” http://money.cnn.com/magazines/fortune/fortune_archive/2005/12/12/8363101/index.htm 17. Wikipedia (2008), “The Plant,” http://en.wikipedia.org/wiki/The_Plant 18. G. Sandoval (2008), “Radiohead Won’t Repeat ‘In Rainbows’ Giveaway,” http://news.cnet.com/8301-10784_3-9932361-7.html 19. Nine Inch Nails (2008), “Ghosts—Order Options,” http://ghosts.nin.com/main/order_options 20. G. Fowler (2006), “Disney Fires a Broadside at Pirates,” http://www.chinadaily.com.cn/world/2006-05/31/content_605106.htm

5

Distribution Piracy

ntil the recent rise of digital distribution, games were available via CDs, DVDs, floppy disks, and proprietary game cartridges. Blank media that can be purchased for pennies, while good for game publishers, also makes piracy economically viable and trivial to implement. There are three ways to fight content duplication:

U

Prevent duplication Detect duplication Use a key that is difficult to duplicate or ignore

P REVENTING D UPLICATION Preventing duplication has become a bigger challenge as games have moved to standard physical media and digital distribution. Originally, many games used proprietary distribution technologies (game cartridges) for a number of reasons, including fighting piracy. The only major game platforms that still use proprietary distribution systems are handheld game consoles. The game cartridge from the Nintendo DS and Sony’s PlayStation Portable (PSP) UMD disk are probably the last generation of proprietary physical media. One important factor is cost. The cost of data storage has plummeted even faster than improvements in processing power and graphics. When storage was expensive, it made sense for game companies to have their own proprietary systems, especially because this had a collateral anti-piracy benefit. Pirates had to basically operate a factory to make counterfeit game cartridges. Widespread, modern outsourced, and low-cost manufacturing effectively eliminates the last vestiges of anti-piracy benefit from using proprietary media.

32

Chapter 5 Distribution Piracy

33

Other anti-piracy techniques take advantage of the way media is physically duplicated to prevent making a useful copy. Videotape protection systems work on this principle. For digital media, there have been several anti-duplication techniques that work by modifying the master CD or DVD during the production process. Other approaches stretch the CD and DVD standards in unconventional ways such as manipulating low-level indexes and offsets to hide portions of the media from standard duplication techniques. The problem with this tactic is that not every product implements all portions of the standard specification the same way, resulting in unpredictable disk failures and customer complaints.

D ETECTING D UPLICATION If you can’t protect the distribution media itself, another approach is to protect the data and detect duplication. The simplest way to do this is to simply label the data as “do not duplicate” so that standard media players will not read or process the data. The regional encoding system used for DVDs that prevents disks formatted for different parts of the world from being played in players for other regions is the most familiar example1. Ironically, some early Sony PlayStation 2s ignored regional coding information for DVDs—a problem that was quickly corrected once it was identified. The most notorious anti-piracy product in the game industry, Starforce, used this strategy (among others). It actually modified the low-level software (drivers) for PC DVD players to detect whether a disk was “Starforce protected.” Although this detected some piracy attempts, it also caused problems for other legitimate applications. The most recent example of this approach came to light through a successful attack on Microsoft’s Xbox 360 console. The Xbox 360 uses standard DVDs for distributing games. DVDs include low-level information that describes the content on the disk so that it can be handled by the appropriate application software in the console. Disks are labeled as music CDs, movie DVDs, rewriteable DVDs, and Xbox 360 game disks. Microsoft has always used digital signatures on Xbox 360 game files to prevent their modification. However, the low-level disk label is not protected. The label is part of the DVD media specification, and Microsoft wanted to use standard DVD players in its console to reduce cost. Hackers took advantage of the ability to update the firmware that is available in most commercial DVD drives. This feature is included for maintainability and to support legitimate updates from the drive vendor. Unfortunately, hackers used this capability to replace the standard firmware with a modified version that reported to

34

Protecting Games: A Security Handbook for Game Developers and Publishers

the game console that disks labeled as rewriteable DVDs were instead reported as Xbox 360 game disks2. This hack has been widely used in Asia and is essentially impossible for the console itself to detect3 (something that can be addressed by a service like Xbox Live, which is discussed in the section entitled “Rich Interaction Systems” in Chapter 9). The power of duplication technologies and cheap mass storage has driven game publishers towards other approaches, particularly in the PC market. All of the things that make a PC useful also make it a powerful tool for piracy—lots of processing power and storage, full access and control of the hardware, and powerful and cheap programming and analytic tools.

C OLLECTABLES , F EELIES ,

AND

O THER S TUFF

If you can’t protect the game media, then you need to find something else that you can protect and tie the operation of the game to it. One of the earliest applications of this strategy was Infocom’s “feelies”4. In the 1970s and 1980s, Infocom produced adventure games that were quite popular. There was no widespread Internet access or even common use of modems, so the local game had to be able to detect if the copy was legitimate. Infocom’s innovative approach was to ship the game with various physical items that were hard to duplicate, yet played an important part in the game and the game experience. Customers valued maps, manuals, decoder rings, and other items that were often tied into game play, and, most importantly, were difficult to duplicate. For a while, game companies went a bit crazy with this approach. Games would require players to type information from game documentation into the application to start or continue play and, at its extreme, players were forced to transcribe entire paragraphs of the manual letter-perfect. In some sense, the rise of collector’s editions today harkens back to this earlier era, but many publishers seem to have forgotten the anti-piracy benefits of physical, tangible items.

D ISK

AS

K EY

Although the CD key is the subject of many complaints today, its early rise was an antidote to the inconvenience and cost of using feelies for authentication. Instead of regurgitating game documentation, players simply had to keep the disk in the computer while they were playing. Initially, the CD was needed because hard drives were too small and expensive to store entire games.

Chapter 5 Distribution Piracy

35

Today, the game installation process still doesn’t install everything from the DVD onto the hard disk. A portion of the game software, or even just a bit of data, is left behind on the DVD and is checked or loaded from the disk when the game is executed. This has become the de facto standard anti-piracy approach for PC games: combining the disk key with some sort of physical or software anti-duplication technology. The rise of the Internet has allowed the creation of another variant of this tactic where the withheld data or code is downloaded in real time from an online server (see the section called “Online Authorization” that follows). Once hard drives got big enough and cheap enough, players didn’t want to have to haul game disks around. After all, if the entire game can be easily stored on the hard drive, who needs a disk? Also, if a player owns 10 or 20 games, she has to keep track of where they all are when she wants to play. Or, even worse, if the customer plays her games on a laptop, the idea of carrying around even a single disk, much less a disk for every game, is very unappealing. Hackers have come up with programs that convince the game that the disk is present or alter the installation process so that items that aren’t supposed to be installed and stored on the hard drive are. These “NO DISK” hacks are terribly popular to this day, even with legitimate, paying customers.

L ICENSE K EYS The license key was developed in parallel with the CD key. This long alphanumeric string allowed the game software to determine whether the user was legitimate or, at least had access to a legitimate game key. License keys have also been used in conjunction with online registration and authentication. A license key is essentially a rather long password and typically works in one of three ways: ID and Checksum Public Key Encryption Online Authorization I discuss each of these methods in the following sections. ID AND CHECKSUM First the key can contain a random ID and checksum. The game program has a mathematical algorithm that the program runs on the random ID portion of the license key to determine whether the computed checksum matches with the checksum provided in the license key.

36

Protecting Games: A Security Handbook for Game Developers and Publishers

The problem with this approach is that hackers often reverse-engineer the process (or game developers are lazy and use a familiar function such as the MD5 standard hash function) and can generate valid license keys on demand. These hack programs are sometimes called, not too cleverly, keygens. This algorithmic process is very tempting for online registration systems because it doesn’t require any storage of keys to validate licenses. Also, distributors and manufacturers can be given the company’s key generation process, which substantially simplifies production: A manufacturer sets up a printer to produce as many license keys as desired. They do not need to coordinate anything with the game publisher, maintain or track how many keys they have produced, store the specific keys that they have produced, or send actual keys back to the publisher to support online registration validation. Also, the game disks are identical, making their production cost low: Generate Random ID Generate Checksum (Random ID) Build License Key = Random ID, Checksum(Random ID)

Verification is also simple: //Checksum algorithm is all that has to be stored in the game software Split License Key into Random ID and Checksum Compute Checksum (Random ID) Compare Computed Checksum with Received Checksum

PUBLIC KEY ENCRYPTION The second license key system replaces the checksum with a public key decryption function (see the glossary). This would appear to stop hackers pretty well. After all, knowledge of the public decryption key does not give access to the secret encryption key: // The game software stores the public key decryption // algorithm and the game’s public key Decrypt License Key with Game Public Key Validate License Key

This just requires hackers to change their tactics. Instead of looking for the checksum algorithm, they simply need to find the stored public key. To complete

Chapter 5 Distribution Piracy

37

the attack, the hacker “finds and replaces” the game public key with one that the hacker has generated. The hacker then uses his own private key to generate whatever license key he wishes. ONLINE AUTHORIZATION The third major approach does not authenticate the key locally, but requires a connection to an online license server operated by the game publisher. In this case, the license key is essentially a password. The game program sends the password to the license server for authentication. Mathematically, the process is identical to the process described for the “ID and Checksum” method, but with the verification carried out at the license server instead of locally: // At some point, the customer enters the license key // into the game application Game Application retrieves License Key Game Application sends License Key to License Server License Server validates License Key License Server sends Validation Message to Game Application Player plays (or not)

The license server can operate just like the local license check, and often does. One advantage of an online license server is that it can detect attempts to reuse license keys on different computers. If the license server stores a list of keys that have been registered, it can reject or take various actions based on a company’s license policy (see the “License Policy” section of Chapter 6). License servers can use two approaches to track keys: a fixed list of issued keys and an algorithmic approach, as described for game application license verification. It is very tempting to use an algorithmic approach to license verification. It requires less storage on the online server and no coordination with whomever is producing the game disks and license keys. The downside of this approach is that it is vulnerable to any exploitation of the key generation process: Once the process is compromised, the license server can only verify the uniqueness of the license keys, not their legitimacy. If, instead, the license server contains a list of all of the license keys that have been legitimately issued, it is much less vulnerable. First, there is no need to create a license key generation algorithm: The keys can simply be stored in bulk. If a key is compromised before it has been issued, it can be removed from the license server list and the company can recover from the compromise or avoid the compromise entirely.

38

Protecting Games: A Security Handbook for Game Developers and Publishers

It is possible for the key producer and license server to use a shared secret key to generate individual license keys. In this case, the two parties share a license generation key (LGK) and a license generation function (license_generator). The license generation function creates license keys based on an index (i) and the LGK: // algorithm to generate the ith license key license(i) = license_generator(LGK,i)

The key producer and license server simply need to exchange the latest index value for the license key that has been generated. The license server can then generate all of the license keys that have been created since the last batch by simply iterating through the new index values: // if last license produced has L and the new last index is N for(i=L+1;i
This has some modest advantages in terms of necessary communications between the license server and the key producer, but does create additional risk in terms of the storage of the license generator key. Developers and publishers can also set up schemes based on the online license registration process to accurately track piracy. Failed license registration attempts do not correspond to individual pirates. Motivated pirates who fail to successfully register a game will likely try and try and try again until they succeed.

WHO OWNS THE PIRACY PROBLEM AND PROTECTING DEVELOPER ROYALTIES I’ve had a number of discussions with game developers about piracy and, in many cases, they basically feel that piracy, and security in general, is the problem of the publisher. This is fine, up to a point. However, developers often earn royalties based on the number of games sold, so they do have a vested interest in good anti-piracy protection. For example, a developer could use license keys as a way to directly audit game sales—if a license key is valid, then, clearly, the developer should earn royalties for that game copy. If license keys are issued in lots or by using an index-based key generation process, the developer can use the highest license key index as a royalty tracking metric.

Chapter 5 Distribution Piracy

S PLITTING

AND

39

K EY S TORAGE

Keys can be used for game activation, validation for operation, or both. A key for activation is essentially used one time to convince the game software that you have a legitimate license key. This can be done locally or with a license server, as described previously. A key for operation is required each time the game application runs. In order to avoid forcing the users to reenter a license key every time a game is executed, the game needs to store the fact that the game has been activated in some manner. The activation key is an obvious target for a pirate. After all, if the activation process can be spoofed (faked out) in some manner, then the entire license and registration process can be ignored. Some games have moved towards using a realtime check with a license server to verify that the game license is valid each time the game runs. This can be very inconvenient for customers who do not have network access (such as on an airplane or soldiers or others in remote locations). In this case, the game application needs to somehow store the fact that it can’t connect to the Internet and still make a license policy decision. A common approach is to keep a counter of how long it’s been since the application has last been able to access the license server or how many times the application has been executed since the application was last able to be validated. This counter is also a great target for pirates. What to do? Unfortunately, this sensitive information (license key, activation status, last valid server authentication, and so on) ultimately has to be stored on the computer with the game application. Encryption has fairly limited efficacy as a tool because the encryption key has to be present in the game application for the sensitive data to be extracted and, if the key is present, it can be attacked. Protecting a license key is, in some sense, a bit easier than protecting other data since it doesn’t change. A diligent hacker will look for changed data and focus on the changes to prepare an attack. Instead of directly storing an encryption key, the game application can use static, but unique, data on the computer to build the key. For example, most PCs have an operating system license key or other information that is stored within the computer’s configuration information (for Windows PCs, this is the Registry). There are other unique data elements that may be used: MAC addresses for Ethernet cards, hard drive IDs, license keys for a number of common applications, even configuration data stored during the application’s installation. Game developers want the information to be platform-unique so that it is more difficult for a pirate to directly copy the installed game onto another computer.

40

Protecting Games: A Security Handbook for Game Developers and Publishers

Once one or more platform-unique, stable identifiers are found, you can protect your sensitive data by splitting it, obfuscating it, or both. SPLITTING DATA Splitting data is quite easy and fairly effective for small amounts of data, such as license keys. Basically, an application developer “adds” the sensitive data to the unique identifier (UID) and stores the sum of the two: // retrieve unique identifier UID = retrieveUniqueIdentifierX; /**Often it is a good idea to perform some sort of operation on the UID to provide a further simple level of indirection and, often more importantly, make the result the right size to work with the sensitive data. For example, a hash function, such as MD5, is used here. If you do use MD5, it is much better to use a keyed MD5 function. */ ModifiedUID = Hash(UID); /** Input the known sensitive data and add the two together (such as with an XOR function).*/ Protected_Sensitive_Data = ModifiedUID XOR SensitiveData // This data is then stored.

If an adversary reads out the stored data, it does not look like the license key or other sensitive data and it is tied to the specific platform. It is worth noting that sometimes unique data is not stable: Ethernet cards get changed, operating systems get updated, and registries get corrupted. To help ensure a smooth user experience, you can replicate this process with multiple items of unique data and perform a majority vote or other process to improve the reliable recovery of the stored sensitive data. OBFUSCATING DATA There are two kinds of obfuscation to protect sensitive information in a program. Code obfuscation protects against reverse engineering and data obfuscation hides data that is stored locally and protects it from manipulation. It is important to note that these solutions are inherently weak—when the program runs, the code needs to execute, so its underlying logic is present and can be read out (at least at the assembly language level). Similarly, at some point in time the program’s sensitive data needs to be read by the program into the processor’s registers so that it can be used.

Chapter 5 Distribution Piracy

41

The typical way to protect data from being read or altered is encryption. This solution is easy to implement using standard libraries. However, encryption is often CPU intensive so it would have an adverse impact on performance. Also, because the key needs to be present, encryption is only as strong as the ability to hide (or, in this case, obscure) the key. Because of these factors, it often makes sense to use a lighter-weight, non-standard function to obscure the data. The goal is to force the attacker to reverse-engineer the program’s code as well as find the key. As long as the function makes the work associated with extracting the data reasonably hard, it is probably good enough (or rather, as good as it gets!). SPLITTING

AND

OBFUSCATING DATA

It is possible, and can be a good idea, to combine the two concepts—you use splitting to protect the key used for data obfuscation: //Extract UID as above ModifiedUID = Hash(UID); // Retrieve stored data split and recover key SensitiveDataKey = ModifiedUID XOR Protected_Sensitive_Data_Key; // Recover sensitive data SensitiveData = Deobfuscate(ObfuscatedD$ata,SensitiveDataKey); // Validate Data

Validation is an important part of the sensitive data-handling process. The game application needs to know if an attacker has altered the data . A very simple option to protect your data is to store a copy of the data unprotected as well as one that is protected. This makes the unprotected data a very tempting target for hackers and, if they are lazy, they might not bother to figure out that there is obfuscation or other protection being used to protect the sensitive data. Another option is to store the sensitive data encrypted with two different keys. However the multiple versions of the data are stored, the game application then simply compares the protected and unprotected copies of the sensitive data. If they don’t match, there is a problem and the program has likely been attacked. If the program has been attacked, it can take actions to defend itself (see the section later in this chapter entitled “Busted Pirate: Now What?”). The final strategy that can be used is to take advantage of the ordinary file that stores a saved version of a game. Sensitive data can be stored directly or in an obscured form along with the saved game. You can strengthen the security of the sensitive data (and the saved game information) by using a keyed hash or cryptographic checksum on the game-saved data. This can work fairly well, as players want to save their game progress.

42

Protecting Games: A Security Handbook for Game Developers and Publishers

B USTED P IRATE : N OW W HAT ? One of the thorny questions with pirates and other troublemakers in games is what to do with the troublemakers once they’ve been caught. Very often, game developers choose to disable the game application or subtly cripple the program in some manner. Techniques can vary widely, and, since developers really, really dislike pirates, the countermeasures are often quite annoying for the pirates. A notable recent case involved the game Titan Quest, where the developers made the game experience miserable and buggy for game applications that detected that they had been pirated5. The game was leaked onto pirate distribution sites shortly after the game’s launch. The hackers broke the game’s primary anti-duplication system in order to make the game work, but had not removed its more subtle piracy-detection features. As a result, the pirates had a terrible game experience. The unintended consequence of this was that many people who downloaded the pirated game started writing very negative reviews and comments on gaming sites. The security system turned out to be a bit too clever. Instead of convincing pirates to either buy the game or uninstall it, the game rapidly earned an undeserved reputation for being buggy, unreliable, and generally crummy. Prompt, decisive action by the anti-piracy system makes it easier for hackers to analyze and eventually circumvent the security system. Although “soft failures” may complicate the removal of the anti-piracy service, they may actually hurt legitimate sales6. This is the central anti-piracy paradox. It is important to remember that individual players of pirated games are potential customers. After all, they did acquire the game somehow and, if nothing else, successful anti-piracy detection confirms that they are playing the game. Ideally, the game developer and publisher should want to drive the player towards a legitimate purchase. The anti-piracy system could activate nagware to encourage the purchase of the game, show ads for other games or products, and, over time, perhaps even offer the game at a discount (if one is an irredeemable optimist, you could look at a pirated game copy as one whose manufacturing, marketing, and distribution costs are zero).

Chapter 5 Distribution Piracy

43

LOCAL STORAGE AND ONLINE GAMES Most online games store all of the data on the server. This has obvious advantages in terms of security. It is possible for online games to use digital signatures and hash functions (or even encryption) to store data on local players’ computers as a backup and recovery strategy. Conceptually, there is no reason that the backup has to correspond to the specific player on the client computer.

R EFERENCES 1. Wikipedia (2008), “Regional Lockout,” http://en.wikipedia.org/wiki/Regional_lockout 2. J. Reimer (2006), “Xbox 360 Hacked, Microsoft Responds,” http://arstechnica.com/news.ars/post/20060323-6445.html 3. S. Carless (2006), “Exclusive: Xbox 360 Piracy Spreading Fast in China,” http://www.gamasutra.com/php-bin/news_index.php?story=10232 4. Wikipedia (2007), “Feelie,” http://en.wikipedia.org/wiki/Feelies 5. M. Fitch (2008), “Venting My Frustrations with PC Game-Dev,” http://www.quartertothree.com/game-talk/showthread.php?t=42663 6. B. Fox (2003), “‘Subversive Code Could Kill Off Software Piracy,” http://www.newscientist.com/article.ns?id=dn4248

6

DRM, Licensing, Policies, and Region Coding

et me begin by clearly declaring my bias—I am not a big fan of Digital Rights Management (DRM). Most DRM systems misunderstand and misuse cryptography. They cause more trouble for legitimate customers than they gain from preventing piracy, if they work at all. I’ve been asked on a number of occasions to recommend DRM systems and my short, flip answer is “Pick the cheapest one that works with your business model; that way you won’t be too disappointed when it fails.”

L

T HE B ASICS

OF

DRM

The full answer is more complicated. Technically, DRM systems are divided into two portions: the protection mechanism and the license policy. The protection mechanism is the technique (or set of techniques) used to identify the item being protected and specify its “rights.” The license policy takes this “rights” identification information and enforces it. In practice, DRM systems are often combined with digital distribution and payment processing systems. For many game developers and publishers, these features may ultimately be much more important than the DRM security tool itself. I’ve been monitoring a number of these companies for several years and it seems that the successful ones have evolved into general-purpose digital media distribution and sales services. The ones that have remained focused purely on DRM seem to fade away.

44

Chapter 6 DRM, Licensing, Policies, and Region Coding

45

The essential problem with DRM is the same problem we face with obfuscation: at some point the protected digital asset has to operate locally on a customer’s computer. This is where it is always attackable because hackers can do any of the following: Disable the DRM system. Convince the DRM system that everything is okay. Modify the DRM system so that it always reports that everything is okay to the main application. Let the DRM system operate but have the main application ignore the security violation. Simply strip the DRM from the main application. To add insult to injury, once a DRM system is compromised, the protected application is compromised permanently. Almost every DRM provider claims that it can recover from a compromise or failure. The DRM system can recover, but the security of the protected application is compromised permanently.

W HY DRM D OESN ’ T W ORK The very same cryptography that effectively protects communications and digitally signs documents fails miserably in enforcing digital rights. The reason cryptography is a powerful tool for security is that it basically turns problems for spies and hackers into problems for PhD mathematicians and lots of supercomputers. This works because standard cryptographic systems involve multiple parties that are engaged in some sort of transaction that they are trying to protect from outside parties. An encryption system uses cryptography and a key to allow communications between “good guys” to be protected from “bad guys” who are outside of the communications network. Encryption systems don’t work if one of the insiders is a bad guy: The bad guy can read or alter the data. I have seen people propose using encryption to protect game high scores. This doesn’t work because the person who wants to cheat is an insider—the player who wants to post an illegitimate high score—and this person can freely alter the data before it is encrypted. Digital signatures can allow the recipient of a piece of data to know that it is from the sender and that it has not been modified in transmission. If the sender sends malicious data, the digital signature process does nothing to distinguish between “good” data and “bad” data, just as with the encryption scenario. The recipient may

46

Protecting Games: A Security Handbook for Game Developers and Publishers

know whom to blame, but that is different from being able to determine that the data is “good.” Conversely, if the recipient wants to use the data even if the digital signature fails, there is nothing to prevent her from doing so. Again, the system fails if the bad guys are the ones creating the signature or if the bad guy is being “forced” to verify the problematic data. Pretty much every DRM system relies on cryptography to enforce its security. Unfortunately, the “bad guy” is the person trying to use the protected application and is definitely an insider (it is his computer, after all). All of these types of attacks can be used despite the presence of encryption or digital signature functions because the problem isn’t a math problem; it’s a hacker problem. Even if, somehow, you could protect the code, there still has to be a key somewhere. If the protected application is digitally signed by some authority, that authority’s public key is present. The simplest attack on digitally authenticated or encrypted data involves replacing that public key with an “evil authority” public key, for which the hacker knows the private key. The hacker can then sign and legitimize any data or license policy. In general, although DRM systems may include cryptography, they are not systems that can be cryptographically secured. There are ways around this problem. Hardware can make it more difficult to find or modify the software or keys. However, the most effective solution is to enmesh the users in a system where external parties verify their legitimacy. I call this a “rich interaction system” in Chapter 9.

T YPES

OF

DRM S YSTEMS

There are numerous DRM products and they work in extremely different ways. Rather than discussing individual DRM solutions, I’ve broken DRM down into a set of major approaches: Any specific product may combine one or more of these techniques. Also, a DRM solution may be combined with one or more of the media and licensing techniques I discussed earlier. FINGERPRINTING

AND

COVERT FINGERPRINTING

With fingerprinting, each copy of a work of digital media has a unique identifier (the fingerprint) embedded within it. Fingerprints are actually placed inside of the media file—modifying it in small, almost undetectable ways that ensure that the fingerprint is present without distorting the base media (usually music or graphical assets). A better term would really be a “tattoo,” as this data is not inherent in the digital media.

Chapter 6 DRM, Licensing, Policies, and Region Coding

47

Fingerprint systems can be attacked in three ways: by modifying the media, so that it is no longer fingerprinted, but still usable; by altering the identifier, so that it can be used with another media player; or by changing the media player, so that it ignores the fingerprint. Like fingerprinting, covert fingerprinting embeds unique identifiers into each individual piece of digital media. With this technology, customer media readers do not process or identify fingerprints. Rather, media distributors or their agents scan widely distributed copies and use the covert fingerprints to determine the source of unauthorized copies. Covert fingerprinting is actually a fairly effective solution for detecting unauthorized copies, especially to detect where a compromise occurred during the production process or during a limited release (to reviewers or external testers). For example, the Academy Awards sends out special DVDs and players to its members during the voting process. By using a covert fingerprint, they could determine if a specific copy of a DVD had been misused and take appropriate action against that member. As discussed in the “Attacking Fingerprints and Watermarks” sidebar, it is important that hackers not have multiple, distinct copies of the media file or they may be able to corrupt the fingerprint and make it much more difficult to track down the culprit. The biggest problem with fingerprint solutions is that they are somewhat expensive. One of the key advantages of license keys is that they are a small, efficient way of making a product unique. Fingerprinting systems have to be constructed carefully so that they don’t disrupt the user’s experience with the protected media—graphics can’t be visibly degraded and sounds can’t be audibly distorted. In addition, most fingerprinting systems require a standard license key or unique user identity to function. WATERMARKING A watermark is very similar to a fingerprint: It is information that has been embedded in all copies of a piece of digital media. The information is either identical for all copies or divided into large categories (the most familiar example is the actual “watermarking” found in paper currency). Watermarks are much easier to produce than fingerprinted systems, because designers have to create fewer distinct versions. As with covert fingerprinting, watermarking is more of a forensic or anticounterfeiting tool than a digital rights security tool—only special devices can read the watermark and determine the authenticity of a copy. Theoretically, watermarks can be used for digital-rights protection; however, the fact that the watermark is common across all copies and that all audience media players will have a copy of the “watermark checker” invites circumvention.

48

Protecting Games: A Security Handbook for Game Developers and Publishers

ATTACKING FINGERPRINTS AND WATERMARKS One of the things that continues to surprise me is how little time security designers spend thinking about how a hacker could attack their systems. The power of fingerprints and watermarks comes from the difficulty in finding them: If they are easy to find, they are easy to remove. They are just bits, after all. So, if you have a basic item of digital media (DM), then you add a fingerprint to it by altering it into fingerprinted digital media (FDM) for each version (i): FDMi = DM + FingerPrint(i); // for each version i

The security designer looks at this and says, “Wow, given that the digital media is big and our changes are small, how in the world could a bad guy find the fingerprint and remove it?” Buy two copies. Hackers are lazy. Why work to find the fingerprint when you don’t have to? So, for the cost or effort of getting two distinct copies of the target digital media (FDM1 and FDM2), they can now attack it pretty easily. Let’s just “add” the copies together. (FDM1 + FDM2)

By using the exclusive or (XOR) function (which basically detects where bits are different), you can find the fingerprints… almost: FDM1 + FDM2 = DM XOR FingerPrint(1) XOR DM XOR FingerPrint(2) =

FingerPrint(1) XOR FingerPrint(2); // the two copies of the digital media (DM) cancel out

You don’t quite have either fingerprint, but you are pretty close. Basically, you know where all the bits are in one fingerprint, but not in both. If you randomly “flip” the bits associated with this combined fingerprint in copy 1 (FDM1) or copy 2 (FDM2), you can hopelessly garble the fingerprint so that it is not readable. Basically, this is like taking sandpaper or acid to your own fingerprints, but much less painful. If necessary, you can buy more copies and run experiments until you have successfully stripped the fingerprint. It is also possible to introduce the fingerprint prior to encoding or compressing the media. This can result in seemingly substantially different outputs. However, if the media can be returned to any sort of standard form, the fingerprint can still be removed or rendered ineffective.

Chapter 6 DRM, Licensing, Policies, and Region Coding

SECURITY LABELS

AND

49

TAGS

Security labels or tags are supplementary tags that are appended to a piece of digital media and may also be bound to the digital media by a digital signature (see the “Digital Signatures” section that follows). Tags are typically used with proprietary encoding and post-processing systems to limit copying or other use of digital media (the regional encoding for DVDs is probably the most familiar example). They can also include simple serial numbers or other identification and use control information. Tags can be easily removed or altered, as they are a distinct portion of a digital media file or stream. They are often clearly identified and explained in the public digital media specification (in contrast to watermarks or fingerprints). Nearly every DRM or other licensing scheme includes some sort of labeling and tagging system. Some developers attempt to conceal this information, but, ultimately, it must be readable by the local digital media player or license policy application, and will eventually be reverse-engineered. Sometimes, security information needs to be altered in the local copy of a piece of digital media. Dynamic security labels or tags are simply labels that can be modified by a local media player or the media itself, if it is an executable program, like a game. The most familiar examples are licensing systems that restrict the number of copies that can be made of a piece of digital media. Other examples that could be potentially more interesting uses of these labeling systems are “buddy” versions of games (where copies are allowed that are tied to a local “master” copy so that friends can play together with only a single, purchased copy of a game), family licenses that allow a set of authorized copies to be built from a single piece of digital media, or affiliate licenses that allow consumers to earn revenue from the individuals to whom they provide a copy of the media. DIGITAL SIGNATURES Digital signatures wrap a piece of media with a tag that includes additional information but is also derived from the media itself. Digital signatures are usually combined with one of the other means of protection. The important attribute of signatures is that a signature verifier cannot also create a valid signature because the system is based on public key cryptography. The problem is, as discussed, that the local public key can be replaced, or the entire signature process can be circumvented. ENCRYPTION Encryption is the use of a cryptographic function in conjunction with a secret key to protect data from being read by anyone without the secret key. The problem with

50

Protecting Games: A Security Handbook for Game Developers and Publishers

protecting digital media is, of course, that the “secret key” somehow has to exist in every copy of the digital media. Technically, this means that from a digital media protection perspective, there is no difference between encryption and proprietary encoding. PROPRIETARY ENCODING Proprietary encoding is the use of a distributor-controlled format for the distribution and a proprietary player that is required to read the digital media. Proprietary encoding can be used in conjunction with other DRM and security techniques. For games, Adobe’s Flash and Shockwave file formats are the most familiar examples. In the traditional PC games and console markets, Epic Software’s Unreal game engine is being used so widely that it may be becoming a de facto standard for the latest generation of games. The practical problems associated with proprietary encoding include the limitations that they impose on artists and distributors for the production and control of media. For example, Adobe’s Flash application, although it is very popular on the web, was not immediately supported by Apple’s iPhone. Other complications include allocating royalties to the owners of the encoding technology. The recent battles between Blu-ray and HD DVD disk formats, royalties on blank disks and tapes, and the battle between VHS and Betamax are all examples where proprietary encoding has created larger business problems. Excepting the iPhone platform, Adobe has largely avoided many of these issues with its proprietary products because of its business model—selling development tools while giving away the media players. The security problem with proprietary encoding schemes is that these schemes are vulnerable to reverse engineering: DeCSS allows DVDs to be read and processed in software by PCs with open source tools. In the hands of pirates, these tools can be used to regenerate the media into any form and format desired. DeCSS showed that the reverse engineering of the DVD proprietary encoding system was not difficult and we are already seeing similar weaknesses in the “next generation” formats: Blu-ray and HD DVD. Virtually every music-related DRM system seems to be regularly hacked and, in most cases, the media can be extracted into a standard format such as an MP3 file (this is not a problem for traditional games that are implemented as custom software). OBFUSCATION Obfuscation (also discussed in Chapter 5) is an anti-reverse engineering technique that protects the underlying media from being easily parsed or edited. Obfuscation is essentially an analog to old physical media security systems. This technique typically relies on very low-level machine language and file specifications to alter a

Chapter 6 DRM, Licensing, Policies, and Region Coding

51

program or data so that it yields the expected result, but the result is computed or stored in a manner that is difficult to understand without extensive reverseengineering. Obfuscators are just that—they obscure information; they don’t encrypt it. In and of itself, obfuscation is not really an anti-piracy technique since a copy of an obfuscated application or media will continue to work as expected. Obfuscation is used with other anti-piracy techniques to attempt to conceal the location, structure, and operation of the overall DRM system. Because of the inherent weaknesses of many DRM systems, the security of the DRM system is actually only as strong as its obfuscation, not the cryptography or other techniques. SPLIT DELIVERY Split delivery is a wonderfully straightforward tool. This technique works by limiting the digital media that is distributed to a person to only the portions that they have paid for (or are available for free). Instead of looking for a clever security technique to disable code, features, levels, or assets that a person hasn’t purchased, you just don’t send the un-purchased material to them. A number of game demos and casual games use this strategy. Many DRM systems also include an online component that operates as discussed in the section addressing license keys (Chapter 5). Digital signature systems, encryption, fingerprinting, and any other system whose security includes the notion of unique identity need to be concerned about the registration problem (see the section called “The Registration Problem and Identity Management Systems” in Chapter 29).

L ICENSE P OLICY The license policy is the most important part of any DRM system. It is the embodiment of a company’s business model. The protection mechanisms are the means to enforce this policy. If the DRM tool doesn’t support the licensing policy that the business needs, it doesn’t matter how effective the protection mechanisms are; the security system will not be effective. When I first started in the security field in the 1980s, one of the major topics was computer security as embodied in “The Orange Book”1. This volume specified a sequence of security grades for computer systems: D, C1, C2, B1, B2, and B3, with A1 being the highest. There were two security policy models included in “The Orange Book”: DAC and MAC. Discretionary Access Control (DAC) is similar to the project-oriented privilege structure that is familiar in UNIX, Windows, and other commercial operating systems. Mandatory Access Control (MAC) is structured

52

Protecting Games: A Security Handbook for Game Developers and Publishers

like the classification system used in the military—Unclassified, Secret, Top Secret, and so on. The DAC security policy was associated with the “lower” security levels of C1 and C2, whereas MAC was associated with the “higher” security levels B1 through A1. Even then, I was puzzled as to why MAC was somehow superior to DAC. These are simply different security policies. Neither is inherently better than the other. Many DRM products continue this flawed model of confusing security mechanism and security policy. Many security developers spend most of their energy on implementing security mechanisms, but they spend little thought on business models, revenue streams, and usability. This hurts the overall effectiveness of many DRM products substantially, as the DRM purchasers are unable to alter the DRM tool’s license policy. These awkward combinations of the digital rights (license policy) models with enforcement mechanisms restrict game providers and publishers from running their business as they see fit. They can only offer the services that their DRM vendor or internal developer chose to implement in the way the DRM provider implemented the services. Even worse, the DRM vendor’s revenue model can force the media publisher to price goods and services in a way that may damage their success in the market. This is lost opportunity as the game industry is in a period of intense innovation in business models and pricing. The system really should be reversed. The license policy design should be the central feature of a DRM system with the appropriate enforcement tools incorporated as needed to support the publisher’s business model. The movie industry’s use of DVD regional encoding has largely functioned as planned—a way for the industry to control release schedules and pricing to support widely different markets —even though it has been technically “broken” by hackers. It works because the business model matched the security technique chosen. The following are some of the options for controlling license policy: Regions/Markets—Just as with DVDs, publishers can control the release and use of different versions of a digital asset based on the market it is being used for. Note: This does require that the digital media player be able to determine which market the player is associated with. User Types—It is possible to categorize users and unlock features based on those categories. For PC games, it may make sense to distinguish between Internet Café PCs and home PCs to determine which sorts of features and configurations the publisher wants to support in each. One could even extend this to individual customers.

Chapter 6 DRM, Licensing, Policies, and Region Coding

53

Platform—Certain platforms or digital asset players may be subject to restrictions. For example, an arcade game machine has a different business model tied to metered play, whereas a console or PC often has a purchase-based model. Installation—The Blu-ray system has the ability to “key out” certain players because they have been compromised or associated with piracy. Digital media can include information to forbid or allow specific players. Also, license systems can restrict the number of reinstallations associated with a given platform, user, or license key. Tiered Distribution—One of the interesting capabilities of game handhelds is the ability to allow players to share a single, licensed copy of a game in order to play together. The subordinate players connect to the main player and download a special, limited version of the game. This could be extended for PC or other console games as a marketing strategy or as part of a peer-to-peer distribution system. Feature Versioning—Licensing systems are well suited to controlling which feature sets are enabled for an application. Just as with many of the licensing options, in some cases it is possible to implement controls directly at a specific media player by only distributing the features that are needed to that platform. This has the advantage of forcing hackers to somehow actually acquire the media that they want, not just figure out how to unlock features that are already present. Validation/Registration/Activation—License policies can control how the digital asset will behave if validation, registration, or activation has not been completed. This is often done to provide a gracefully degrading user experience in case of non-malicious situations (such as Internet access being unavailable for a period of time or, as often happens with new game launches, online license servers being overloaded). Unfortunately, malicious users can sometimes exploit these modes of operation. They force the system into triggering the alternate policy through tactics such as simply disconnecting the computer from the Internet. Live Connection—Certain games require a live connection, often for license control purposes. Timers, Clocks, and Counters—Key parts of many more sophisticated license policies are timers, clocks, and counters that track the status of the various policy restrictions included in this list. Game demos that are restricted to allow a certain number of hours, days, or even minutes of play are the most familiar example. The main challenge for a system that uses these changing attributes is that timers, counters, and clocks are obvious targets for hackers.

54

Protecting Games: A Security Handbook for Game Developers and Publishers

Content—Digital assets, for convenience, may include material that is not always accessible to all customers. One could argue that unlocking levels through game play is an example of this type of control, but game demos also restrict content. Sometimes they do this by requiring additional assets to be distributed and sometimes they unlock the restricted data after payment has been received. There are numerous other license policy areas—parental controls (usage duration, age restrictions, and so on), national censorship requirements (restrictions on violence, language, or sexual content), and payment information. The underlying concept of managing digital rights is not controversial. The critical question and challenge for publishers and developers is to build tools that effectively support their business strategy. The license policy should be the embodiment of the publisher’s business strategy.

R EFERENCES 1. DoD 5200.28-STD (1985), “Trusted Computer System Evaluation Criteria (TCSEC),” http://www.fas.org/irp/nsa/rainbow/std001.htm

7

Console Piracy, Used Games, and Pricing

onsoles can be pirated. There is a huge amount of complaining in the computer games industry about PC game piracy, but console games have always been successfully pirated. Console game piracy has become increasingly serious as game consoles have expanded into mainstream entertainment and new markets. This can be clearly seen by Nintendo’s growing attention to piracy problems1. Products like the R4 cartridge for the Nintendo DS handheld were tolerated for a long time, but these products are now the subject of lawsuits and other restrictive efforts worldwide 2,3. Nintendo is far from alone. The Xbox 360 has had a serious problem with its DVD player since 2006 4 and the Blu-ray disks used in the Sony PlayStation 3 are also being exploited5 (although, so far, not for games).

C

A TTACKING C ONSOLES The very nature of consoles actually facilitates some of their piracy problems. The ease of use that makes them popular also makes them a target. Console users simply insert a game disk or cartridge and play. This means that if a hacker can convince the console that a disk is legitimate, the game will be permitted to run. There are several methods that can be used to deceive the console. The first attack involves duplicating the game storage media. The R4 cartridge does this by emulating the physical and electrical interface between the game cartridge and the Nintendo DS handheld. However, instead of an official game cartridge, the R4 uses standard Flash memory cards (the same ones used for cameras and music players) that can be updated with whatever games the pirate desires. Balancing ease of use with security is an interesting design challenge. Uniqueness is a very powerful security tool, but it is not always easy to incorporate into a system. For PC games, customers are used to typing in a unique license key when they install the game. Console game players simply want to load the game

55

56

Protecting Games: A Security Handbook for Game Developers and Publishers

media and play. In order to add uniqueness to a console game without disrupting the play experience, some sort of unique, digital license information would need to be included on each game disk or cartridge. However, there is a cost for adding uniqueness into a production line, especially for disks like DVDs and Blu-ray. A cartridge system or Flash memory device could be customized more easily to support a unique identity. The next form of attack is to convince the media player that the counterfeit media is legitimate. This is what happens with the Xbox 360 hack. The DVD player reports back that disks labeled as “Rewriteable” DVDs are instead reported as “Xbox360game” DVDs to the console. Microsoft has made some headway against this problem by preventing the DVD firmware from being updated. However, conceptually, a hacker could always replace a media player with a computer or device that fully emulates the media player interface. The simplest and cheapest way to do this would be to find an alternative DVD player with a bit more EEPROM and RAM (see “Secure Loader and Blind Authentication” in Chapter 14) that otherwise uses the same interface protocols as the standard drive. All DVD drives use fairly similar protocols. A hacker would need to analyze the official Xbox 360 DVD drive interface to determine if anything was non-standard (it is likely that the Xbox 360 drive incorporates a couple of additional commands to distinguish it from a standard drive, although some standard commands may be altered in their format) and then emulate that interface with an alternative DVD drive. Emulators are a particularly challenging problem. Instead of attacking the console, an emulator duplicates the hardware and other features of a console in software. For a long time, emulators were not a particularly serious concern for consoles. Moore’s Law (the number of transistors on an integrated circuit has increased exponentially, doubling approximately every two years), which has been demonstrated by the huge acceleration in hardware capabilities in recent years, means that console games can be emulated fairly quickly: PS1 console games are playable on Sony’s PSP handheld just a decade later6. Even worse, generalpurpose PCs are getting so powerful and inexpensive, it is likely that they will be able to emulate new game consoles even more rapidly. The cost difference between a moderately powerful PC and a console has gone from substantially more than $2,000 to several hundred dollars or less. Finally, hackers can target the console processor and operating system directly. If hackers can change the core operations of the console itself, they can bypass all of the system’s security checks. This can be done by attacking the console’s firmware through traditional software weaknesses such as buffer overflows or through brute force replacement of the console’s operating system via modchips7 or other forms of hardware hacking.

Chapter 7 Console Piracy, Used Games, and Pricing

57

Hardware hacking is difficult. It often requires welding or replacing memory chips or even adding new processors and circuit boards to an existing console. The simplest attack is to replace the ROM memory that stores the console’s software with your own chip. Other attacks take advantage of hardware debug features, unused connectors, and interconnects that can be used to alter the operation of the console. Console developers are aware of these attacks. Once again, the challenge is to keep the cost of the console at a minimum while increasing the efforts required for attackers to be successful. Early versions of most consoles (and other hardware) contain more discrete components and more powerful, general-purpose processors or other programmable components that can be altered with software. This is done to get the product out on the market more quickly, but also to accommodate the inevitable bugs and problems that any new system faces. The flexibility that is needed for these early versions of a console tends to make it more vulnerable to attack. Later, once the design has stabilized, components can be optimized and custom circuits (ASICs) can replace the general-purpose processors to reduce costs. Hardware hacking requires the hacker to have to have some real skill to carry out the attack. First, someone has to do some reasonably serious reverse engineering to find a weakness in the system and implement the attack. Second, the attack needs to be “productized” in a way that is reasonably simple to implement by less skilled individuals (nothing more than opening the console and welding or replacing a chip). Third, the commercial pirate needs some sort of facility to produce any necessary equipment (memory chips, circuit boards, and so on) and numerous local business partners to implement the attack for customers. Software attacks are much easier. The goal is the same as with hardware attacks—somehow bypass or alter the console’s operating system. However, instead of attacking the console, the hackers look for weaknesses in the console or game software that kicks the console into a state where the hackers can run whatever program they want to. Because consoles usually don’t provide a command-line interface for users, hackers have to find their way in through parts of the system that are modifiable: the games themselves, game save files, other modifiable configuration files, and, increasingly, user-created game content. Consoles are fairly special-purpose systems: They run games, they save games, they may play games online, and sometimes they handle other media (like playing DVDs or showing pictures). This limited set of applications makes it easier for the console developer to lock down the hardware platform against attack than it is for a PC game developer to protect their game in a general-purpose computer. This does not mean that consoles are immune to attack.

58

Protecting Games: A Security Handbook for Game Developers and Publishers

SECURE BOOTSTRAPPING Ideally, a console developer would like to consider the entire console as a secure system and believe that no one can get inside the box. In reality, of course, hackers and pirates are willing to crack open the console, even if it will void their warranty. This presents a difficult security challenge. Your adversary can test, swap, probe, and otherwise alter and abuse anything and everything that is in your machine until they’ve beaten your security. (See M. Steil's report 8 for a fascinating, detailed discussion about reverse engineering the Xbox.) They can use part numbers to find technical specifications for your components and, fairly rapidly, completely reverse-engineer your design. Attacking information within a chip is still fairly difficult. This is the premise of products like the Trusted Platform Module (TPM). The notion of “secure bootstrapping” starts with a very small amount of protected memory inside the TPM that is used to get things started. Because this type of memory is very limited and expensive, it is used to authenticate conventional, unprotected memory, which is then used to load the remainder of the operating system. Once the operating system is loaded, regular applications are loaded and run. Another important consideration for a secure bootstrapping system is to make sure that it cannot be forced to revert to a previous version of itself. Sony’s PSP continues to have problems with downgraders that force the platform to an earlier, unsecure version of the operating system. This is because the previous versions of the operating system also pass the secure bootstrapping integrity checks. The way to prevent downgrading problems is that the core, trusted portion of the system must include a version counter in protected memory to prevent the operating system from being rolled back. Interestingly, while a TPM in a console does work for secure bootstrapping to ensure the integrity of the platform’s operating system, it does nothing to stop piracy on a PC because, as noted elsewhere, the entire game still needs to be available to the unprotected computer to execute.

For games to execute most quickly, they are typically given full hardware privileges by the game console. The standard way that a console game works is as follows: The console is started and the game is loaded, it retrieves and loads a previously saved game so that the player can resume progress from an earlier session, and runs until the player quits or the console is turned off. If there is a problem within the game that causes it to crash, a hacker may be able to use that crash

Chapter 7 Console Piracy, Used Games, and Pricing

59

(or even cause one) to knock the console into a non-standard state and take over the console. When an application crashes, it is stopped in a disorderly manner that can sometimes be used to run a different program with the same privileges and abilities as the crashed application. Game developers test the games pretty thoroughly. Sometimes, however, they don’t thoroughly test the process for loading saved games or other external information to ensure that they are not corrupted in some manner. This is where problems have occurred. The role-playing game The Legend of Zelda: Twilight Princess, for Nintendo’s Wii, allows players to name their horses (of course). The game crashes when the horse is given an exceptionally long name and the players later use the horse. This allows hackers to run code of their choice 9. Sony’s PSP has similar Game Save problems associated with the games Grand Theft Auto: Liberty City Stories and Lumines 10. The Game Save problem is a bit tricky for the console manufacturer to protect against. The console operating system can restrict the interface to write and read saved games and, hopefully, seize control back from an application when it crashes. In addition, the PSP had a problem with its image viewer. Certain corrupted TIFF files (a standard image format) can cause a crash and permit hackers to execute whatever code they desire11. Apple’s iPhone and iTouch are vulnerable to a similar attack12. The TIFF vulnerability is almost certainly the result of using a standard, probably open source, image library with a known flaw. In both of these cases, the console operating system should not blindly trust either the image viewer or the game application to behave well. Game Save files are tempting targets for direct attack. Usually, the saved files can be removed from the console via a memory cartridge or SD disk and then modified by a motivated hacker. Today, once one of these hacks has been created, hackers can install the altered save files on any console by using the same type of standard storage cartridges or media. One potential solution is for each console to digitally sign all Game Save files that it creates and bind them to itself so that they can’t be used on another console. This would also complicate the distribution of these attacks by hackers, because the attack would need to be replicated by hand on each target system. In the Zelda scenario discussed, hackers would need to play through the game to the point where they found the horse and name it in order to implement the “twilight hack” on each specific console. This would make the attack “too hard” for most lazy players who might otherwise take advantage of the hack. The clearest way to track the progress of software assaults on a game console is to monitor the “homebrew scene.” Homebrew developers basically spend their time figuring out ways to take control of game consoles so that they can run their own applications (or pirated games) on these powerful, but inexpensive, machines.

60

Protecting Games: A Security Handbook for Game Developers and Publishers

One of the ways to avoid tempting homebrew developers is to offer a safe, but open, interface. Sony did this with its PlayStation 2 platform and allowed developers to run the Linux operating system on the console. Unfortunately, it is not possible to determine if this had any effect on PlayStation 2 piracy. Interestingly, DRM solutions, which do not work so well on a PC, are much more effective in the controlled hardware environment of a console.

T HE U SED G AMES M ARKET Used game sales, like pirated games, don’t typically add any revenue to game developers or publishers. And, as seen by reviewing the financial reports of GameStop, a major U.S. game retailer, used games (both hardware and software) generated $1.3 billion in revenues in 2007 and are responsible for over 48 percent of the company’s profit13. As mentioned earlier, the Entertainment Software Association’s total piracy estimate for the games industry is $3 billion and GameStop is just one retailer among many. Although it is unclear how much of that $3 billion in piracy would convert to legitimate sales even if piracy could be stopped entirely, used game customers are spending money, in retail, to purchase these games. “We have the largest selection (approximately 3,000 [distinct products]) of used video game titles which have an average price of $16 as compared to an average price of $42 for new video game titles and which generate significantly higher gross margins than new video game products.” — GameStop 2007 Annual Report Some industry professionals have argued that measures need to be taken to stop used game sales and others have stated that these sales should simply be ignored. I argue that it is probably worth the effort for developers and publishers to try to capture some of the used game revenue without restricting the ability of retailers, or individuals, to resell games. One of the most humorous parts of this discussion is that, although PC games are the primary alleged targets of piracy, the rise of console games has been the key to the growth of the used game business. Typically, retailers will not accept returns or exchanges of PC games. They are legitimately concerned that the customer took the disk home and copied it. In contrast, console disks and cartridges are perfect candidates for resale: They are compact, fairly easy to inspect for quality, unlikely to be damaged, sell well, and, as discussed here, are more profitable than new games.

Chapter 7 Console Piracy, Used Games, and Pricing

61

“Increase Sales of Used Video Game Products. We will continue to expand the selection and availability of used video game products in our stores. Our strategy consists of increasing consumer awareness of the benefits of trading in and buying used video game products at our stores through increased marketing activities. We expect the continued growth of new platform technology to drive trade-ins of previous generation products, as well as next generation platforms, thereby expanding the supply of used video game products.” —GameStop 2007 Annual Report This is not a critique of GameStop, which is just a publicly traded company whose excellent annual reports clearly demonstrate the economics of used console game sales. Blockbuster, Circuit City 14, Walmart, and the other major game retailers probably have similar results. Almost half of GameStop’s profits come from used games (around 48 percent). This has to affect their business strategy. If they don’t stock that many copies of a new title, customers who want a game that is not available may walk out with another used game that is available immediately. Customers also know that they can wait a week or a couple of months and find most games at a substantial discount—a $16 per used game versus $42 per new game average price. There are ways to earn more revenues from customers without trying to directly stop used game sales. Downloadable content is certainly one way to gain revenues. It doesn’t necessarily deter customers from buying a used game, but it may discourage them from selling the game. Some console game publishers are experimenting with license keys for console games (something PC games have done for a long time) to link a single game customer to a game disk. One twist on using downloadable content is to release multiple, small downloadable items, but only for a limited time. Some MMOs do this for holiday items—virtual costumes for Halloween, flowers for Valentine’s Day, and so on. Although a valentine may be inappropriate for a World War 2 game, limited edition weapons, uniforms, and maps are certainly plausible—with the items available only for a week or month for currently registered and active players. The other anti-piracy strategies discussed for PC games, such as promotions, collectible items, and special editions, are all equally applicable to fighting the used game threat.

62

Protecting Games: A Security Handbook for Game Developers and Publishers

P RICING P IRATES O UT

OF

B USINESS

Price is a great anti-piracy strategy. Low price and convenience works as a way to fight piracy. Apple is now the number one leading music retailer in the US thanks to its low prices and convenience15. iTunes has been growing steadily, even though its FairPlay DRM system has been cracked repeatedly16. The computer game industry regularly touts itself as a competitor to the movie industry. However, in 2006, there were over 1.1 billion DVDs sold for $16.5 billion17 compared to 240.7 million games sold for $7.4 billion18. DVD players and video game consoles have been roughly comparable in price for quite a number of years. The big difference is that a new DVD typically cost less than $20, whereas a new game is priced at closer to $50. Part of the reason for this pricing disparity is history. PC games started off at $50 when they were the only form of entertainment on a computer in the late 1970s and 1980s. At that time, there was no Internet and the number of PC owners was quite small. However, the price really hasn’t changed since that time even though there is a vast range of free entertainment available on PCs (including other games) and phenomenal growth in the PC market as a whole. Some people argue that this is because a game can provide 30 or 40 hours of entertainment while a film only lasts 2 or 3 hours. However, many players only wind up playing games for a couple of hours and, if we used this metric for books, a novel would be much more expensive than a film. In fact, most recreational hardback books or quality paperback books are priced very close to the $20 price of a standard DVD. There is a substantial psychological difference between a $20 and a $50 purchase. I’ll buy a $20 book or a DVD on an impulse, but I pretty much always think about what $50 games I’ll purchase. The rise of “free-to-play” online games has shown that many consumers are quite sensitive to price. The popularity of games like Nexon’s MapleStory and Jagex’s RuneScape has shown that by lowering the barrier to entry for your customers, you can substantially increase your audience while still earning very healthy revenues. Lower prices make piracy and used games much less appealing. Although GameStop and its fellow game retailers can earn substantial margins when the price difference between a new game and a used game is $30, the retail appeal of used games is much less if the new game price is only $20. One of the challenges of experimenting with pricing for console games is the substantial royalties that game publishers have to pay to the console manufacturers. It should give everyone pause when Id Software has threatened to limit the features it is including in its Xbox 360 version of the game Rage because of the per-disk royalties that it has to pay to Microsoft20. Rage is supposed to be large enough that it

Chapter 7 Console Piracy, Used Games, and Pricing

63

would apparently require an additional physical DVD to be played on the Xbox 360 instead of fitting on a single Blu-ray disk for the PS3 console. Also, retail games compete with a wide range of free and inexpensive entertainment options on the PC—DVDs, video-on-demand, Netflix, endless free games online, cheap MMOs, YouTube, and so on. Another possibility is episodic gaming. Episodic games have not taken off so far, although it is intriguing to consider the idea of breaking a game into an initial release (sold for $10 or $20) and then having the remaining levels purchased as downloadable content. Potentially, this could be done for both PC games and console games.

BREAKING THROUGH THE GLASS CASE The high price of games creates an interesting problem beyond piracy or IT security: physical security. Because games are a physically small, high-value item, they are targets for theft. For general retail, theft is approximately 1 or 2 percent of sales, but for games, it is as high as 5 percent. The situation pushes retailers to protect games behind glass cases and forces employees to retrieve the boxes for customers (glass cases can cut sales by 35 to 45 percent, but reduce theft by 90 percent)19. Unfortunately, putting games behind glass substantially reduces impulse sales. Impulse sales are defined as sales where the customer did not visit the merchant with the intent to buy the specific item. Twenty-six percent of clothing sales comes from impulse purchases, but only 6 to 8 percent of game purchases are from impulse purchases. Game companies are experimenting with alternative packaging such as bundling games with toys and other packaging and sales strategies that would allow the games to need less physical protection. Of course, lowering prices and improving retail margins directly could help. A Technical Alternative Another strategy, better suited for PC games than consoles, would be to move product activation from the home to the cashier. Pre-paid cards are routinely activated today during the checkout process. The cashier scans a barcode on the pre-paid card when payment is accepted. This information is sent to the vendor, who activates the card. This same activation process could work for computer games. Game publishers could easily print the game’s license key on its box. When the customer checks out, the license key is scanned and the game publisher’s license server then activates the game.

64

Protecting Games: A Security Handbook for Game Developers and Publishers

This activation process would allow the game to be located in the store with substantially lower risk because possession of the game disk would not be sufficient to activate the game, even if the thief knows the license key. The cashier’s involvement prevents casual theft. The players then enter the license key, as they do today, when they install the game and registration proceeds. Another alternative would be to allow players to activate their games with an affinity membership card at the time of purchase instead of via online registration at their computers. It could even be possible for license registration information to be directly transferred from the merchant to the game publisher.

Chapter 7 Console Piracy, Used Games, and Pricing

65

R EFERENCES 1. C. Dring (2008), “JAPAN: Nintendo Attacks DS Piracy,” http://www.mcvuk.com/news/31376/JAPAN-Nintendo-attacks-DS-piracy 2. B. Ashcraft (2008), “R4 Price Going Up in Akihabara,” http://kotaku.com/5031834/r4-price-going-up-in-akihabara 3. Nintendo (2008), “Court’s Judgment of Illegality of Device, Such as R4, etc.,” http://ap.nintendo.com/_pdf/news/408905229.pdf 4. S. Carless (2006), “Exclusive: Xbox 360 Piracy Spreading Fast in China,” http://www.gamasutra.com/php-bin/news_index.php?story=10232 5. H. Goldstein (2006), “Blu-Ray Already Ripped on PS3,” http://ps3.ign.com/articles/748/748723p1.html 6. K. Orland (2006), “Hack: Play Ripped PS1 Games on PSP [update 1],” http://www.joystiq.com/2006/12/25/hack-play-ripped-ps1-games-on-psp/ 7. Wikipedia (2008), “Modchip,” http://en.wikipedia.org/wiki/Modchip 8. M. Steil (2005), “17 Mistakes Microsoft Made in the Xbox Security System,” http://www.xbox-linux.org/wiki/17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System 9. WiiBrew (2008), “Twilight Hack,” http://wiibrew.org/wiki/Twilight_Hack 10. A. Linde (2007), “PSP Firmware Exploit Found in Lumines; Sales Jump 5,900% on Amazon,” http://www.destructoid.com/psp-firmware-exploit-found-in-lumines-sales-jump-5900-on-amazon33690.phtml 11. Secunia (2005), “Sony PSP Photo Viewer TIFF File Handling Buffer Overflow,” http://secunia.com/advisories/16922/ 12. R. Block (2007), “iPhone and iPod Touch v1.1.1 Full Jailbreak Tested, Confirmed!,” http://www.engadget.com/2007/10/10/iphone-and-ipod-touch-v1-1-1-full-jailbreak-tested-confirmed/ 13. GameStop (2007), “GameStop Annual Report 2007,” http://library.corporate-ir.net/library/13/130/130125/items/295079/2007annualreport.pdf 14. A. Webster (2008), “Circuit City to Expand Used Games Plans,” http://arstechnica.com/journals/thumbs.ars/2008/02/08/circuit-city-to-sell-used-games 15. Apple (2008), “iTunes Store Top Music Retailer in the US,” http://www.apple.com/pr/library/2008/04/03itunes.html 16. E. Kirk, “App Store’s FairPlay DRM Hacked On Super Monkey Ball,” http://www.iphonealley.com/news/app-store039s-fairplay-drm-hacked-on-super-monkey-ball 17. S. Zeidler (2008), “U.S. DVD Unit Sales Dropped in ’07,” http://www.reuters.com/article/businessNews/idUSN0325539220080104 18. ESA (2007), “Essential Facts about the Computer and Video Game Industry,” http://www.theesa.com/facts/pdfs/ESA_EF_2007.pdf 19. T. Wolverton (2008), “Game Industry Tries to Break Through Glass Wall,” http://www.mercurynews.com/business/ci_10339660 20. N. Breckon and C. Faylor (2008), “Rage Will Look Worse on 360 Due to Compression; Doom 4 and Rage Not Likely for Digital Distribution,” http://www.shacknews.com/onearticle.x/53976

8

Server Piracy

ne of the reasons that companies started to create online game services was that they were a good way to fight traditional game piracy. After all, if a customer has to connect to your server, surely there is no way that she can pirate your game. Although it may be true that the game is truly on the server in a text MUD, for many graphical online games, most of the art assets, level design, and even game logic resides on the client application. And, really, the valuable part of the game is the art and game design. Because so much of the game is often on the client-side, the limited amount of server logic acts more as an online game key. And, as discussed in earlier chapters, there are many ways to attack license key systems.

O

S ERVER P IRACY T RENDS Server piracy has been around for a long time. Massively multi-player games are particularly vulnerable. Early MMOs like Ultima Online have been targeted1, as well as new games like World of Warcraft2. Even smaller games, like Star Wars: Galaxies, have been victims3. MMOs are not the only targets. The unauthorized “BnetD” server emulates Blizzard’s online service for multi-player gaming for Diablo II and Warcraft III 4. It is tempting to categorize pirating single-player downloaded games in Flash, Shockwave, and Java as examples of server piracy. However, in each of these cases, the game is distributed in its entirety to the players every time they visit the web page where the game is located. The absurd confusion about what is actually occurring is obvious when some online casinos call these types of games “no download” games. Of course the game is downloaded; it is just automatically downloaded every time the web page is viewed. For these types of downloaded games, the problem is much more akin to the problem faced when fighting piracy in standard PC games. 66

Chapter 8 Server Piracy

67

Sometimes, these pirate servers are just run for fun. Sometimes, players want to change the game to suit their own desires, and sometimes they just want control: “The RunUO Team has a plethora of things for you to choose from. We deliver an end-to-end solution for your Ultima Online needs. We give you everything from the server software to a client we have written from scratch. If you prefer the EA games client, we even have our very own UO Assist program designed to make game play much easier, called Razor. Below you will find a list of our products and everything there is to know about them.” —RunUO Products Page When online games became more popular and profitable, some pirates moved to run these unauthorized game services for money. There have been pirate servers all over the world. China has been a particular target: A pirated version of Legend of Mir 3 earned its operators 500,000 RMB (around $64,000, a fair amount of money in China) by offering lifetime subscriptions for 300 RMB (around the same amount a legitimate player might pay per month). The publisher, Guangzhou Optisp Company, claimed monthly losses of 10 million Yuan ($1.28 Million)5. They are not the only company that has faced this problem. A pirate server for Ragnarok Online, published in China by Shanda Interactive, was shut down with 260,000 accounts and could support 3,000 peak concurrent users6. China is not alone; there have been pirate server operations shut down in Europe7 and Russia8; the US is not immune either. In 2003, the source code for one of the first globally popular MMOs, Lineage II by NCsoft, was compromised and found its way to a server in China. It was purchased by a Texan in 2004 whose California business partner set up an illegal Lineage II server in the US. They had 50,000 users in 2006, and NCsoft claimed potential losses of $750,000 per month. The FBI shut this service down in late 2006. If the site operator is found guilty, he faces up to five years in jail and $250,000 in fines9. Most MMOs have relatively simple game mechanics, especially the portion that is implemented on the server. These mechanics are often substantially implemented by code on the client computer to minimize bandwidth and processing on the game operator’s servers. This leaves the pirate with a quite tractable task of reverseengineering the simple part of the game—its server game logic—or coming up with plausible alternative server code. This actually highlights an interesting irony about online games. One of the motivations for online games, particularly in Asia, is to fight piracy. However, the move towards simpler games and general stagnation of game design has made it easier to create a knock-off game and steal most of an existing game’s assets.

68

Protecting Games: A Security Handbook for Game Developers and Publishers

One could really argue that what is occurring is not server piracy, per se, but service piracy. There are a number of ways for a pirate to exploit an online game service: Stolen Server Code—Someone has an unauthorized copy of the source code for the server (usually with all of the client art and assets that aren’t protected, in practice). This can occur due to an accidental disclosure (leaving the code on an unprotected server, as with the Lineage II case), theft from the developer by an outsider, or a malicious employee. Reverse-Engineered Server Code—Someone uses the actual game client to reverse-engineer the game server and communications protocols. Reverse engineering is often legal (DMCA raises some real questions about this in the US) and very difficult to stop in practice, as seen with “BnetD.” Blizzard won the case to stop the distribution of this unauthorized version of the Battle.Net server code in the US, but the code is still widely available online. Stolen Art, Music, and Animation (and Plausible Client and Server)—A player with a legitimate copy of the game extracts the game’s art assets and uses them with their independently created game client and server. This is usually trivial to implement, because any legitimate player can collect the game’s entire creative content by simply playing through the legitimate game. This is certainly a EULA and copyright violation. However, the legal case may be very interesting if you require the player to have a legitimate copy of the original game client, especially if the original client is distributed for free. This is not the kind of “interesting” situation that businesses like to deal with. Cloning: Copied Art and Emulated Server—Building game art and animation and game play in the style of an existing game. This is a pure copyright violation. The only way to stop this is via the courts, which may not be effective in many of the jurisdictions that are likely to pursue this tactic. There are several trends that are going to make the server piracy problem worse, not better. China has become very aggressive in prosecuting online game pirates, especially as its domestic online game industry has grown. The rapid globalization of online gaming will likely lead to pirates moving their game servers to countries with immature legal systems. These countries will be happy to host services for online games for a license fee or the promise of tax revenues. The continued success of online gambling in the Caribbean, even in the face of severe sanctions in the US, is a clear indicator of the challenge of jurisdiction for online services.

Chapter 8 Server Piracy

69

Building an online game is gradually getting easier. Services such as Linden Lab’s Second Life, Makena Technologies’ There.com, and Areae’s Metaplace are designed to simplify building online games. There are also open source projects like The Croquet Consortium’s Croquet and Sun’s Project Darkstar, among others. Unfortunately, these same tools can be used to accelerate server piracy projects. Server piracy is going to get worse as these toolsets get better.

INSIDER PIRACY, TROUBLED PARTNERSHIPS, AND ONLINE GAME APPLIANCES Different types of piracy require different types of solutions. Typically, games are lowcost, mass-market items. Thus, there are severe constraints on how much a publisher can spend on security on a per-unit basis. This is not the only business scenario: Some high-end analytic software packages for niche markets are protected by using hardware tokens for license management. In the game industry, licensing large online games, like MMOs, exposes some unique security problems involving licensees and employees of licensees. Publishers of MMOs market their game to the world via an assortment of licenses into specific markets. The most familiar example in the US is Blizzard’s licensing of World of Warcraft to The9 in China. Many Korean and Chinese online game developers are also pursuing an aggressive international licensing strategy. The licensee operator handles localization (customization by language and market) and is much more familiar with important local issues like marketing, payment processing, and usage controls in accordance with national policies. For the licensor, the money is often quite good with substantial upfront fees and regular royalties as long as the game is operated. There can be problems with these relationships. The licensee has to have access to the game and there may be difficulties in the relationship between the companies. Often, the game itself is provided as an executable program without source code to keep the licensee from stealing the game. Although this tactic is reasonably effective, I believe that game licensors should consider shipping their game as an integrated hardware-software appliance. This increases the effort for a licensee to attack the game and makes supporting the game easier (since the hardware and software are controlled solely by the game developer). Also, game appliances can be leased and it may be easier to “unplug” a difficult licensee than it is with a pure software delivery. License fees can be scaled and controlled on a per-appliance basis, something that is much more difficult to do with a software-only delivery. A game appliance is easier to visit and audit and, if properly designed, there is less risk of a licensee employee extracting the game executable.

70

Protecting Games: A Security Handbook for Game Developers and Publishers

Increasingly, casual MMOs are moving to a peer-to-peer type architecture. They do this by building games that don’t require a very large number of players to interact together simultaneously, such as 2 to 16 players. This will make locating the pirate central servers more difficult, as the size of the central server infrastructure is smaller and can more easily be relocated. Also, casual games can be emulated fairly easily and have their art assets looted to incorporate into an independent game. Many of these casual games are built using tools like Adobe’s Flash and Shockwave, which have long been targets of reverse engineering to extract application code and asset theft. The growth of debit, anonymous, and casual online payment systems makes it much less difficult for server pirates to monetize their service. Ironically, the move to “free-to-play” business models makes this less risky, as there is a smaller outlay to participate in the pirated service. Customers are less concerned that their payment account will be looted by the merchant, as this is exactly the type of small-scale, high-risk transaction that these payment systems were designed to secure. One of my personal favorite anti-server pirate measures is a strong economic or status system, be it a rich in-game system, such as with CCP Games’ EVE Online, the entire Free-to-Play business model, badges and achievements ranking systems, or even gold farming. Although the software for these games and social systems may be easy to reproduce, the scale and vibrancy of the community and economic system makes such piracy largely meaningless. In these cases, server piracy is reduced by the presence of a big, visible, and fun-to-use status system with economic rewards. The most obvious “proof” of the effectiveness of the power of a strong economic system is the irrelevance of piracy in the world of online casinos or, less extravagantly, skill games and casual game portals. In most of these cases, the actual games and game software are easy to steal or duplicate. It does not matter; the service is its economic or status system, not included game or games. I will discuss this strategy at greater length in the “Rich Interaction System” section in Chapter 9.

A UTHENTICATING

THE

S ERVER

As seen from the previous discussion, server code can be compromised in a number of ways. If the server code or a game server is compromised, it is important that the game service be able to recover. Online games are increasingly moving to a peer-to-peer (P2P) architecture, particularly in Asia, as the cost of running large, centralized server farms is growing and games can have hundreds of thousands of concurrent users. A P2P infrastructure is especially common for free-to-play games or other non-subscription games that have don’t have a reliable way to recover their costs of operations for all players.

Chapter 8 Server Piracy

71

Most of the security focus for online games is on authenticating the player, and sometimes the client software, to a server. There is also substantial benefit to be had from authenticating the server to the client or binding clients together with the server in a peer-to-peer system. This technique is useful beyond the strict realm of server piracy and should be part of any online service. The power of authenticating the server to a client is that it more tightly binds the two together into an integrated game service. This is exactly what a good license server strives to do when it verifies licenses for a conventional software application. With good key management, cryptography can be a useful identity tool. Most of the time, it focuses on identifying the client to a server, but the techniques can work both ways. For example, the game client software can include the game server public key in its code to be used as part of the login process. This can be used to verify the game server to the client. One way to use the game server public key is to modify a standard challenge/ response login protocol. In the standard protocol, the server sends a random challenge phrase to the client. The client uses the random challenge phrase in conjunction with its secret key (or user password) to send a response back to the server for validation: ServerRandomPhrase; // generated and sent to the client Response = SecurityFunction(ServerRandomPhrase,ClientSecret); // created on the client and sent to the server

To authenticate the server to the client, the server uses its secret, private key to encrypt the server’s random phrase. In addition, the server appends a fixed authentication word to the random phrase and encrypts both together. The game client receives and validates this expanded challenge message and, if the new challenge phrase passes, continues the login process: ServerRandomPhrase; // generated by the server as before ChallengeMessage = ServerRandomPhrase,AuthenticationWord; // The authentication word should be a fixed field or a date & time combined with a fixed field or some other data that both the client and server can determine independently Encrypt(ServerPrivateKey,ChallengeMessage); // the server uses its private key to encrypt the challenge message and sends it to the client AllegedChallengeMessage = Decrypt(ServerPubic,Key,ChallengeMessage);

72

Protecting Games: A Security Handbook for Game Developers and Publishers

// the client, which knows the public key, uses it to decrypt the challenge message Validate(ChallengeMessage) = ServerRandomPhrase,AuthenticationWord; // this should pass only if the server private key was used to generate the message. The server private key should only be known by the legitimate server. Response = SecurityFunction(ServerRandomPhrase,ClientSecret); // created on the client and sent to the server

There are other protocols and methods that can achieve the goal of validating the game server to the client as well as the client to the server. Most take advantage of public key cryptography. It is possible for motivated hackers to replace the login code or the public key with their own, but this requires more work on the hacker’s part in order to connect to a pirate server. And, hackers are lazy, just like regular folks. You can fight the replacement of the server public key by using it in a number of places in the game client. It can be simply checked in several places or it can be used to encrypt client game constants and data. An example would be to use the server public key to sign (and maybe even encrypt) data updates from the server. Then, when the client wishes to load or use data from the server, it must use the server public key to recover the data.

BYPASSING ENCRYPTION It is fairly common for online games to encrypt the link between a client and server or between players. In some cases this is done to prevent disclosure of the data being exchanged. Occasionally, there is a legitimate threat that a third party may intercept the data. It is a misuse of encryption to attempt to conceal data from the player in this manner. Typically, the most important security requirement on the connection between a client and server or between peers is to ensure data integrity and provide source authentication. Data integrity is important to prevent manipulation of the data on the network link that could alter player actions or game state. Source authentication is particularly important, because malicious players could spoof source IP addresses or game message headers so they appear to come from another player. This can be a real problem in message-based system designs because the underlying IP address information is often discarded by the higher-level message.

Chapter 8 Server Piracy

73

There are three choices for achieving integrity and source authentication: digital signatures, encryption, and cryptographic checksums (or message authentication codes—MACs). All three techniques work, and may be useful for protecting a game, depending on other system design constraints: Digital Signatures—Use a combination of a hash function and a public key encryption function. Hash functions are often slower than conventional, private key cryptographic functions. If you can ensure the security of the player’s private key, the system can take advantage of a digital signature’s non-repudiation features. Non-repudiation is the property often associated with digital signatures that only the legitimate user could have created the signature, so the legitimate user cannot subsequently deny having signed the message. Non-repudiation is probably more important for skill games or gambling games than in conventional MMOs, as the set of messages could be used to create a “digital contract” to validate the game. Encryption—Encryption’s main benefit is to protect against disclosure to third parties. Certain modes do have the same sort of manipulation detection properties that a MAC has. Encryption can also be used to validate identity by having a unique key assigned to each sender in a client-server architecture. The developer can pre-generate or independently generate the key stream and sometimes operate faster by using a key-additive system. This is an encryption mode where a cryptographically generated key stream is simply added or XOR’ed with the plaintext data. When operated in this manner, the encryption system will only confirm identity, not protect against controlled data manipulation. Cryptographic Checksums—They leave the message in cleartext, but include an authentication phrase using a keyed cryptographic function that detects errors and manipulation. As with encryption, unique keys in a client-server environment can be used for secure identification. Cryptographic checksums can be designed to operate quite rapidly and therefore can have minimal performance impact. In peer-to-peer games, this is typically not a major factor. However, in client-server games, the server may need to process hundreds of messages from thousands of player clients in a very short time.

74

Protecting Games: A Security Handbook for Game Developers and Publishers

One of the reasons I recommend cryptographic checksums for client-server games is that the server can, if necessary, completely ignore the authentication process for player data. Because the message data is provided in cleartext, it can be processed without any problem, even if the message is not authenticated. Therefore, when the integrity and source of the message does not matter or the server is under a particularly heavy load, the server can bypass the authentication step or save authentication processing for later. This is the real work in cryptographic system implementation: the trade-offs between all of the options that are available for algorithms, modes, key management, and so on, to meet your performance and security requirements.

R EFERENCES 1. RunUO,” RunUO Products,” http://runuo.com/products.php 2. Google (2008), Over 1.1 Million Results for ‘Wow Private Server’,” http://www.google.com/search?hl=en&safe=off&q=wow+private+server&btnG=Search 3. Timothy (2006), “Star Wars Galaxies Emulator Test Server Hits Alpha,” http://games.slashdot.org/article.pl?sid=06/06/26/1850213 4. D. Becker (2004), “Blizzard Wins Online Game Suit,” http://news.zdnet.com/2100-9588-5403899.html 5. C. Li (2007), “Man Faces Court for Online Piracy,” http://www.chinadaily.com.cn/china/2007-01/11/content_780574.htm 6. H. Lee (2006), “Shanda to Crack Down On RO Pirates,” http://www.pacificepoch.com/newsstories?id=85006_0_5_0_M 7. videogaming247 (2008), “NCsoft Ganks Illegal Greek Lineage II Operation,” http://www.videogaming247.com/2008/04/10/ncsoft-ganks-illegal-greek-lineage-ii-operation/ 8. S. Davis (2007), “Russian Server Pirate Sentenced to 3 Years in Prison: Reverse Engineered Gravity’s Ragnarok Online Server,” http://playnoevil.com/serendipity/index.php?/archives/1300-Russian-ServerPirate-Sentenced-to-3-Years-in-Prison-Reverse-Engineered-Gravitys-Ragnarok-Online-Server.html 9. FBI (2007), “CRACKING THE CODE—Online IP Theft Is Not a Game,” http://www.fbi.gov/page2/feb07/iptheft020107.htm

9

Other Strategies, Tactics, and Thoughts

here are many ways to attack piracy. The inherent problem that games and other digital media face is that “bits are bits” and there is no way to distinguish between a legitimate copy of a piece of digital media and an illegitimate one. A pirate and a legitimate version of a digital media are, by definition, identical. In essence, strategies discussed so far have tried to find a way to make it impossible to copy something that is easy to copy, or to make things that are identical not identical, or both.

T

When we are fighting digital piracy in this manner, we are, in some sense, denying the very nature and power of the medium. In doing so, we may quite possibly be doomed to fail. Of all the solutions discussed thus far, online gaming seems to be the most effective method to actually fight piracy, both in theory and in practice. However, not all games are, or should have to be, online games. Altering pricing looks like it could also be an effective option, but it may not always be an acceptable business choice.

M EASURING P IRACY How bad is piracy? It is a legitimate question, but without real data on the extent of piracy, it is impossible to determine an appropriate response. The challenge is to find a way to collect good data. The first step is to create or find some sort of unique identifier for each copy of a game that can be collected and tracked. For PCs, it is reasonably easy since most games already include a license key. For consoles, one can probably use any unique ID associated with the console to track which machines the game has been installed on. One problem with consoles is that they don’t have any license key or unique identifier tied to each game copy. Most PCs include

75

76

Protecting Games: A Security Handbook for Game Developers and Publishers

a number of unique identifiers that can be associated with each platform—Ethernet card MAC addresses, Windows License IDs, and so on. If nothing else, the application can generate and store a random unique identifier when it is installed. Of course a pirate (or person with a second PC) may attempt to reuse the license key. If there is an online activation process or online service, it is possible to move from the initial identifier (the license key) to an active platform ID (a unique identifier associated with a specific PC or console). The advantage of this is that the publisher can then distinguish between different installations that share the same license key. There are benefits to allowing every user to at least start the game. After all, as long as such a person is not locked out, he is a potential customer. You can also begin to more accurately gauge how many actual game users there are, who these individuals are, the structure of the game’s informal distribution channels, and so on. If the game locks out users immediately, it may not be possible to distinguish multiple registration attempts by a single user from multiple users each attempting to register. One way to implement this is to allow the game to operate through an initial level even if the player has entered an invalid license key. The game would still do an automated connection and generation of an Active Platform ID. Then, when the player completes the first level, the software can take whatever action the publisher desires. With Internet access, the publisher could also use a GeoIP service (a service that associates IP addresses with approximate geography) to determine approximately where the user is coming from. It is important to track the Active Platform ID separately from any other identifiers. Invalid license keys can be analyzed to determine if they were mistyped or if the player attempted to use a tool to generate fraudulent license keys or reuse keys from other players. The publisher can track actual revenues compared versus Active Platform IDs and compare both to license information. With these three values, the publisher can begin to get a real handle on the extent of piracy as well as the total number of potential customers. The publisher can also experiment with different anti-piracy tools and, of course, techniques to convert pirates into customers.

F IGHTING P IRATE N ETWORKS In the world of digital distribution, publishers can battle pirates directly. Most pirated software is distributed through large peer-to-peer (P2P) networks (many use a family of protocols called torrents). These P2P networks are designed to be highly distributed. Anti-pirates can attempt to identify the individuals downloading

Chapter 9 Other Strategies, Tactics, and Thoughts

77

pirated media (as the RIAA has done for music), seed the online networks with altered game files, or create their own honeypots, which are pirate servers to help identify and track pirates. Developers and publishers may complain about piracy and feel that piracy is fundamentally unjust; they do have a choice. They can choose to battle pirates with rewards or penalties. The primary goal for a publisher is really not to stop piracy, but to maximize the revenues the publisher earns from its products and services. As discussed previously, publishers have sometimes chosen to modify the illegal copies of their games so that the games are unreliable and unstable—with negative consequences because this can hurt the game’s reputation (seen with Titan Quest). The initial motivation for this tactic was to make it more difficult for pirate hackers to locate and remove the game’s anti-piracy measures. Developers should have confidence that their security measures cannot be removed. In this case, the game should clearly lock itself up and indicate that the version has not been purchased or take the other tack and invoke nagware to endlessly remind players to purchase the game. An alternative approach is to distribute only part of the game initially and distribute the remainder of the game to paying customers who have clearly registered. For example, split a $20 game into two $10 game episodes. Requiring clear, detailed, user registration before implementing penalties may be a powerful piracy deterrent, especially if combined with an incentive such as a contest or promotion. A “$100,000 Titan Quest Giveaway” for registered players may do more to increase sales than $100,000 worth of anti-piracy. It is possible to attack P2P networks, as Introversion has shown with Darwinia1. After a pirated version of Darwinia was leaked onto pirate networks, Introversion spoofed the same P2P networks by widely releasing a demo version of its game that was intentionally mislabeled as the complete game. Introversion’s goal was to increase the likelihood that a potential pirate consumer would download the mislabeled demo rather than the actual hacked game. Because the demo clearly ended and was marked as a demo, it did not damage the game’s reputation. The company seemed satisfied with its results, although they have not publicly shared any details on how many sales they gained by using this technique. Pirate and P2P networks are inherently vulnerable to a wide range of spoofing and honeypot attacks. Because P2P networks seek to be anonymous, decentralized, and highly distributed, pirates can’t manage trust effectively. Because there is no central trusted authority, anyone can post, host, and alter files, as well as provide file descriptions. Unlike conventional criminal piracy where pirates earn money by counterfeiting and selling goods, pirates do not earn any money from these P2P networks directly. Therefore, game publishers have more incentive than the pirates to attempt to dominate the P2P networks. In this case, the decentralized, distributed nature of P2P networks gives the publisher an advantage.

78

Protecting Games: A Security Handbook for Game Developers and Publishers

Even if pirate networks move towards reputation systems, an organized effort by a publisher should be able to shape network traffic. It should be noted that there are strong financial incentives for criminal pirate networks that do sell games or operate game services for money. In such cases, pirates will establish trust relationships and often are able to freeze out the publisher’s countermeasures. Honeypot download services are operated by, or on behalf of, the publishers with the goal of identifying pirates for prosecution. They do this by hosting “official” pirated media, often at a number of host locations. Pirate consumers who download the media are subject to tracking by GeoIP to their Internet Service Providers (ISPs). Once identified, the company typically pursues some sort of legal action. The MPAA has used a service operated by MediaDefender2 to fight piracy in the movie industry3. There are several other companies operating in this market at the moment (mid-2008), including MediaSentry and BayTSP. MediaDefender, which has been a bit of a lightning rod in the industry, apparently goes further than the other honeypot services and scans the downloader’s computer for additional copyrighted material that may have been downloaded illegally. This can be quite devious and lucrative: If a media security company installed a monitoring application on any computer that had downloaded a game or other media from one of its sites, the company could catalog potentially compromised items and then contact the media publishers retroactively. The company could offer the publisher a deal such as, “I’ve got a list of 500,000 people who have installed your application— would you like to buy my services?” In some countries, this whole approach may be illegal and considered computer crime. This is a concern with a number of the more aggressive anti-piracy tools that aggressively monitor the activities on a computer, report information back to a remote site, or take measures to shut down “inappropriate” applications. Honeypot services can definitely fall in the legally and ethically gray world of active measures. Installing software on people’s computers, even if authorized in a EULA, could put the company at risk under both civil and criminal law. The pursuit of individuals involved in music file sharing has had limited benefits and has cost the industry a lot of good will. Even worse, such services can damage legitimate businesses: MediaDefender actively disrupts peer-to-peer networks for its clients. There are some legitimate companies that use P2P distribution because it lowers bandwidth costs. This is a growing tactic for lowering the costs of digital distribution, as end users have a lot of bandwidth capacity that they are not using. MediaDefender targeted such a network operated by Revision3 and wound up causing a denial of service attack against the service. This has resulted in lawsuits and an investigation by the FBI for violations of the Economic Espionage Act and the Computer Fraud and Abuse Act4.

Chapter 9 Other Strategies, Tactics, and Thoughts

79

M ULTI -P LAYER G AMING Historically, most computer games were single-player experiences only. Recently, multi-player gaming has grown rapidly in popularity. As noted by many industry observers, commercial single-player games have been dominant because, for most of computer gaming’s short history, bandwidth costs were high. Outside of the realm of computer games, there have always been far more multi-player games than single-player games. Building online multi-player games definitely has its challenges. It is interesting to note that many commercial game developers continue to see multi-player functionality as an added feature that can be dropped if there are problems, rather than as an essential part of the game. This seems quite strange from a pure business perspective, especially in the world of console games. Exit Games’ CEO, Harald Behnke, believes that multiplayer games can earn two or three times as much as single player games (to be fair, his business is multi-player gaming services)5. Other estimates have been closer to 20 or 30 percent in additional sales. At some level the rationale for this is pretty obvious. If I have a single-player game that I really like and I recommend it to my friend, I might simply give her my copy. For a multi-player game, in order to play together, we have to pay together, leading to additional sales. This is not guaranteed, of course. One of the reasons I think cheating is a critical industry problem is that multi-player gaming is a crucial part of making a game more successful. And cheating can easily ruin the multi-player gaming experience and hurt sales. The other great feature of multi-player gaming is that it is much easier to secure against piracy. Even a game with a minimal central matchmaking and lobby service can more effectively control piracy than an elaborate DRM solution. Multi-player gaming is one example of a rich interaction system; there are a number of others.

R ICH I NTERACTION S YSTEM Rich interaction systems (RIS) are valuable game play, game community, and player services that create opportunities for security transactions and incentives for players to participate in the legitimate game ecosystem. Security systems work most effectively when there are multiple interactions— the more often the system is validated, the more security it provides. A bike lock is fairly effective if the bicycle is parked in a public place where plenty of people see it.

80

Protecting Games: A Security Handbook for Game Developers and Publishers

OWNERSHIP MODELS: ACCOUNTS VERSUS PLATFORMS One of the interesting differences between Western gaming and games in Asia is the basic notion of game ownership. In the US, Japan, and Europe, computer games are typically owned when the user possesses a physical copy of a game associated with a single platform. In Asia, the physical or electronic copy of a game does not matter, because the company’s association with the player is based on an online account. Neither model is superior to the other. It is probably prudent for developers to investigate how to support both models of ownership for their games. Asian game developers may be able to tap game genres that are not solely multi-player and Western developers may be able to better position themselves for the rapidly growing market in Asia and other emerging markets worldwide. Although I cannot claim to have taken a comprehensive survey of game developers and publishers, I have studied quite a number of game company sites over the years. The only company that I’ve seen that seems to support both account-based ownership and copy-based ownership, at least to some extent, is Valve Software. Valve explicitly offers support for Internet Café licensing on its site as well as conventional sales, and its Steam online digital distribution service6. One area that has not been explored too much is a hybrid of platform and account-based licensing. Some MMOs do support “buddy” accounts for friends, but there could be more. Easy examples are intelligent licensing and services for people who play on both their home PC and a laptop, family licensing plans for MMOs and other games, and even multi-level marketing and affiliate programs to lower marketing and distribution costs (and even reduce payment risks).

If the bike was locked up in a vacant warehouse and abandoned, no matter how good the lock was, if someone who found the bike and wanted it, the bike would be gone. In some sense, a bike lock does not work because it actually stops thieves. A bike lock works because it is fairly obvious and reasonably time consuming for someone to circumvent it. A bike lock is a thief detection system, not a theft prevention system. Effective protection for games works the same way. Rather than trying to build an unbreakable lock, it is much easier and more effective to build an environment where the security system is public and involves multiple users. It is even better if the security system is part of a visible service that users routinely use.

Chapter 9 Other Strategies, Tactics, and Thoughts

81

At some level, licensing and DRM system providers understand this principle. EA initially configured its DRM system for two games, Mass Effect and Spore, to require the player’s license be revalidated with the online server every 10 days in order to ensure that the license key had not been compromised. After widespread customer outrage, EA and Bioware canceled this tactic7. The problem with their approach was not the underlying technical security strategy, but how players perceived it. Instead of making the security authentication and license check a standalone service (which also makes it a target for circumvention), why not provide a valuable online service that the user wants to participate in? For Spore, at least, creating a valuable online service would be trivial. One of the key elements in the game is the ability to create your own custom creatures and share them. Even though the game is single-player, this shared, online experience is a key part of its design and has already been very successful. There were over 250,000 creatures created the day the product was launched8 and, even better, HP and EA launched a worldwide creature design competition9, with the additional benefit that these players provided the companies with a lot of detailed personal information, no doubt, when they registered. If the game’s license re-verification system was embedded into the utility that allowed creatures to be posted or allowed players to register for the competition, there would have been little or no controversy. The real pioneer in providing this kind of service was Blizzard with Battle.Net10, its multi-player gaming and matchmaking service that launched in 1997. Although Blizzard’s games—the Diablo, Warcraft, and Starcraft franchises—are great and likely would have been quite successful anyway, Battle.Net probably turned them into worldwide phenomena and contributed to their amazingly long shelf life. It is unclear whether Battle.Net was designed as an anti-piracy tool, and there seem to be some security weaknesses in its implementation that indicate that it was designed primarily as an early social network, but Battle.Net certainly has turned into a way for Blizzard to manage millions of players and licenses. Surprisingly, very few game publishers or developers have followed suit and launched similar online services. The notable exceptions are Valve Software’s Steam, Stardock’s Impulse, and, for consoles, Microsoft’s Xbox Live, Sony’s and Nintendo’s online services are not nearly as tightly integrated. The larger the service and the more extensive the stable of games and features, the more effective the system works against piracy. In addition, the larger the service is, the more favorable the economies of scale and reduced cost for a common infrastructure for digital distribution and other online services. A RIS would give a substantial advantage to any large game publisher.

82

Protecting Games: A Security Handbook for Game Developers and Publishers

There are many ways to create a RIS. A RIS does not need to depend on a single service: Game Commerce and Downloadable Content (DLC)—Selling virtual items does not need to be limited to MMOs. Although Bethesda Softworks was criticized for charging $2.50 for horse armor in Elder Scrolls IV: Oblivion, the basic principle of selling items and maps is effective. The two most successful examples are probably Guitar Hero III and Rock Band’s regular additions of new musical tracks to these very popular games. Inter-Player Commerce/Real Money Transactions—MMOs know that players love to trade items. By creating scarcity, players have a reason to interact. Even the humble Nintendo DS allows Pokémon players to trade virtual items. Ironically, although MMOs condemn real money transactions (RMT) for disrupting game play, the RMT economic system creates an additional barrier for potential pirates. High Score and Badge Systems—Players have loved the ego boost of a high score, as well as other rewards and achievements, since the days of arcades. Microsoft has done a lot to revive this with its Achievements system on Xbox Live and pretty much every publisher and online service has followed suit. Tournaments and Ladders—Competition takes the basic pleasure of a high score and raises the stakes. Tournaments and ranking ladders create powerful incentives for players to participate in the official game service. ArenaNet has been running Guild Wars tournaments worldwide with substantial prizes and ongoing publicity for the game. Rewards, Bonuses, and Incentive Programs—Frequent flier programs have been a powerful loyalty tool and incentive to spend more money for fairly modest rewards since American Airlines launched AAdvantage in 1981. Some MMOs have given rewards to long-term players. Contests, Sweepstakes, and Promotions—Contests are a classic marketing tool and they can be effective in binding players to an online service. Operators just need to be careful to ensure that they do not violate the law (see Chapter 31). Game Updates—Regular updates to a game engine to fix bugs or, better yet, improve the game play experience, can also be an effective way to tie players to an online service. Game Asset Updates—Game assets are generally easy to update and compact to distribute. They can also give an expanded game play experience and revive interest in a maturing game system. Asian MMOs have been particularly aggressive in providing certain assets that are available to active players only during certain holidays, such as Halloween or Valentine’s Day.

Chapter 9 Other Strategies, Tactics, and Thoughts

83

Mods—Although there is a lot of discussion about user-created content, it has not had too large an impact on many games. Sharing Spore creatures, as cited previously, is a relatively modest example. Some games have allowed players to create maps and units and even modify the game engine itself. Games like Bioware’s Neverwinter Nights allowed players to create dungeons and maps for the fantasy game and even sell them. Matchmaking and Multi-Player Gaming—The prototypical RIS is a multiplayer service. Games do not actually have to be run on the server. Players can simply use the central lobby service to connect with other players and store game results. An increasing number of Asian MMOs are actually run as peerto-peer games. This allows a more modest central server infrastructure while preserving many of the anti-piracy benefits of server-based gaming. Persistent Player Profiles—My military friends used to joke about some officers’ “I Love Me” walls—the collection of plaques and commendation letters that they had received over their career. We all love to show off a bit and persistent player profiles support this even for single-player games. Microsoft has struck gold with its combination of Gamertags and Achievements. I suspect some players wind up buying the Microsoft version of a console game just because of these features. Machinima—A recent innovation in 3D computer games is the in-game ability to replay, stage, and otherwise manipulate game activities. This has turned into an interesting side industry of its own where players use the game engine to create original movies. Community Systems—Although many games have online forums for the game community, in most cases, they are often web services outside of the game application. Instead, these services could be deeply integrated with the game application itself and integrate machinima, real game avatars, player profiles, and other value-added capabilities. Chat and Buddy Systems—In-game chat and buddy systems are often found as third party add-ons to games. Tying them to the game can support your RIS security objectives. One interesting example is Kongregate’s general integration of a chat feature into all of its games, even if the games are single-player only. Server-Based Gaming—This is the classic strategy of moving game play from the client to the server as seen in MUDs and most MMOs (and discussed previously in the Server Piracy section). If the game itself is on the server, many of the objectives of a RIS are already being met.

84

Protecting Games: A Security Handbook for Game Developers and Publishers

The range of potential services is limited only by the developer or publisher’s imagination. The key to their effectiveness as a security tool is how well and deeply they bind players into the legitimate, licensed game and publisher infrastructure.

D IGITAL A FFILIATE S YSTEM I have read with some interest the debate over digital rights management for the past several years and the technical shortcomings and customer dissatisfaction with the available approaches. The Digital Affiliate System (DAS) design addresses the goals of any digital media publishing business. See Figure 9.1. There has been no evidence that any of the standard DRM solutions, such as software wrappers, digital signatures, encryption, and even hardware security systems, have had anything but a modest impact on individual or organized piracy. Also, all of these solutions “fail deadly” (they don’t “fail safe”); once the security system has been defeated one time, piracy scales towards infinity because there is no way to recover from the security compromise.

FIGURE 9.1 Digital affiliate system (DAS) architecture

In addition, virtually every DRM solution is encumbered by numerous pieces of intellectual property (there are quite a number of DRM related patents and, it seems, more every day) that can make companies a target for litigation.

Chapter 9 Other Strategies, Tactics, and Thoughts

85

A digital affiliate system is not a rights-management solution; it is a revenuesharing system. The “key” to the digital affiliate system is that it is designed to encourage the use of legitimate and protected media assets, no matter their source. The typical DRM system treats the customer as the enemy. Tremendous effort is expended by the publisher and DRM system to prevent customers from using the media asset that they have purchased. DAS treats the customer as a partner and source of additional revenue. When customers get an unauthorized copy of a DAS protected media asset, they have a financial incentive to re-enter the legitimate DAS environment. DAS works by transforming digital media assets into “currency” that can be used for future transactions and have inherent value. Thus, the movie, song, game, or whatever is only part of the value of the DAS Media Asset (DMA). Setting the value of the DMA is the responsibility of the media asset owner; the media player and distribution system simply support the process. Media player creators and distribution services may profit from a portion of the transactions, although this process should probably be as open as possible. The objective of DAS is to create a standard, easy to use, open, affiliate system, not to replicate the proprietary solutions of the DRM. The power of this approach is that the digital media “currency” can be linked to an individual and protected in a database outside of any devices or players that store the DMA asset. Rewards, exchanges, sales, and promotions can thus be used to encourage participation in a legitimate DMA market rather than encouraging customers to defect and find media from the information black market. Once you recognize that it is impossible to actually protect “bits” against someone who has legitimate access to them, any security design becomes much simpler. Ordinary media asset file formats will be wrapped in a simple extended file format that includes copyright information, ownership information, and “where to buy” information. These files are read by a simple DMA player that handles the copyright information and passes the actual file to the appropriate media player application. The center of the DAS system is a DMA registry. The registry handles the association of DMA players with individual owners and the association of DMA assets with these owners. Finally, there can be a DMA market that supports the exchange and sale of DMA assets as well as offers promotions, contests, and other value-added features.

86

Protecting Games: A Security Handbook for Game Developers and Publishers

DAS MEDIA ASSET As noted, a DMA is simply a wrapped media file in any format. The DMA includes: Media Asset—The actual asset of interest to the users Media Asset ID—A unique identifier associated with the media asset Media Asset Type—A tag associated with the media asset to indicate which player or other application will be associated with the asset Copyright Information—The standard legal disclaimer associated with the media asset Owner Information—The registered owner of this copy of the media asset Registry Information—Location information associated with the DMA registry to support the user and media player association Market Information—Location information associated with the DMA market to support purchases, promotions, exchanges, and so on It should be noted that this system does not preclude additional security measures implemented by the copyright holder. Covert fingerprints or other antipiracy features can be embedded in the wrapped media file. DMA PLAYER The DMA player is not an elaborate security system; it simply wraps the media player. The DMA player also knows the owner or owners of the player and can thus determine the validity of the media player’s owner’s access to any DMA. The player can also access DMA registries and even different DMA marketplaces and other value-added services. When the owner of a media player wants to access a DMA, the DMA player simply checks the DMA and determines whether the DMA is licensed by that owner. If not, the DMA prompts the owner to get a license from the appropriate DMA registry. The DMA player does not attempt to prevent the owner from using any media. Also, for art, sound, or other reusable assets, when any of these assets are copied or clipped, they should retain the DMA wrapper information and pass it into the new asset. If the DMA player is not associated with an owner, every time that a user attempts to use the DMA player it will prompt the user to register with a DMA registry. By continually prompting owners to “do the right thing” and, if the appropriate incentives are in place, this simple player can be at least as effective as any of the existing DRM solutions available. Also, because there is no benefit for a user to strip off the DMA wrapper, the user may re-enter the legitimate system at any time.

Chapter 9 Other Strategies, Tactics, and Thoughts

87

DMA REGISTRY DMA assets and asset owners are registered at one or more registries. A registry can be operated by a telecommunications carrier, a digital distribution service, a DMA asset provider, or other third-party entities. These can easily be set up to preserve the privacy of customers, for those who want to preserve their anonymity. More importantly, the registries control the ownership and basic payments for licensing of DMA assets. DMA players can connect to the registries online or handle paper receipts, and other purchase processes can be used to link DMA assets with DMA players and asset owners. MAKING PIRATES

INTO

RESELLERS

The crux of what this Digital Affiliate System provides is not the technical mechanisms described here, but rather the business services that it enables. Because ownership of a DMA can be positively tracked and controlled by the asset creators, multiple strategies for revenue maximization and protection are available. DMA owners who recommend or distribute DMA assets to other users can earn bonuses and rewards. Contests and incentive programs (much like frequent flier programs) can be used to reward registered DMA asset owners. Frequent flier programs show the power of these types of incentives. Even very modest rewards can have a real impact on consumer behavior. All of these revenue streams can be tied to legitimate DMA purchases, making the use of the legitimate DMA system a boon, not a bane, for media users. Even major pirates can become positive parts of the media distribution system by rewarding them as resellers (with higher levels of compensation for large numbers of referrals). And, for those pirates who persist, the value of simply duplicating DMA-protected assets will go down, as many legitimate customers will prefer to participate in the legitimate “media commerce” system.

P LAYING

WITH

S ECURE D IGITAL D ISTRIBUTION

Many PC and even console publishers and developers argue that the game industry is moving towards digital distribution for games. The rapid growth in broadband networks and reduction in bandwidth costs make this a technically viable and sound business strategy. In addition, many see digital distribution as a solution to the challenge of used games and piracy.

88

Protecting Games: A Security Handbook for Game Developers and Publishers

Digital distribution is a particularly appealing anti-piracy strategy for consoles, because it can take advantage of the closed architecture of the console platform to substantially raise the barrier for potential pirates and, if implemented properly, make it quite difficult for them to scale their attacks effectively across multiple users. This section describes a highly simplified, conceptual architecture for a secure digital distribution system oriented towards consoles, although it could be used for PCs. I am going to ignore many details to focus on some key security themes. There are two main elements of this distribution system—the distribution process from the central server to the console and the method to secure local storage within the console. The main objective of the distribution system from the central server to the console is to operate quickly and efficiently, but somehow incorporate some form of uniqueness for each game shipped to each console. In this case, the important requirement for uniqueness is not in the encryption and distribution service, but to be able to determine where piracy may have occurred in an efficient manner. Also, this example is not really concerned about the manipulation of the game code or assets. See Figure 9.2.

FIGURE 9.2 Secure digital distribution system architecture

In order to isolate who may have compromised a game, this example uses steganography to embed a “covert fingerprint” or tattoo (CTAT) into each copy of the game (GAME). During preprocessing, it will determine where you can safely combine these bits with the actual game file to create a “tattooed game” (CTGAME) for each console i: CTGAME(i) = GAME xor CTAT(i);

Chapter 9 Other Strategies, Tactics, and Thoughts

89

You do need to encrypt the resultant file and, inn this case, it makes sense to use a cryptographic function that is error extending, such as a ciphertext autokey (CTAK) or cipherblock chaining (CBC) mode. // Note, both modes require an initial value IV = PT(0) that is passed in the clear or is somehow known to both parties CT(j) = E[PT(j-1)] xor PT(j); // CTAK encryption, where E is the encryption function PT(j) = E[PT(j-1)] xor CT(j); // CTAK decryption. An advantage of this mode is that there is no need for a decryption function. CT(j) = E[PT(j-1) xor PT(j)]; // CBC encryption PT(j) = D[CT(j)] xor PT(j-1); // CBC decryption, requires a decrypt function

CRYPTOGRAPHY: THE DEVIL IS IN THE DETAILS When I was working through this design, I almost made a big mistake. I wanted to use a simple key-additive system: CT =

KeyStream xor PT;

// where the keystream is generated by a cryptographic function

The advantage of this approach is that I could store the combination of the game and keystream: GenericProtectedGame = KeyStream xor Game;

And then I would have added in a tattoo stream at the last moment for each player: ProtectedGame(i)

= GenericProtectedGame xor CTAT(i);

This would have been very fast and efficient from a performance and storage point of view. Unfortunately, it would have allowed an adversary to combine two ProtectedGames together to isolate the tattoo, just as fingerprint systems were attacked (see the sidebar entitled “Attacking Fingerprints and Watermarks” in Chapter 6). Instead, I had to change to the CTAK or CBC cryptographic modes to avoid this problem.

90

Protecting Games: A Security Handbook for Game Developers and Publishers

The reason you want the system to extend errors is that you do not want a third party who looks at the cipher streams from different consoles to be able to start isolating the covert tattoo. In general, there is little benefit to using a different key when sending the data to each individual console. The cryptographic modes described here can allow unique identification, even if the key is common for all users. If possible, it would be more efficient if the assets that are tattooed are at the end of the game file. This would allow the encryption of the front part of the file to be computed once and stored for all users. Then, the only portions of the game file that would need to be computed uniquely for each console would be in the tattooed region. It probably would be wise to change the key associated with a game regularly, but the risk of disclosure is more likely at the server than on the console. Thus, for each console (i) and game (g), the package sent to the client would be: ProtectedGame(i) = E[GAME xor CTAT(i),gkey]; // where gkey is the current key associated with that game.

The console and server will create or exchange the game’s key (gkey) via some public key or private key management protocol. On the console side, once the game has been completely downloaded and decrypted, the gkey will be deleted. At this point, the tattooed game file will be available at the console. There is a huge business advantage for consoles to allow players to purchase their own standard, commodity hard drives. Console makers make more money with less risk by focusing on the media that they want to distribute rather than on selling hard drives. In order to safely use a standard drive, however, the console needs to encrypt all data that is stored on the disk. There is no need for any other console or even the central server to know what key the console is using. This is nice from a production, operations, and key management perspective. (Exercise: propose a sensible way to handle console hardware failures that do not require the redistribution of all of the previously sent games.) Because the data is stored locally and encrypted with a unique key, the tattooed game file will be less vulnerable to hackers. Fortunately, consoles, and even many PCs that have a Trusted Platform Module (TPM), do have some internal secure storage. The key that is used to encrypt all of the keys for the various games will be stored in the TPM or encrypted in a unique key that is stored in the TPM. By using this process, if a game is found to be compromised, the game publisher can look at the game’s tattoo and use the tattoo to determine which console was the source of the game. The console maker can then determine which other games that had been sent to the compromised console are at risk. This does not recover the previously lost games, but it can help reconstitute the system as a whole.

Chapter 9 Other Strategies, Tactics, and Thoughts

91

Also, the publisher can implement a recovery strategy for other games that were distributed to that same compromised console.

R EFERENCES 1. M. Martin (2006), “Cause Mayhem to Disrupt Illegal Downloads, Says Introversion,” http://www.gamesindustry.biz/articles/cause-mayhem-to-disrupt-illegal-downloads-says-introversion 2. Wikipedia (2008), “MediaDefender,” http://en.wikipedia.org/wiki/MediaDefender 3. soulxtc (2007), “Gotcha! New MPAA Site Tries to Trick Users into Illegally Downloading Movies,” http://www.zeropaid.com/news/8877/Gotcha!+New+MPAA+Site+Tries+to+Trick+Users+into+Illegally +Downloading+Movies 4. R. Paul (2008), “Revision3 CEO: Blackout Caused by MediaDefender Attack,” http://arstechnica.com/news.ars/post/20080529-revision3-ceo-blackout-caused-by-mediadefenderattack.html 5. E. Gibson (2006), “Exit Games CEO Harald Behnke: Interview,” http://www.gamesindustry.biz/articles/exit-games-ceo-harald-behnke 6. Valve Software (2008), “Business,” http://www.valvesoftware.com/business/ 7. Polybren (2008), “Mass Effect, Spore DRM Loosened,” http://www.gamespot.com/news/show_blog_entry.php?topic_id=26385172&part=rss&subj=6190791 8. R. Purchese (2008), “250,000 Spore Creatures Created in a Day,” http://www.eurogamer.net/article.php?article_id=155360 9. HP and EA (2008),” Electronic Arts and HP Organize Regional Spore Creature Creator Design Competition,” http://h50025.www5.hp.com/ENP5/Public/Content.aspx?contentID=25116&portalID=375&pageID=1 10. Wikipedia (2008), “Battle.Net,” http://en.wikipedia.org/wiki/Battle.net

10

Anti-Piracy Bill of Rights

t the end of the day, treating your customers like criminals is bad business. Although piracy is a problem that should be taken seriously, the primary goal of any game company and the industry is to maximize revenues, not punish pirates. The industry does not need to disclose the details of its anti-piracy strategy to anyone, including consumers, but it is important that game companies are clear as to what they are doing to a customer’s computer and their expectations from their customers.

A

The entertainment industry, in general, and the game industry in particular, have come under fire for some of their anti-piracy tactics. Sony BMG’s Rootkit, the Recording Industry Association of America’s (RIAA) aggressive lawsuits, and the Starforce DRM problem among others have left consumers with an active distrust of the industry that has further encouraged piracy. Many games have had public relations problems with anti-piracy, including Bioshock, Spore, and Mass Effect, all of which have run afoul of their own antipiracy systems. Although most consumers are generally sympathetic to the industry’s concern about piracy, some of the draconian measures that have been taken have alienated many players and created more sympathy for pirates than game creators. Some of these cases can bite back. A crusading politician, or friend of a politician, who has a bad experience with a game’s security system could easily put forward, and even pass, legislation that would be difficult for the industry. Think it can’t happen? Illinois recently passed a law that specifies the requirements to be able to cancel an online game subscription after an unhappy gamer whose father happened to be a local alderman complained to a friend in the state legislature1.

92

Chapter 10 Anti-Piracy Bill of Rights

93

Although it would be ideal for an organization such as the ESRB to add Fair Use designations to their current product-labeling program, the game press and online review sites could include Fair Use Principles in their review criteria and ratings. Hopefully, publishers and developers will consider these guidelines when selecting and implementing their anti-piracy strategies. What follows is a proposed set of basic principles and designators for managing Fair Use for games (and other applications).

B ASIC F AIR U SE P RINCIPLES Computers, cell phones, and other devices are the property of consumers. It is a privilege to be selected by a consumer to be installed on a platform. Conversely, consumers should value and respect the rights of the creators and it is reasonable for a creator to be compensated for his or her work as he or she chooses. Therefore: 1. Any application that is installed on a consumer’s computer should be able to be cleanly uninstalled if for any reason the consumer no longer wants it on a platform. This means that there should be no residual software, drivers, data, or other information remaining on the platform as a default. Any variations from this should be clearly specified and at the discretion of the consumer. 2. No application shall alter other applications, drivers, libraries, or data on a platform. “Upgrades” or changes to other applications, drivers, and libraries should be clearly and individually indicated and approved during the installation process. Upgrades shall not be for the purpose of adding security or other functionality beyond that intended by the developer of those applications and should not impair the operation of other programs or libraries that may use these shared resources. Essentially, the only case where an application should modify another provider’s application is when it acts as an alternative distribution channel for that provider’s application. 3. No application, driver, library, or data will be installed on an application without the consent of the consumer. A clear and complete manifest of the applications, files, libraries, drivers, and data shall be provided to the consumer with the application process. Also, if any shared registry data, configuration information, or other such changes are made, they shall also be clearly indicated in the installation manifest as well as a listing or copy of the previous state of these configuration files, data structures, and so on.

94

Protecting Games: A Security Handbook for Game Developers and Publishers

4. No applications, libraries, or drivers shall operate when the provided game or application is not running. The consumer is the individual who determines when, or if, the application operates. The expectation is that this will be a manual decision by the consumer, not operating as a continuous or background task, unless clearly and affirmatively agreed to by the consumer. Any tools to facilitate updates or other background features shall be available and used solely at the discretion of the consumer. The consumer shall have the clear ability to disable any continuously operating or background services or applications at any time. 5. If the license or DRM service shuts down, the provider will either disable the DRM solution, transition support of its existing customers to a third party, or provide a no-cost migration path to a new solution. This problem recently came to light with Yahoo!’s announced termination of its music service.

R EGISTRATION O PTIONS Registration is the process of validating an installation of an application on a specific platform, often prior to use. This may be done via a license key, payment process, provision of personal information, or other process. RR: Registration Required—The application will not work without initial reg-

istration. It is highly recommended that any application that requires initial registration support a multitude of registration options, including phone, email, web form, and fax, and not just direct Internet connection. (See the “Connection Options” section.) Rxx (D or T)—Registration required within xx days (D) or times (T) that the application is used. V: Registration Value—Registration is required to access value-added services.

The application is still a meaningful, complete application without registration, not a demonstration or otherwise crippled product. RO: Registration Optional—There is no required registration for the installa-

tion and operation of the application. This may also include the case where there is no registration process at all.

Chapter 10 Anti-Piracy Bill of Rights

95

I NSTALLATION O PTIONS Installation is the process of installing and configuring an application on a given platform. I1—The installation is for a single instantiation on a single platform. It is highly recommended that any application that operates in this mode have a way to reconstitute or move the installation to another platform. This configuration is expensive in terms of customer good will. A1—This installation allows a single active copy associated with a license. The

installation can be moved or reinstalled on another platform. As with I1, the developer or publisher should carefully consider the operational scenarios where users may have legitimate problems with their platform that may require a reinstallation or transfer without a prior clean uninstall process. Ix—The installation is for a total of x copies spread over one or more platforms,

but by a single licensee. Ax—The installation is for a total of x concurrent active copies associated with a single licensee. The licensee is responsible for the activities of all individuals who use the product or service provided. Thus, if a “ban” or other punitive action is taken, it will be against all of the copies associated with that license.

C ONNECTION O PTIONS CR: Connection Required—The application requires a live Internet or data connection to operate. This levies a strong availability and scalability requirement on the application provider. It also constrains users from many legitimate usage scenarios. Cx (D or T)—Connection is required within x days or sessions to maintain use of an application. CV: Connection Value—A connection is required for certain value-added features of the application. The application is still a meaningful, complete application without a live connection, not a demonstration or otherwise crippled product. CO: Connection Optional—There is no required connection for the installation and operation of the application. This may also include the case where there is no connection process at all.

96

Protecting Games: A Security Handbook for Game Developers and Publishers

I am not the only one concerned about this issue; see Talkjack3 for another DRM Bill of Rights via ByteShield 4 and Stardock’s Gamer’s Bill of Rights5.

R EFERENCES 1. M. Fahey (2008), “Illinois Law Spurred by Final Fantasy XI Cancellation Issues,” http://kotaku.com/5032004/illinois-law-spurred-by-final-fantasy-xi-cancellation-issues 2. D. Rothman (2008), “Why We Hate DRM: Yahoo Music Store to Shut Down and Shaft Customers Who Bought Legal Music,” http://www.teleread.org/blog/2008/07/25/why-we-hate-drm-yahoo-musicstore-to-shut-down-and-shaft-customers-who-bought-legal-music/ 3. Talkjack (2008), “Is DRM Killing PC Games? (Part 1),” http://talkjack.wordpress.com/2008/06/22/is-drm-killing-pc-games-part-1/ 4. ByteShield (2008), “Is Anti-Piracy/DRM the Cure or the Disease for PC Games?,” http://www.byteshield.net/byteshield_whitepaper_0005.pdf 5. Stardock (2008), “Stardock Announces The Gamer’s Bill of Rights,” http://www.stardock.com/about/newsitem.asp?id=1095

11

The Piracy Tipping Point

n the past several years, piracy has moved from a nagging nuisance to being perceived as a real threat to the entertainment industries. The power of the music, film, and game publishers has been based on their control of distribution, marketing, and funding for new creative works. The Internet has radically reduced the costs for distributing and marketing entertainment. It is now possible for independent entertainment creators to compete with global corporations. Even more threatening, piracy no longer requires expending any real capital. Piracy no longer requires organized gangs who need factories and tools. Individuals can engage in piracy for their personal benefit. The extreme view, taken by the RIAA and some members of the film and game industries, is to target individual consumer “pirates” as if they were major criminals1. In the US, the entertainment industry’s lobbying efforts appear to have succeeded in pushing the government to take a lead role in both civil and criminal prosecutions of copyright theft cases2. Although this may succeed in the short term, it is too easy for pirates to move beyond the reach of prosecutors3.

I

D ETERMINING

THE

G OAL

OF

A NTI -P IRACY P OLICIES

The real question that entertainment companies need to answer is whether they are seeking to maximize revenues and profits or seeking to stop copyright theft. The two questions lead to quite different strategies. Is it really possible to stop copyright theft? The honest answer has to be no. No Digital Rights Management scheme or Trusted Platform Module or any other wonderful widget is going to “solve” copyright theft 4. Anyone who tells you different is simply trying to sell you a product. (Simple question: Will any anti-piracy vendor guarantee its product against failure?) At the end of the day, do you want to be a policeman or a businessman?

97

98

Protecting Games: A Security Handbook for Game Developers and Publishers

The real power of large entertainment publishers comes from their portfolio of products and tie-ins to each product. Instead of worrying about fighting pirates on a product-by-product basis, large companies can enmesh customers in an “entertainment ecosystem.” This is not a new idea. Disney pioneered licensing its characters for everything from lunch boxes to wristwatches and bed sheets5. The same Internet that makes it almost trivial to pirate media also makes it much easier to link products and services together. Whether it is something as simple as a loyalty card or as elaborate as an online community, there are many, many “carrots” that can be used to draw customers into the legitimate, paying entertainment ecosystem compared to the DRM and TPM “sticks.” They may still require security technologies, but the goal is to transform the hard problem of stopping copyright theft into the easier mission to verify and service legitimate customers. The game industry has recently and loudly joined the music and movie industries in the fight against piracy. Yet, of all of the major entertainment categories, the game industry is probably the best positioned to finesse the piracy problem. The early battles with piracy in Asia have resulted in the move to online subscription, and now free-to-play gaming. Although these solutions are far from perfect, they make piracy manageable. They raise the barrier to entry for meaningful abuse, provide continual incentives to participate in the legitimate game system, and make it much easier to take action against a much smaller pool of pirates… if anything, the music and movie industry should learn from the game industry, not the other way around. As a business, entertainment is amazing because it scales so well. A threeminute song or a game can entertain millions and millions of people. iTunes has shown that 99 cents is a great price for a song. The games Rock Band and Guitar Hero are showing that you can take this same song, wrap it into a game for modest cost, and sell the song again… and with substantially reduced concerns about piracy6. Reducing barriers to entry is key. iTunes made digital music good (enough), cheap (enough), and easy (enough). Game developers and publishers need to make similar assessments. If charging $50 creates a barrier to entry, perhaps changing the price or the way games are built to be able to charge $20 is necessary. Games are still substantially less expensive to create than movies, yet they cost several times as much to buy. Developers may want to consider episodic gaming as a way to reduce the in-store cost of a title. Rather than sell the whole game for $50 in a store, simply distribute the first $10 or $20 physically and sell the rest online to already hooked customers. This could battle the appeal of used games, the poor margins in retail, and the challenges of piracy all at once.

Chapter 11 The Piracy Tipping Point

99

Games are released at very different prices at very different times around the world because of the costs of localization and other issues. Ubisoft recently made a move to add subtitles to all of its internally developed games to make its titles more accessible to deaf players7. Simple subtitles, combined with digital distribution, could make it easier and quicker to release games globally simultaneously, just as movies do, to reduce the value of piracy for customers in many countries 8. “Piracy” is a trap. It reduces a whole range of problems, challenges, and issues into a single word. It invites one to believe that there is a simple solution. As you unpeel piracy into its components, you’ll find a number of problems and a range of solutions. Some may require you to change the way you do business, some have technical fixes, and some problems are simply hard. Albert Einstein stated9 that the definition of insanity was “doing the same thing over and over again and expecting different results.” By that standard, we should reconsider the industry’s approach to the piracy problem and do something different.

R EFERENCES 1. C. Dring (2008), “Law Firms Declare War on Pirates,” http://www.mcvuk.com/news/31730/Law-firms-declare-war-on-pirates 2. A. Broache (2008), “House OKs Copyright Czar, New Piracy Penalties,” http://news.cnet.com/8301-10784_3-9939265-7.html 3. C. Doctorow (2007), “Trade Court Allows Antigua to Violate U.S. Copyright,” http://www.boingboing.net/2007/12/22/trade-court-allows-a.html 4. M. Androvich (2008), “Encryption Chip Will End Piracy, Open Markets, Says Bushnell,” http://www.gamesindustry.biz/articles/encryption-chip-will-end-piracy-open-markets-says-bushnell 5. E. Epstein (2005), The Big Picture: The New Logic of Money and Power in Hollywood, Random House, ISBN 0-8129-7382-8 6. T. Johnson (2008), “Ripping on Metallica: Death Magnetic and Guitar Hero III,” http://www.nationalledger.com/artman/publish/article_272622686.shtml 7. J. Snow (2008), “Ubisoft Adds Subtitles to All Future Games,” http://blog.wired.com/games/2008/09/ubisoft-will-in.html 8. X. Jardin (2005), “Thinking Outside the Box Office,” http://www.wired.com/wired/archive/13.12/soderbergh.html 9. A. Einstein (attributed), “Albert Einstein Quotes,” http://www.brainyquote.com/quotes/quotes/a/alberteins133991.html

This page intentionally left blank

Part

III

Cheating

In this part, you’ll find the following topics: Chapter 12, “Overview of Cheating” Chapter 13, “Cheating 101” Chapter 14, “App Attacks: State, Data, Asset, and Code Vulnerabilities and Countermeasures” Chapter 15, “Bots and Player Aids” Chapter 16, “Network Attacks: Timing Attacks, Standbying, Bridging, and Race Conditions” Chapter 17, “Game Design and Security” Chapter 18, “Case Study: High-Score Security”

101

12

Overview of Cheating

heating and games go hand-in-hand. It seems every game has its cheaters. This discussion of cheating mainly focuses on cheating in multi-player games. In traditional card and board games, the game’s mechanics and game play systems are clearly visible. This makes it easy for cheaters to see how to attack the games and forces game designers to consider cheating as the game is built. Computer games, on the other hand, have mechanics that are concealed by their elaborate graphics and high-speed play. They also have a strong, single-player legacy (often from standalone PC and console games) where cheating was hardly considered; cheating was a private affair between the player and herself. There are also cases where people trade on the seduction of “cheating” as a marketing tactic such as with cheat codes and Diablo 2’s Cheaters’ Tournament where players all play with maximized statistics. This is not really cheating; it is just an alternate set of rules of play. This part will explore a wide range of categories of cheats for computer games and discuss potential countermeasures.

C

Cheating is the next big frontier for computer game security. Multi-player and social games blend business, marketing, and anti-piracy strategies for many game companies. Multi-player, online, and social game services reduce distribution costs, ideally by bypassing retail, but certainly through sale of downloadable content and virtual items. The rich interaction system (RIS) strategy (see Chapter 9) is a powerful anti-piracy strategy because it ties players to the game publisher’s online service. Cheating problems undermine the very same business and security benefits that these strategies provide. Gaming services, such as MMOs and portals, need to acquire and retain players and keep their operational costs down—all of which are adversely affected by cheating. Finally, there is substantial growth in “for money” games. The success of promotional games, tournaments, and contests, and, of course, skill games and gambling games, is intimately tied to their control of cheating. Even the humble single-player game, after a high score system is added, counts on controlling cheating to achieve its social gaming success. Who wants to play when you know the high scores are rigged?

102

13

Cheating 101

heating is as old as gaming. When we shuffle and cut a deck of cards or use a dice cup, we are continuing the age-old battle against cheaters. Although the primary security concern of computer game companies is piracy, the number one concern for players is cheating. No matter what motivates a player to play a game, cheaters damage the game experience for everyone. The oldest commercial game companies, the casinos, recognize this and structure everything in their operation to instill confidence in their customers that there is no cheating.

C

C HEATING

AND THE

G AME I NDUSTRY

For a long time, the computer game industry has consciously traded on the seduction of cheating by incorporating “cheat codes” into their games. They sell “strategy guides” that give their users what some consider an unfair advantage in the games by disclosing details and tactics that a player would have great difficulty discovering through ordinary game play. They even have gone so far as to sell cheats to players1. There are several ways to interpret these cheats: Cynical attempts to cash in on player laziness Methods to make up for poor game design Bugs in game implementation Because these were single-player games, there were no consequences for the industry. This has, to some extent, created a “cheating culture” where players think cheating is okay.

103

104

Protecting Games: A Security Handbook for Game Developers and Publishers

However, as games turn into services and multi-player and online games become the dominant business model, the cheating culture remains. The problem is that no one wants to play a game where they perceive that they are at an unfair disadvantage. See Figure 13.1. When I first started talking about game security, I heard story after story about how players would work hard to cheat at any game with no real reward. They will cheat at anything from a simple Flash game on a website to earn a high score to hack a first person shooter to gain invulnerability. Do a Google search for “cheat” and you’ll get almost 80 million results (by comparison, “Angelina Jolie” returned a mere 35 million results). And at the top of those results are cheats for computer games. Search on “cheat code” and you’ll find 3.5 million results. Again, the top results are all for computer games. Cheating in games is a topic of compelling interest for many game players; everyone wants an advantage. If you create a good game that has value, someone else will try to squeeze it… Hacking we’ve found is like a drug. It’s addictive for the player, and they have a difficult time enjoying the game without the hack tools... A lot of players are turned off by it. [Hackers] turn away new and existing users, increase account theft rate, shorten life span of a user, create [an] abusive community [environment,] and discourage purchasing. [Hacking is] an epidemic we’d been ignoring in Korea. We realized it’s not just a US thing, and we developed detection tools and did mass bans…we moved the critical values to server side and implemented third party solutions. —Min Kim, Director of Game Operations at Nexon America on Cheating2

FIGURE 13.1 Why cheating matters

Chapter 13 Cheating 101

105

Cheating is costly. Players leave a game when they feel cheated. Players call customer service when they believe that they are cheated—whether they are actually cheated or not. Cheating players are often punished by being banned, but this deprives the game operator of further revenue from that individual. Lost players, banned cheaters, and increased customer support all cost a game operator money. Even worse, cheating is a problem whether it is real or just player perception. If players think that they are being cheated, they may quit even if there is no actual cheating. The same powerful network effects that bring players together for multi-player games, MMOs, and virtual worlds can rapidly turn from rapid growth to stagnation and even collapse if players feel that they are being cheated. Anything that even slightly reduces the likelihood a player will join a social network or reduces the duration that they stay can have large consequences. Exponential growth is very sensitive to small changes in its inputs. The key to success for social and multiplayer games is the perception of trust for all players and credible deterrence for potential cheaters. Often executives and thought-leaders in the computer game industry talk about becoming “like the movie industry.” In some sense, the computer game industry is becoming much more like its closer (and much larger) cousin, the gambling industry. The movie industry sells tickets and DVD products; the casino industry sells an ongoing entertainment service. This is where the game industry really seems to be moving. As this migration continues, the game publishers and developers will change their focus from battling piracy to fighting cheating.

F AIR P LAY Once we start talking about cheating, we need to ask—what is a “fair” game. First, there is the question: Is the game itself “fair”? A game is fair if it has an agreed-upon set of rules known by all of its participants and an expectation that those rules can be reasonably enforced. By this standard, casino games, even if they are biased towards the casino, are fair. The rules are known. Conversely, an MMO may not be “fair” if it is ripe for abuse: The often-cited example of real-money transactions (RMT) is not in and of itself unfair. RMT, or any other aspect of game play, become unfair only if it is not an explicit part of the game or a part of the culture of the game that is shared by all players. Collusion in poker is unfair only because it is not part of the game’s culture. One could easily imagine an alternate version of poker where players set up partnerships and agree to share winnings. The card game bridge works this way.

106

Protecting Games: A Security Handbook for Game Developers and Publishers

Second, what is “fair play”? Fair play includes the game’s rules, the game’s environment (the way it is being operated), and the game’s culture. It is certainly plausible to have a computer game that explicitly supports a “hacker culture,” where programming hacks and mods, aimbots, and wallhacks (and maybe even hack countermeasures) are all part of the game. Responsibility for fairness rests with everyone—the game designer, its operator and implementer, and its players. Game designers should consider cheating and other threats to the game in its basic design. Game operators and implementers need to protect the game play environment and ensure that the specific service they are offering cannot be abused. Players, too, have a responsibility to the other players to stay within the construct of the game, even if its implementation is flawed or the rules are incomplete. In a board game, a player has a copy of the rules. The lack of clear, written rules for many computer games makes cheating easier: You’re not “cheating,” you’re exploiting the code. A successful game will cultivate an environment of mutual trust and obligation to play together fairly. Perhaps the saddest legacy of single-player computer games is that lazy programming and poor game design have made cheating acceptable or even admirable. Even worse, players now expect to find “cheat codes,” and game companies and magazines profit from the sale of these codes and guides. Is it bad game design that makes it necessary to purchase a $25 strategy guide in addition to a $50 game, or just greed? What is clear is that now that multi-player and massively multi-player games are emergent, the sudden objections by the game industry to cheating sometimes seem a bit disingenuous.

C HEAT C ODES Cheat codes seem to be an accident of history. Testing software requires exercising all of its features and failure paths. For a game, this means spending a huge amount of time testing the application, and it is terribly inconvenient to have to start over the game from the beginning or require your testers to all be expert players for them to be able to do their jobs. The rather simple solution is to allow the game to be changed so that even a minimally competent game player can thoroughly test the application. Cheat codes were simply efficient triggers to access these test modes. Cheat codes can give invulnerability, infinite ammunition or lives, allow players to fly and jump around the game—whatever it takes for testing.

Chapter 13 Cheating 101

107

Most of the time, test code is removed from a game or application prior to its release. Security is one reason, but some of these test codes can also undermine the proper operation of the application. Unfortunately, this didn’t happen with some early games. Players discovered these “cheat codes” and became fascinated with finding them. Players would sometimes even pay for these codes, and cheat codes have become part of the marketing machinery of the computer game industry. Cheat codes are a currency used by public relations and marketing to reward magazines, reviewers, and websites, as the codes can bring in more traffic, advertising, and revenue for the publications. There are two real problems with cheat codes. The first is a missed business opportunity. These codes are rarely fully integrated into the game’s design and interface. In some sense, the cheat codes provide a wide range alternate modes of game play that should be easily accessible to all players. These alternate modes should include all of the features that you would expect from a game mode: an infinite life mode should have a separate high score, rewards, and other incentive systems distinct from playing without that feature. Game designers can tap these alternative game play options to efficiently expand the game experience for a wider range of players. I, for one, rarely buy first person shooters (FPS) because my “twitch” skills are pretty pathetic. If FPS games included well thought-out game modes that were more accommodating of slow folk like me, they might make some additional sales. The more dangerous problem with these cheat codes is that in many cases the game itself really doesn’t know that a cheat code is active. For single-player games, this is not really a problem. In fact, from a strict software testing perspective, it is better that the game doesn’t “know” that it is running in a cheat mode. For a multiplayer game, however, this situation leads to trouble. Players have been able to use some of these single-player cheat codes in multi-player environments in a way that

HARDWARE HACKS: R4 AND GAMESHARK From their early days, some cheaters have targeted game hardware—the console itself or its various inputs and storage interfaces. These hardware hacks can modify game save files and, in some cases, allow active modification of a game while it is running. The R4 product that targets Nintendo’s DS handheld and, to some extent, Mad Katz’s GameShark both subvert the console’s external storage systems. Some of these tools can even bypass the entire console operating system and give the hacker total control over the behavior of the platform. This can be done to give players an advantage in the game or as a method to pirate games. These devices have mainly had an impact on single-player games. However, they could cause real trouble as console multi-player gaming grows.

108

Protecting Games: A Security Handbook for Game Developers and Publishers

is not detectable by the other players. These kinds of careless cheat code implementations can allow a player to play a multi-player game at a huge advantage and ruin the game for the other players. Sloppy labeling of cheat code modes and poor management of state information in multi-player environments aggravates these problems. In an ideal world, the entire language and use of cheat codes would be abandoned. All of these additional game play modes would become part of the game play experience and listed on the back of a game’s box, just like other features. Only real cheaters would look for “cheat codes”… except they wouldn’t be able find them. Is it too much to ask those clever folks in marketing to find some other way to grab the interest of players, magazines, and websites besides advocating “cheating”?

EXPLOITS There is some confusion about the definitions of cheating, hacking, and exploits. In some sense, I am not really interested in clarifying the issue. For purposes of this book, cheating is an attack on a game application. I don’t care if it is based on some tool-aided assault or a quirk in the interface or game engine or some combination thereof. My categories have been based on how game developers and publishers typically perceive problems and their countermeasures. It is worth highlighting exploits, however. Exploits are flaws in the game as implemented that give a player an advantage. For example, the set of fantasy pub games for Fable 2 have a race condition flaw (a situation where the player can induce an inconsistency in the game’s behavior) that gives them a huge advantage. The Fable 2 pub games are a set of casino-style games where players can bet and win or lose chips. In one game, a player can “change her bet” from 60 gold to 600 gold (and win as if she bet 600 gold), but only be penalized for losing as if she bet 60 gold 3. There are innumerable variations on this problem. Basically, the game programmer and game designer are not implementing the same game design or the game programmer has not been sufficiently careful in controlling changes to the game’s behavior. All games have some sort of state (the current status, location, and other information about players, assets, time, and so on) and rules (the way that players can alter the game’s state and when they can take these actions). Race conditions are actions that alter the game’s state in a way that should not be allowed under the rules. One way the Fable 2 problem could occur is that there are two different systems: a player account system and a game system. The player’s account is checked when the initial bet is made and this is sent to the game and debited from the player account. But subsequent changes to the bet are not checked against the player account; they are only changed in the game itself. Then, if the player wins, the game sends the gold back to the player account.

Chapter 13 Cheating 101

109

Race conditions are associated with most “dupe” exploits (where players abuse the inventory system or other game mechanics to duplicate items). A sample “dupe” exploit could work as follows: 1. Player 1 drops an item out of her inventory and it is added to the local game environment. 2. Player 1 abandons the game before her inventory is updated. 3. Player 2 picks up an item from the local game environment and it is added to her inventory. The item has now been duplicated. The “dupe” attack works because the three data stores do not properly synchronize with each other. The key is that games are essentially transactional systems and need to be built as such. A proper transactional system would not allow the player to drop the item without updating the inventory: Either the item would be dropped and the inventory updated or nothing would happen at all. These problems can be even worse in online games when developers choose not to use standard databases or do not understand proper data transactions or are just not careful. Another major exploit area occurs when game developers use graphics engines to enforce game play. Graphics engines are optimized to smoothly render graphics and animation. Smooth playback is the most important requirement for most graphics engines, not careful enforcement of physics features such as collision detection or pathfinding. This can create a number of problems: Many games use the graphics engine’s model of the game environment to determine legal moves, visibility, and position. Exploits take advantage of conflicts between a game’s need for accuracy and a graphics engine’s goal of smooth rendering. Exploits can even exist in paper-and-pencil games. I used to play the super hero role-playing game Champions in high school. I was one of several people who found an exploit in the game’s mechanics that allowed me to deliver 20 times the damage of other players. Exploits are the responsibility of the game developers. They really aren’t “cheats,” because they do not require any modification of the game’s software or data nor can they be effectively addressed by anti-cheat tools. Basically, they require corrections to the game’s design and implementation. Clear documentation of general game rules and procedures should help reduce exploits and make them obvious flaws when they occur. The Age of Conan had an exploit that allowed customers playing the Demonologist class to advance extraordinarily quickly through the game4. For online games, detailed logging can be critical in locating exploits by tracking their consequences. Also, given the scope of the games, it is probably good to reward players who find exploits—after all, they are paying you for the privilege of testing your software. (Note: When a player reports an exploit, it is probably also worth reviewing their game play logs to see if they had some fun taking advantage of the exploit for a while.)

110

Protecting Games: A Security Handbook for Game Developers and Publishers

T HE CARRDS R EFERENCE M ODEL In order to continue this discussion about cheating, it is important to have a framework for talking about how games are built. CARRDS is a conceptual framework for talking about games and game security, and is illustrated in Figure 13.2. The advantage of the CARRDS framework is that it allows you to focus on the common elements of computer games that can affect security. Control—The keyboard, mouse, joystick, controller, Nintendo Wiimote, voice, biofeedback, or whatever raw means a player uses to interact with a game. Action—The normalized control that the game rules understand activities such as go left, fire, strafe, jump, turn right 30 degrees, fly NNW 1 hundred meters, and so on. Rules—The actual rules of the game. Random—Random events sit in the nebulous intersection of actions (players rolling dice to determine their move choices), rules (determining the result of an attack), and state (a player’s cards). Random events raise some interesting problems in a networked environment, as there are real questions as to how to provide fair random online. Display—The presentation provided to a player of the game’s state. (Note: There can certainly be multiple views of the game’s state.) State—The current state of the game, or, in a multi-player game, the partial state known to a single player.

FIGURE 13.2 CARRDS game architecture

Chapter 13 Cheating 101

111

T HE R EMOTE D ATA P ROBLEM In 2000, Matt Pritchard published one of the first significant papers on multi-player game security. In it, he set the basic categories of attacks—data and network—and began the discussion about one of game security’s most trying problems—trusted clients5. The “Trusted Client Problem” is seen in many games to this day. The Trusted Client Problem was targeted at client-server games and can be generalized and restated as “The Remote Data Problem,” as follows: Games tend to trust the state or information provided by other players. This approach seems works fine, most of the time, and is very easy to implement by using data synchronization techniques. Data synchronization is very good at handling cases where the players’ games’ states become slightly inconsistent. Unfortunately, the system falls apart when one of the players is cheating. Because the remote data is trusted, the peer player or game server tends to blindly accept information that is manipulated on the cheating player’s platform or on the network connection. If cheaters can force others to accept whatever data they want, they can change the game however they want—anything from giving themselves more ammunition and health, to changing their location, or entirely altering the game environment. It is also worth noting that in a number of game environments, there is a concern with cheating by the server. Gambling games and contests are obvious examples where players don’t trust the game server. Simple multi-player games that use player-run servers, like many first person shooters (FPS) and even MMOs, can have situations where players are suspicious of the server operator. The FPS Battlefield 2 ended ranked games on third-party servers because of this problem 6— a costly decision, as its publisher, EA, had to operate all of its ranked servers itself. STATE-BASED NETWORKING The simplest way to implement a networked game is to use a distributed state (or object) application that synchronizes the game state, as illustrated in Figure 13.3. This is very tempting. It is easy, fast, and the developer doesn’t have to think about the multi-player design. Essentially, the multi-player game is implemented as a series of parallel single-player games and the distributed state tool “smoothes out” the differences between each player’s version of the game.

112

Protecting Games: A Security Handbook for Game Developers and Publishers

FIGURE 13.3 State-based networking

There are several basic synchronization models that can be used by a distributed state system. At a minimum, players exchange state information (Sx), but they may also exchange time information (Tx): Newest Wins—In this synchronization scheme, the players exchange both state and time information. The one individual that has the latest timestamp determines which state is authoritative. For any of these systems, there is an interesting challenge associated with synchronizing time, particularly when faced with lag over a wide area network. Somehow, all of the participants have to start at the same time. Time itself can be spoofed by malicious players who alter their own local time to be much later than that of the other players, distorting the results of any application that uses this synchronization model by always forcing the other players to use the cheater’s state and time information. if (Ti > Tr) then (Si = Si, Ti = Ti); // for the case where the internal player (i) has // a newer timestamp than the remote player (r), the // internal player state and time is used. else if (Ti
Chapter 13 Cheating 101

113

// for the case where the internal players (i) has // an older timestamp than the remote player (r), the // remote player’s state and time is used. // there is an interesting question as to what to do if // the timestamps are identical. It is likely that many // developers would stick with local state, although there // is a reasonable argument that if the states are different // and the timestamps the same, there is a problem.

Average—The players average both the time and state information that they receive from each other. There are various weighting schemes that can be used to bias data based on how recent the information is both according to its timestamp and the actual, local time. It is quite possible for a cheater to abuse these systems by providing data that is far outside the ordinary behavior of a legitimate player (altering state information to be very different will cause its value to dominate the information from the other players—that is, if the cheater is only supposed to have 100 hit points, setting her own hit points to 100,000 will result in an average of (100,000+100)/2, or 50,050 hit points. Ti = AVERAGE{Tx}; // where {Tx} is the time for each player Si = AVERAGE{Sx}; // where {Sx} is the state for each player

Vote—Players use a voting scheme to determine the local time and state. These systems can also use a weighting scheme. One of the security measures used with these types of systems is to throw out outlying results (if there are multiple players). Collusion can be a problem for both vote-based and averaging systems. An important consideration for voting systems is that there is reasonably good time synchronization between the players. In order to have workable votes, all players need to participate with a vote for a given game “tick.” Ti = VOTE{Tx}; // where {Tx} is the time for each player Si = VOTE(Sx); // where {Sx} is the state for each player

Internal Authoritative—In this type of scheme, players “trust” themselves more than other players for data about themselves. The different portions of the game state are updated based upon what the data is and who is doing the updating. “Neutral” state and time data (information not associated with a specific player) is updated using an averaging or voting scheme:

114

Protecting Games: A Security Handbook for Game Developers and Publishers

// In general, a player’s game state is the state of // the player’s own information, such as her own status, // (internalPS) and the other players view of their own status. GameState(playerx) = {externalPS1, externalPS2, …,internalPSx, …,externalPSn); // the game state for each player x uses the state // information from each other player for that player’s // state and her own data for herself. // for example Game(player1) = (internalPS1, externalPS2); // Player 1’s view of the game state with player 2 // providing the state updates for player 2 and player 1 // providing the updates for player 1. Game(player2) = (externalPS1,internalPS2); // Player 2’s view of the game state.

External Authoritative—One of the ways to address cheating is to trust “the other guy.” In this model, the player trusts herself for data on everyone but herself. If there are more than two players, the player’s internal state and time is based on an average or voting scheme of the external players: // In general, a player’s game state is the state of the // other players’ view of their information (externalPS). GameState(playerx) = {internalPS1,internalPS2, …,externalPSx, …,internalPSn); // the game state for each player x uses the state information from the // external players for her state and uses her view for their state. // for example Game(player1) = (externalPS1,internalPS2); // Player 1’s view of the game state with player 2 providing the // state updates for player 1 and player 1 providing the updates for // player 2. Game(player2) = (internalPS1, externalPS2); // Player 2’s view of the game state.

Chapter 13 Cheating 101

115

All real-time network game schemes share one challenge: handling the synchronization between the game’s actual local state and its displayed state. This is a concern when games are played over a network because the network lag can introduce discrepancies in time in addition to any differences in time because of clock differences in each player’s game platform. In general, developers have two competing goals: a smooth presentation and an accurate reflection of the actual game state. The danger of erring too far on the side of smoothness is that important, current state information that could affect game play is not available to the player’s display. Also, player control inputs may not accurately reflect the game actions that they intended because the display state that they see and are reacting to is not the actual, local game state. Another common challenge for networking systems is how to handle scenarios where one player gets out of synchronization with the other players. It is very common to defer to the out-of-synch user to keep the displayed game smooth for that player. This choice leads to many of the more obvious attacks against multi-player games. In these “standbying” and “bridging” attacks, players intentionally break their connection to push the system from its regular operation into its “synch recovery” mode. These attacks are very simple to implement by simply installing a switch that physically disconnects the game computer or console from the network.

HIDDEN STATE AND PARTIAL INFORMATION Many games have asymmetric information: There is state information that is known to some, but not all, players. Players have partial information about the global game state. The most familiar example is card games. Players are dealt cards face down that are not known to the other players. A well-formed game has the characteristic that when a player sees an action from another player, this player can determine if the action is consistent with the game’s rules and its current state, even if she cannot determine exactly that that the action is legal. Once again with card games, when a player privately passes a card to another player, the receiving player can validate that cards that were passed are not cards that the receiving player knows could not come from that source, even if she cannot validate that the sending player legally had those cards. Hidden information can be verified only after the game is over (or when the hidden information no longer has an impact on the game—such as when all players are dealt a new hand in cards). Although real-time verification of fair play is ideal, because games include partial information, retrospective verification is sometimes the only option available.

116

Protecting Games: A Security Handbook for Game Developers and Publishers

In general, the problem with state-based networking is that: Games are distributed transaction systems, not distributed state systems. The rules are the key. As you can see from Figure 13.3, if a game uses statebased synchronization, cheating is very easy because the game’s multi-player system exists independently of and underneath the game rules. The incoming state from a remote player is implicitly trusted by the very nature of the communication system: The game’s rules are not part of the state synchronization process. Even if the communication path itself is encrypted, a malicious player can use a tool like Cheat Engine to manipulate her local game state and trust in the distributed state system to push the corrupted data to the other players, and it is even easier if she can get to the cleartext messages. In general, it is better to disrupt the game experience for the out-of-synch user and defer to the server or majority of users. In games where synchronization is critical, the game should roll back to the last shared “good state.” As we go down this rabbit hole, we do realize that a malicious player could attempt to attack the “last good state” system; therefore this also needs to be designed to be secure. In order to protect against attacks on the “last good state,” the players should immediately confirm that they’ve received a version of the game’s state with the other players as they move forward so that everyone knows the current “last good state” before one of them can exploit this. One of the protocols, Strobe, from our anti-cheating software, SecurePlay, is actually designed to provide a secure synchronization process for peer-to-peer or less trusted client-server systems: It delivers a “secure tick” to stop several attacks on time in games. CLIENT/AUTHORITATIVE SERVER NETWORKING The other standard approach to multi-player gaming is to implement a clientserver design with the server being trusted by all of the players, as illustrated in Figure 13.4. Trusting the server is secure—at least as long as you and your players both trust the server (see the section, “Security, Trust, and Server Architectures,” later in this chapter, for further discussion of trust and server architectures). Control or actions are sent to a central server for processing. The server then returns state updates to the client. The archetype of this approach is a MUD where players enter raw telnet text and send it to the server which in turn returns new state information. It is technically possible to implement a multi-player game solely via exchange of control information. The main limitation of this approach is that there are often substantial differences between computers in their raw control data (for example, encoding of characters, line termination, resolution and mapping of mouse position information,

Chapter 13 Cheating 101

117

FIGURE 13.4 Client with authoritative server networking

and so on). Also, different game players may want to use different types of control input devices (mice, keyboard, trackballs, and D-pad controllers) with different formats and content for the raw data provided by each. It is unnecessarily burdensome to force the game to understand all of the different valid control systems. The main problem with the authoritative server model comes from cheating by developers. The “cheat” I am talking about is that too often developers wind up implementing state and rules on the client-side and using a state synchronization approach to update the server. This is often done for legitimate performance reasons, but leads right back to the “trusted remote date” scenario that you thought you had escaped by using this networking strategy. ACTION-BASED NETWORKING The remaining choice for multi-player gaming is to exchange actions instead of state or control information over the network. Action-based game play networking (see Figure 13.5) has a lot of advantages. Game actions are almost always bandwidth efficient, as they reflect player choices that are limited by the inherent abstraction of all games. Architecturally, a nice aspect of action-based networking is that it can operate in either a client-server or peer-to-peer network, leaving more flexibility for game developers.

118

Protecting Games: A Security Handbook for Game Developers and Publishers

FIGURE 13.5 Action-based networking

Actions are selected prior to the invocation of a game’s rules. This has a substantial security advantage, as the pre-existing rules validation and processing system become part of the networked game’s security system. Control-based clientserver networking has some of the advantages of this approach, as control information is converted into actions at the server (where they are validated); however, state information is passed down to the player client where it is accepted without verification. By exchanging action information with remote players or servers, the game’s own rules can be used to protect against cheating. Also, the architecture is nicely independent of the location of the player or the game’s underlying communications (local or remote, client or server or peer), making testing easier by allowing the game rules to be fully tested through its API. Logging and replay features are also easy to add when using action-based network, as are metrics and tracking for performance monitoring and debugging. It is fairly easy to see why action-based networking is secure by looking at playby-mail chess. In chess, a player sends his moves to the other player. The receiving player: 1. Receives the incoming action. 2. Determines whose turn it is (can any action occur now from the specified player?). 3. Looks at the board and determines if the piece is available to move. 4. Determines if the move is legal (can the player take the specified action?). 5. Moves the piece.

Chapter 13 Cheating 101

119

In state-based networking, chess would be played by sending a new chess board or by sending the moved piece’s new position (along with any removal of an opponent’s piece). The receiver has a much more difficult time determining if the move is valid because she basically has to reconstruct the move or look at a list of all available moves and see if the selected one is included. For a computer game with more complicated actions and multiple active players or “pieces,” this problem rapidly becomes intractable. Formally, there are two basic types of action-based networking messages: PlayerID,Action + Parameters, ActionInitiationTime;

and PlayerID,OldGameState,Action + Parameters, ActionInitiationTime;

Under action-based networking, the model is essentially the same as for chess: 1. Receive the incoming action from a player (local or remote). 2. Determine if the player can take that action given the current game state. 3. Implement the action (use the action and its parameters in conjunction with the game rules to determine the new game state). 4. Update the state. It is important to note that there are really two types of rules processing. First, there are the rules that determine if a specific player can take a specific action given the current game state. This is an area where programmers often make errors. Often, the problems occur because the developers don’t assume someone would attack the control interface or the network directly and drive the game faster than normal. This type of action overrun attack is a fairly common form of network attack. The second type of game rules are those that take an input action and its parameters and determine the outcome to update the game’s state. One of the challenges with implementing action-based networking is maintaining synchronization between players. This is not a problem for state-based networking systems. In addition to being easy to implement, state-based synchronization schemes can be fairly “sloppy,” especially if they use an averaging scheme to synchronize. The various players will continually converge towards a shared state... and it almost doesn’t matter if the different player’s state is ever exactly the same. This approach is used in large-scale simulations where cheating security issues aren’t a problem for performance and simplicity of development.

120

Protecting Games: A Security Handbook for Game Developers and Publishers

Action-based networking first requires setting an initial state and time between all of the game players. Time can be particularly difficult to coordinate. One approach is to handle network time as a sequence of synchronized “ticks” that all players need to participate in before the game proceeds to the next tick.

MONEY, VIRTUALIZATION, ROOTKITS, AND THE END OF CLIENT-SIDE SECURITY Historically, the main focus of anti-cheating techniques has been on client-side security tools. These software techniques, libraries, and even standalone applications “look” for malicious code and alterations to the operating environment for the game application. These tools have been reasonably effective: There is only so much work a hacker will do when they are attacking a game “just for fun.” The game industry is changing rapidly. It is much larger than when most of these anti-cheating tools were created, and hackers are now breaking games to make money. The computer industry is also undergoing a bit of a revolution. Virtualization tools, like VMware and the open source product Xen, are changing IT. At the same time, hackers have moved to rootkits as a way to avoid detection. Barring the rhetoric, both of these tools are similar. Virtualization wraps an operating system instance and its associated applications in an isolated shell that is unaware that it is in a shared environment under control of another application. Rootkits are applications that use very low-level utilities to hide themselves from ordinary operating system monitoring tools. SoftICE, an early Windows tool, hid itself from the operating system as part of its function as a powerful platform debugger, and was used to attack Diablo. Most anti-cheating products are reactive; they detect specific cheats only after they have been identified. Like anti-virus software, they don’t actually search for new attacks; they look for signatures of known attack applications. This distinction is important. The company or group that keeps the game security software up to date needs to have an actual copy of the attack software in order to create a signature for it. If the attack software is changed, the signature needs to be changed as well. Even worse, a completely different program that exploits the same weakness also will need to be retrieved by the security company and a signature created for it as well. The key challenge that these tools face is that it is inherently difficult to separate legitimate programs, like mouse or keyboard controllers, from malicious programs that are virtually identical in function. After all, what is a “bot” but an exceptionally clever input device?

Chapter 13 Cheating 101

121

When cheats are done “for fun,” they are widely distributed and easily detected by a game company’s “Cheat Surveillance System” (the game’s online forums and fan sites). When cheating a game becomes serious business, hackers don’t share their attacks or sell them for a nominal fee; they profit from them directly. I have been told anecdotally that there are proprietary bots used by gold farmers for many MMOs that are not widely distributed, but used only as a tool for professionals. Detection of serious cheats can be difficult. An outsourced employee at a company that made an online poker calculator player aid (the tool automatically tracks the “rake” by the poker site operator) inserted a rootkit into the application 7. The malicious program installed a key-logger and other programs useful for looting the poker player accounts. This rootkit was still not detected by any traditional security software months after its insertion—I suspect, because it was neither widely distributed into the general population nor obvious in its nefarious activities. Virtualization provides a powerful avenue for attacking games. Just like other applications, software security tools live inside the virtualized environment and cannot detect that they are not part of the platform’s “real” operating environment. As software developers create more and more powerful virtualization tools, it is highly likely that some of these virtualization management, security, and testing tools will be used for malicious purposes, just as the SoftICE Windows testing tool was turned into a game hacking tool. Combining rootkits and virtualization is a plausible security nightmare with the recent demonstration of a rootkit that could move an operating system into a virtualized shell without being detected and leaving the rootkit in control of the platform8. Targeted malicious code is a growing problem for the security software industry. Previously, hackers would create viruses and other malware just to spread them to as many computers as possible. Recently, online criminals have begun to target specific, lucrative targets: companies or even individuals. The reasonable revenues and exceptionally low risk make all forms of online gaming a very tempting opportunity. Virtualization will also allow hackers to more effectively and inexpensively scale automated gold farming, pokerbot, and other systems to attack online games.

S ECURITY , T RUST ,

AND

S ERVER A RCHITECTURES

Almost every multi-player game uses a central server in its design. Even peer-topeer games include a minimal server system for matchmaking and storing persistent data and rankings. The standard assumption is that the server is trustworthy.

122

Protecting Games: A Security Handbook for Game Developers and Publishers

This is the view of the developer, of course. Players may have a different view, and rightly so, in some cases. Servers can be hacked or, even worse, a malicious insider may be abusing the game for his own benefit as happened at the online poker site UltimateBet.com9. In this case, the malicious insider was using the fact that the game state was available on the game server to read other players’ hidden cards— and, as a result, make extremely profitable wagers. Online gambling sites are not the only victims. A Shanda Interactive vice president and two accomplices were arrested for creating and selling virtual items in the MMO, Legend of Mir 210. The only reason that they were caught was that they chose to create and sell exceptionally rare items. They might never have been caught if they had chosen to sell widely available, but still valuable and profitable, game currency as has happened at several other online games. In addition to the “trusted server” and simple “peer-to-peer” models, there are at least three other architectures to consider: Trusted Third Party, Blind Service, and Collaborative Game Play.

FIGURE 13.6 Trusted third-party architecture

The Trusted Third Party model (see Figure 13.6) is an independent service provider who has no interest in the game’s operation or outcome. The third-party provider does not run the game, but either audits its behavior, or, more powerfully, implements key portions of the game itself to ensure its integrity. This scenario is the gaming analog of a real estate escrow agent who mediates part of a sales transaction to ensure money is transferred appropriately between buyer and seller. For MMOs, an escrow agent could be used to handle all asset transfers (and not just for sales between players as some Real Money Transaction (RMT) providers are doing

Chapter 13 Cheating 101

123

today). Conceivably, these third-party providers could roll dice, resolve combat, or even host the entire game. The success of the Trusted Third Party comes from proving its independence from the players and game operator, both technically and from a business perspective. Poker is an example of this architecture already being used for gaming. The players are not playing against the house, as in a casino, but against each other. Thus, the poker operator has no vested interest in the game’s outcome. The challenge comes from enforcing this separation. If an employee of the poker operator has a vested interest in the game’s outcome, as in the UltimateBet.com example, the model is undermined. Just as in promotions and contests, there are real benefits to the integrity of a game from prohibiting game company employees (or their friends and families) from playing the game (a topic that I will be revisiting in Chapter 25).

FIGURE 13.7 Blind service architecture

A variant on the Trusted Third Party model is to have an untrusted third party. The Blind Service model, illustrated in Figure 13.7, is a scenario where there are multiple service providers that can be chosen at random by the game participants. Ideally, the blind service would not even know who the players are. If there are enough blind service providers and the players use an intelligent randomization scheme for selecting the provider, the system can be secure. The nearest analogy is the Tor anonymous web browsing service11. The problem with this model is to find a way to make the set of anonymous providers large enough and make the service economically viable for a game operation. The system also needs a mechanism to communicate some information between the game operator and the blind service and players. Depending on the specific system and business model, cryptographic techniques, such as public key cryptography, may be helpful.

124

Protecting Games: A Security Handbook for Game Developers and Publishers

From an anti-cheating perspective, the ideal is to be “N-1 Secure.” If there are N players in a game, the game should be fair if at least one of them is honest (or, at least not part of the same cheating team). Action-based networking actually addresses a portion of this architecture, and is all that is needed for games like chess. The combination of exchanging information by actions with local verification of rules by each player means that the only role of a central server is to adjudicate disputes (see Figure 13.8). Players can independently rebuild the changes in the game’s state over time by looking at all of the players’ actions. If the previously recorded state is not identical (or at least is consistent) to the reconstructed state, some form of manipulation or corruption has occurred. My company, IT GlobalSecure, took this basic concept and extended it to cover more types of games and other game interactions, such as fair random numbers, handling hidden information, and securely synchronizing network time with our SecurePlay software.

FIGURE 13.8 Collaborative game security architecture

Issues of trust are important for game developers, game operators, and game players. Payment processors, regulators, and law enforcement may all be concerned with the integrity of a game for a number of reasons. One advantage of this architecture is that security evaluation can be made much simpler. Because each party to the game has an independent copy of the rules, independent game implementations can be used by each participant as long as everyone follows the same API. This could have some very interesting benefits for casino games, skill games, and contests where criminals can currently target game software for attack and there are ongoing concerns about game developers as potential threats.

Chapter 13 Cheating 101

125

R ANDOM E VENTS Fair random number generation is a really challenging problem for multi-player games. When we play games face-to-face, we have standard products (dice and cards) and standard procedures (shuffle, cut, and dice cups) that ensure integrity. If you go to a casino, a massive portion of the security design for games is around ensuring the integrity of random events. Slot machines, the most familiar and trusted form of automated random number generation, use real random noise (almost always) to generate random bits and the systems are sealed and have their code evaluated line by line—and they’ve still been attacked12. In the CARRDS model, “random” is highlighted because it creates its own set of issues and was one of the motivations for creating our SecurePlay software. An example of the blind service model, described previously, has been used for years by board gamers who play by mail to roll dice fairly. The players designate a stock symbol and future date and use the cents portion of the price as a random number. (Electronic Arts ERTS closed at 47.06 on Wednesday, 20 August 2008, so the random number would be 06.). There are actually several distinct types of random number systems that are of concern in computer games: Private Random with Replacement—The random value is known only to the individual player, but is drawn from a random sample, like dice, where random values can reappear. Public Random with Replacement—The random value is known to all players and the random values can reappear. Public Random without Replacement—The random value is known to all players and the random pool is sampled without replacement. For example, cards from a deck, where random values cannot reappear. Private Random without Replacement (Separate Random Pool)—The random value is known to only an individual player and the random pool is sampled without replacement, but the random pool is not shared across players (as in the game Magic, where each player has her own deck of cards). Private Random without Replacement (Shared Random Pool)—The random value is known only to an individual player and the random pool is sampled without replacement. The random pool is shared like cards dealt by a dealer. The question in each is how to generate a fair random event, preferably in a way that is N-1 secure. It is possible to use a trusted third party for random numbers (interestingly, this has not been tried for online gambling to my knowledge).

126

Protecting Games: A Security Handbook for Game Developers and Publishers

The random numbers could be encrypted as they are provided to the individual players for private random numbers. The sole problem with this approach is that you have to trust the trusted third party. Collaborative random number generation is an effective solution. Instead of involving a third party, each participant can create a random number, share it with the others, and combine the results: SharedRandom = (Random1 + Random2 + Random 3 +... + RandomN) mod Z; // where each RandomX is a contribution from one participant and Z // is the range of values desired as well as the range for each contribution.

If everyone is honest, this system works well. The problem comes from the contributions not being simultaneous. If you have ever played Rock-Paper-Scissors with a child, you’ve seen this problem—the child sees the value you’ve selected and somehow their hand slips into the advantageous value. Our SecurePlay software addresses this problem by creating a “logically simultaneous” action; we can use irreversible transforms to get things started: for each Player j { Transformj = IrreversibleTransform(Randomj,padding); // each player computes an irreversible transform of her // random value with arbitrary padding appended to it. }

Next, each player shares this information with the others and once everyone confirms that they’ve received the transform, each reveals the random value to the others, which can then be verified: for each Player j { AllegedRandomj = Randomj,padding; // each player shares their random value with padding if (Transformj == IrreversibleTransform(AllegedRandomj) { use Randomj; // as described above } else { call Police; // or other action } }

Chapter 13 Cheating 101

127

This core algorithm, with slight variations, can be used to cover most of the required random scenarios. For public random events, the process works exactly as described. For random events without replacement, the range (Z) is reduced by one as the random pool is depleted. Private random events can simply be handled by having the player who is keeping the random event secret (Player j) not provide her a value (AllegedRandomj) until after the game is over so that it can be verified. The one case where there is a bit of a problem is when there is a private random without replacement and a shared random pool. In order to generate a draw from a random pool without replacement, the dealer needs to retain knowledge of what has been dealt which allows her to share information with others. The dealer cannot affect the random event outcome, but she can disclose the private random information to other players—often a problem in games, as it can give advantage. A variation on this system can be used with a server/dealer to generate large numbers of random events quickly and if the dealer is somewhat trusted. Instead of directly generating random events, the players can all contribute towards building a collaborative random seed that is used with a deterministic random number generator to create a series of random events. As seen with the UltimateBet.com case, trusting a central server at all can be a potential threat. It may make sense to alter a game’s design so that the game is naturally N-1 Secure. Poker, for example, could be changed slightly so that players’ private cards are drawn from a separate, private deck (like in Magic: The Gathering). This would slightly shift the distribution of hands in the game and make it possible for a player to actually be dealt a natural five-of-a-kind hand, but separate decks would stop attacks from a compromised central server.

P LAYER C OLLUSION Player collusion is one of the more troublesome problems for all forms of gaming. Many, if not most, multi-player games are built on the premise of player competition. Collusion can occur “in band” using the game’s communication services or signaled via game play or “out of band” using external communication systems, like a telephone. Although it is easy to say that collusion is against the game’s rules (or terms of service), in practice it is very difficult to eliminate collusive behavior. It is even worse online where players cannot be physically monitored and they have easy access to alternate communications channels to share information and coordinate strategies. Collusion needs to be considered very carefully in game design. In one of my alltime favorite game design failures, a Swedish lottery firm, Svenska Spel, designed a

128

Protecting Games: A Security Handbook for Game Developers and Publishers

game called Limbo where players guessed a number between 1 and 99,999. If you selected the lowest number that no one else had chosen, you won a prize. If two or more people chose the same number, they “bounced” and were disqualified. Collusion was against the rules (as was making too many bets by a single person). You can probably guess what happened: Players formed large syndicates to systematically guess different numbers to increase their odds of winning and won hundreds of thousands of kroner. The contest was rather quickly and abruptly withdrawn13. Closure of the game cost Svenska Spel one hundred million kroner (over $15 million) per year. If you think this is funny, consider all of the games that forbid gold farming, but allow inter-player item exchanges. Many MMOs have a limited form of player vs. player (PvP) conflict, where you can fight players on other teams, but not your own. Members of “Something Awful” (an interesting collection of people who play a number of games, often in ways not intended by their designers or other players) organized a pair of guilds in World of Warcraft with the intent of using both guilds against other players and groups. World of Warcraft has two “teams,” the Horde and the Alliance. Players are allowed to attack members of the other team, but not their own side (Horde players could attack Alliance players, but not other Horde players and vice versa). The “Something Awful” guilds colluded together for their mutual benefit to take advantage of the game’s economy. The “Something Awful” Horde guild would escort and aid their Alliance counterparts who entered Horde territory since they were immune to attack by other Horde players. They also used the paired guilds to act as a protection racket: While an ordinary Alliance player can do nothing to another Alliance player, a friendly Horde player (or group) can attack Alliance players mercilessly 14. There are three main types of collusion: External Affiliation—In this case the colluding team has an external relationship that, in and of itself, gives them an advantage. Poker players who have a shared bank roll have an inherent advantage over the others at their table, even if they do nothing active in the game but share their winnings after the game is over. This type of collusion is essentially impossible to detect from the game’s or game operator’s perspective. Shared Knowledge—The next level of collusion is sharing knowledge between the conspirators. In poker again, this is easy to appreciate. When two players share the values of their hidden cards, they will have a substantial advantage in their game play.

Chapter 13 Cheating 101

129

Coordinated Action—As seen in the Limbo lottery game and the World of Warcraft examples, active collusion can be terribly destructive to a game. Many of the tournament attacks, discussed in Chapter 20, are based on players colluding instead of competing. You can randomize the matchmaking process to make it less likely that teams can exploit their relationship. In some face-to-face games, it is possible to restrict communications to avoid covert signaling. In its highest-level tournaments, bridge players use cards to indicate their bids so that vocal cues are impossible. Completely stopping collusion is virtually impossible. Online poker sites claim to look for team play by analyzing game play patterns. This may have some effect, but it is unlikely to even slow down a serious collusion conspiracy. For online games, at least, the best anti-collusion strategy may be to legalize collusion or otherwise alter game play so that collusion confers no significant advantage.

B USINESS M ODELS

AND

S ECURITY P ROBLEMS

Sometimes game security problems are a nuisance, and sometimes they are devastating. Game play and balance problems, no matter how bad they are, can almost always be repaired. Players may gripe or even quit when their favorite characters are “nerfed” (had their abilities reduced due to a software update/rules change) or favorite tactics thwarted. These are serious customer service problems, but they rarely are a threat to the business. Some game security problems can ruin your business. The more closely game play is tied to your business model, the more risk you face. For a game that is sold as a product, the major threat is piracy. For a subscription game, the threats are unauthorized, unfunded subscriptions and excessive play. At the other end of the spectrum, any form of cheating or abuse can undermine the success of a gambling or skill game operation. Free-to-play games and other games with hybrid business/game play models, like Second Life and Project Entropia, face some interesting challenges. Free-to-play games make their money by selling in-game virtual assets to players in lieu of charging subscriptions. This approach is becoming the dominant business model used in Asian games and is rapidly entering Western markets with games like Nexon’s MapleStory and Three Rings’ Puzzle Pirates. Although many players do not pay to play these games at all, some can spend hundreds of dollars on virtual items— much more than they would spend in a subscription game. Also, because the cost to play is zero, it is easier to reach a wider potential audience.

130

Protecting Games: A Security Handbook for Game Developers and Publishers

Unlike a subscription game, the game systems and real money payment systems are closely intertwined. Attacks on the game can damage the company’s business model directly. Recently, I was told about a licensed MMO that had a serious problem in which malicious users could hack the game and simply give themselves all of the virtual items they want by using a SQL injection attack to directly edit their inventory—even getting items not yet available to other players because they had not been enabled by the game operator. Several online games and virtual worlds have embraced the notion of user-created content and trading as central to their business model including IMVU, Second Life, and Entropia Universe (formerly Project Entropia). In these communities, the players can use tools to create and trade virtual items that can be bought and sold for real money (or, rather, virtual currency that can be converted into real money). Entropia Universe has gone a step further by directly auctioning off a massive space station for $100,00015 as well as five banking licenses for a total of $404,00016. The fact that virtual currency can be converted into real money raises the stakes for security. Second Life faced an attack that allowed a hacker to steal player’s money just by “walking by” a modified QuickTime file (moving their game character/ avatar close enough to an object in the game that included the hacked QuickTime file so that the game would cause the file to be loaded). For a while, Apple’s QuickTime file format was vulnerable to an attack that gave hackers the ability to insert and execute malicious code on the target computer, if the hacker could get the altered file onto the computer. Because players in Second Life can create virtual items, including items that incorporate QuickTime files, this attack could be launched against players dynamically in the virtual world. The hack basically forced the victim’s Second Life account to automatically transfer the game’s currency, Linden Dollars, to the thief17. MindArk’s Entropia Universe has the feature that many items that players find useful are consumed or damaged over time and need to be repaired or replaced: the essence of the company’s business model. Instead of a hack, players found an exploit that allowed them to guarantee that they would earn more money than it cost them to play18. This exploit undermines the virtual world’s business model, much as a slot machine that pays out more than it takes in is quite harmful to a casino’s bottom line, if not its popularity. What if your partners rebel? Activision and Infinity Ward faced a rebellion over the security failures of the World War II first person shooter, Call of Duty 2. The rebels were not ordinary players, but highly motivated gamers who hosted servers for the game. They called a strike to stop operating their servers until the game’s anti-cheat systems were fixed19. Even more costly, MGame in Korea’s licensee in China, CDC Games, stopped paying royalties until the company fixed piracy and other problems with Yulang, an MMO20, a dispute that was eventually settled.

Chapter 13 Cheating 101

131

R EFERENCES 1. B. Sinclair (2006), “EA Sells Tiger Woods Cheats on XBL,” http://www.gamespot.com/xbox360/sports/tigerwoodspgatour07/news.html?sid=6159881 2. Virtual World News (2007), “Blogging the AGDC: Coming to America: Nexon’s Micro-Transaction Revolution, “http://www.virtualworldsnews.com/2007/09/blogging-the—5.html 3. R. Miller (2008), “Fable 2 Pub Games Exploit Will Make You Very, Very Rich,” http://www.joystiq.com/2008/08/15/fable-2-pub-games-exploit-will-make-you-very-very-rich/ 4. S. Schuster (2008), “AoC Demonologist Exploit Fixed in Recent Patch,” http://www.massively.com/2008/05/26/aoc-demonologist-exploit-fixed-in-recent-patch/ 5. M. Pritchard (2000), “How to Hurt the Hackers: The Scoop on Internet Cheating and How You Can Combat It,” http://www.gamasutra.com/features/20000724/pritchard_01.htm 6. P. Klepek (2005), “Battlefield Server Delisting—EA and DICE Respond to Recent Server Modding by Users,” http://www.1up.com/do/newsStory?cId=3141484 7. R, Naraine (2006), “Rootkit Infiltrates Online Poker Software,” http://www.eweek.com/c/a/Security/Rootkit-Infiltrates-Online-Poker-Software/ 8. R, Naraine (2006), “VM Rootkits: The Next Big Threat?,” http://www.eweek.com/c/a/Security/VM-Rootkits-The-Next-Big-Threat/ 9. J. McCarthy (2008), “Online Casino Admits Insiders Changed Software to Cheat,” http://www.onlinecasinoadvisory.com/casino-news/online/online-casino-admits-cheaters-existed-1728.htm 10. A. Xu (2006), “Three Men Tried for Selling Online Game Weapons,” via http://www.playnoevil.com/serendipity/index.php?/archives/763-Insider-Virtual-Asset-Crime-inShandas-Legend-of-Mir-2-IMPORTANT.html (original link expired) 11. Wikipedia (2008), “Tor (Anonymity Network),” http://en.wikipedia.org/wiki/Tor_(anonymity_network) 12. S. Bourie (2008), “The World’s Greatest Slot Cheat?,” http://www.americancasinoguide.com/Tips/slot-cheat.shtml 13. J. Savage (2007), “Game Stopped After Cheat Allegations,” http://www.thelocal.se/6788/20070324/ 14. Joe Blancato (2006), “Diseased Cur,” http://www.escapistmagazine.com/articles/view/issues/issue_30/188-Diseased-Cur 15. BBC (2005), “Gamer Buys Virtual Space Station,” http://news.bbc.co.uk/2/hi/technology/4374610.stm 16. MindArk (2007), “Virtual Banking Licenses Sold!,” http://www.entropiauniverse.com/en/rich/6357.html 17. Internet Security For Your Macintosh blog (2007), “Second Life Hack Steals Real Life Money,” http://www.isfym.com/site/blog/Entries/2007/12/6_Second_Life_hack_steals_real_life_money.html 18. Entropia Universe Examined blog (2007), “The Final Entropia Exploit,” http://blogtropia.blogspot.com/2007/03/final-entropia-exploit.html 19. IWNation (2005), “The Time Has Come for Action, We Will Be Ignored No Longer,” http://iwnation.com/forums/?showtopic=17450 20. L. Alexander (2007), “CDC Sues MGame for Security, Tech Support Failures,” http://www.worldsinmotion.biz/2007/10/cdc_sues_mgame_for_security_te.php 21. M. Greene (2008), “MGame, CDC Settle Yulgang Dispute,” http://kotaku.com/365550/mgame-cdc-settle-yulgang-dispute

14

App Attacks: State, Data, Asset, and Code Vulnerabilities and Countermeasures o abusively paraphrase Sutton’s Law1, hackers attack the local application because “that’s where the game is.” And, it is convenient. And developers leave the application a vulnerable target. Both hackers and developers are lazy.

T

Author’s Warning: I name and discuss several programs used for cheating games during this chapter and elsewhere in the book. I am in no way recommending that people use these tools. Even if the tools themselves are safe, game cheating and hacking tools are often provided with free “extra” features, like key-loggers and other additions that may be used to hack your computer, steal your passwords, and otherwise ruin your day. Even compiling these tools from source code may be risky, because you aren’t actually going to review all the code, are you? And, even if you did, do you really think you could find serious, malicious code? There are many ways to attack a game via the local application. Hackers can modify the game’s state, its data, memory, and assets, or even the application itself. There are countermeasures for many of these attacks. However, many of these countermeasures can themselves be circumvented because they, too, are applications that run on the player’s computer. Local hacking is one of the reasons that developers have moved towards server-based game designs or should consider actionbased networking, as discussed in Chapter 13.

M EMORY E DITORS , R ADAR ,

AND

ESP

The easiest attack target is the computer’s memory. System memory needs to be used by all games and can be easily analyzed, so attackers don’t need to do any new work to attack different games. In the hand of even a “YouTube-educated” game cheater, free debuggers and standard utilities can easily read out the computer’s active memory and rapidly and empirically determine where key game data is stored. 132

Chapter 14 App Attacks: State, Data, Asset, and Code Vulnerabilities and Countermeasures

133

This allows the cheater to directly change the computer’s memory contents. At the time of my writing this paragraph, there are 60 YouTube video demonstrations 2 of hacks on the simple, quite fun Flash-based role-playing game, Sonny 3. These are attacks on a free game! All computer applications write data into RAM memory while they are running. For an ordinary user, the operating system controls access to the RAM memory so that the applications don’t interfere with each other. Applications themselves create a structured “memory map” so that the application can easily and quickly find its own data. At their most basic level, memory editors are tools that can look at the entire RAM of a computer and manually change or lock any memory value. Smarter memory editors can learn the memory maps for different applications and automatically remember where certain data is located. The most generic attack on a game using a memory editor is pretty simple: 1. Start the game. 2. Launch the memory editor. 3. Look for the value in memory. 4. Change the value using the memory editor. 5. See if the value has been changed in the game. 6. Cheat and be merry (shame on you!). In practice, this may be difficult, as a given number or string sequence may occur in multiple places in memory. Also, games may try to hide values by changing how they are stored (via encryption or obfuscation). The more robust way to attack a game takes only slightly more effort: 1. Start the game. 2. Launch the memory editor. 3. Tell the memory editor to “Save State” (save a complete image of the computer’s memory or the area allocated to the game). 4. Do something in the game that changes the value of interest. 5. Tell the memory editor to look for differences in state (compared to the previously saved state). 6. Try editing these values. 7. See if the value has been changed in the game. 8. Repeat until satisfied. 9. Cheat and be merry (shame on you!).

134

Protecting Games: A Security Handbook for Game Developers and Publishers

The power of this technique is that it will work for pretty much any game, at least on a PC or hacked console. Instead of modifying a game’s state, in many multi-player games, simply being able to read state information gives the hacker a substantial advantage. Radar attacks and ESP (extrasensory perception) both, at their core, prey on a weakness found in many multi-player games—the need to pre-load remote data. Most modern games are played as real-time systems and the overwhelming goal of game developers is to provide a smooth experience for players. Because of the drive to provide a “smooth” game play experience, the player’s client application knows information about the game’s state that the player shouldn’t know. Several years ago, Dark Age of Camelot players could read location and useful map information about other players by analyzing the MMO’s network protocol (clearly, a state-based system)4. Apparently, these attacks were stopped when Dark Age of Camelot’s developer, Mythic Entertainment (now EA Mythic), began encrypting the network packets. Conceptually, an attacker should have been able to attack the game “above” the network layer (after the packets had been decrypted at the client) and extract the same information, but I have not seen any indications that this has occurred. These attacks can affect other genres including first person shooters such as SWAT 4 5 and, more recently, Team Fortress 2 6. Radar attacks and wallhacks, to be discussed shortly, can look similar and have identical game-cheating consequences, but their implementation is different. Radar attacks are dependent on reading out game state information, whereas wallhacks attack the display subsystem. ESP attacks directly extract the game state and provide their own display. Because Adobe’s Flash provides tools that make using state-based synchronization very easy, a number of developers of basic multi-player Flash games, including card games, simply replicate the game’s entire state at each player’s location. Once hackers extract this information, they have a huge advantage (as you can imagine if you were playing poker or bridge and could see all of your opponent’s cards).

D ATA O BFUSCATORS The best way to prevent a game client from disclosing data is to not provide it in the first place. Hackers can’t extract information that they can’t access. As is discussed in Chapter 17, game design itself can be an opportunity for game designers to help reduce security risks.

Chapter 14 App Attacks: State, Data, Asset, and Code Vulnerabilities and Countermeasures

135

If it is necessary for the local game client to store a hidden game state, the only real choice is data obfuscation. Data obfuscation makes attempts to hide the format and location of important game data from memory editors. As discussed previously, memory editors don’t care where game data is stored in memory. Rather, memory editors look for known values and changes in values. Sometimes, developers use encryption techniques to hide the data. However, because the key has to be available on the platform as well as the data, the security, such as it is, comes from how well any keys are hidden and how difficult it is for the hacker to reverseengineer the encryption system’s design. So, instead of using the term “encryption,” which implies powerful security for many readers, it is more appropriate to refer to such systems as “data obfuscators.” “Encryption” is not the only option. According to the documentation for the Poke memory editor, Blizzard’s Diablo II used a system where they stored critical game data in multiple locations and, if only one was changed, the Diablo II storage system used the smaller one and changed both values to the same, smaller value7. Once this scheme was identified, it was fairly trivial for hackers to defeat. A slightly more complicated system involves using “differential storage”— where game data is split into two elements via addition or the “exclusive or” function so that individual memory locations cannot be usefully read by a memory editor: /// GD – game data to be stored // compute a random value, Random1 L1 = GD xor Random1; // compute the sum of the game data and the random info L2 = Random1;// store the random info GD = L1 xor L2; // retrieve the game data

This technique is simple and fast. If a fair amount of data is being updated regularly, it will be difficult for a hacker to easily isolate correct pairs of storage registers. Eventually, a patient hacker may be able to change memory locations one at a time and steadily work out the game’s differential memory map. One can add an anti-tamper element to this system by incorporating a checksum with the game data: /// GD – game data to be stored // GDCS - checksum on game data // compute a random value, Random1

136

Protecting Games: A Security Handbook for Game Developers and Publishers

L1 = (GD,GDCS) xor Random1; // compute the sum of the game data and the random info L2 = Random1;// store the random info (GD,GDCS) = L1 xor L2; // retrieve the game data if [Verify (GD,GDCS) == false] then {do countermeasures;} else {play;}

The challenge for any data obfuscator is that it must work quite fast and, essentially, force the hacker to reverse-engineer the design of the game’s obfuscation code to defeat it. Also, it is essential that the data obfuscator is easy to use. For languages such as C++, this would typically mean creating a custom data type or template and for many other languages the obfuscated data would be stored in a class or struct data type (when I created a data obfuscator for Flash, I created a set of classes that mirrored the language’s basic data types). It is important that the obfuscator not be called as a dynamic library at run-time, but integrated into the code during compilation. If the obfuscator is called as an external library, it can be “plugged out” so that it is bypassed entirely, as discussed in the next section. Also, beware of optimizing compilers, as they may optimize your data and code obfuscation techniques right out of your application. Ideally, the data obfuscator could be regularly updated by simply recompiling the game with a new obfuscator version and no modifications would need to be made to any of the remaining game code. The following are a number of data-protection techniques: Encrypt—Encrypting data with a static key (hardwired or game instance based) simply makes the static key of the encryption function the primary target for attack. Cryptographic modes are important (key-additive, cipherblock chaining, cipher feedback, and so on), because some may allow the hacker to change the encrypted data in a useful way without ever breaking the cryptography. It is important to recognize that the technique does not have to be cryptographically strong; it just has to effectively obscure the data from direct extraction by a memory editor. Attackers must find the function method or algorithm and key or blindly modify data in the platform’s memory. Data Hash—Even a simple, unkeyed data hash, if implemented properly, can be effective. A keyed hash requires the attacker to isolate the key, the code for the hash function, and its algorithm. Indirect Data Store—Instead of storing data in a memory location, store it indirectly via an object pointer. This can be used against static memory map tools by forcing an attacker to dynamically read-out memory.

Chapter 14 App Attacks: State, Data, Asset, and Code Vulnerabilities and Countermeasures

137

Split Data Store—Split the data via some symmetric function (mod 2 arithmetic, addition) so that instead of storing a value (V), a random value (R) and a split value (R+V) are stored. An attacker must find the correct sets of memory locations in order to effectively modify the game data. Differential Data/Data Chaining—Instead of storing data directly, store it as an offset split of another data object. The data chains cannot be too long or complicated or a single data change may force many other data objects to be changed and have an adverse performance impact. Honeytrap Memory—A honeytrap is stored data that has a hard-coded, known value that is periodically checked. If the honeytrap data has been changed, the application knows it has been hacked. Soft Failures—Detected hacks do not immediately get punished or get punished randomly. Combined Techniques—These techniques can be combined to substantially increase the difficulty for the hackers. It is also important to note that these techniques do not actually allow you to prevent modification of game data, but make such modifications detectable by your game code. Ideally, your selected data obfuscation strategy will detect any unauthorized data modifications so that they will be not be accepted by the game.

C ODE H ACKS

AND

DLL I NJECTION

In a computer, code is data. Just as all of the data in a game is available to a memory editor, the game’s code is also vulnerable. The most vulnerable portion of a game’s code is its internal configuration data. These data constants are the embodiment of the game’s rules and can have a substantial impact on game play. Aaron Portnoy and Ali Rizvi-Santiago of TippingPoint DVLabs attacked the configuration data for Disney’s Pirates of the Caribbean MMO game client by altering the game’s “jump height” and “ship speed” constants. These changes allowed their characters to jump ridiculous heights and their pirate ships to move incredibly fast 8. In this case, the security analysts were not attacking raw binary data, but the byte-code generated by the Python scripting language. The attack was successful because the game uses state-based networking so that the actual jump or movement data was exchanged and blindly accepted by the remote players’ computers. This type of attack can be thwarted. CCP Games’ EVE Online also uses Python for its client, but, because game state is totally controlled on the game’s servers, a recent hack that exposed the game client code caused no problem for the game’s security 9.

138

Protecting Games: A Security Handbook for Game Developers and Publishers

More serious code attacks typically target external libraries (DLLs for Windows computers, and SOs for Linux). A hacker can insert a “shim” library with the same name as the actual library and redirect and edit data going between the library and the main application. Eyebeam Openlab’s tool OGLE (OpenGLExtractor) demonstrates the basic technique used for graphics engine hacks and DLL proxies to attack games. OGLE was not developed with malicious intent, but rather to support the extraction of 3D images for other uses. The tool uses DLL proxy techniques to extract OpenGL graphics information and derive a 3D scene so that it can be sent to a 3D image editor or 3D printer10. A number of game hacks use similar techniques to cheat in games. Game graphics engines do not pose a threat. However, developers sometimes rely on the graphics engine to enforce game logic and this can cause problems. For example, game engines sometimes use the graphics engine to determine whether a player or item is visible to another player. The problem comes from letting the graphics engine “see” a player or item that would otherwise be invisible—a tool similar to OGLE could then be used to highlight the character, make the intervening walls invisible, and so on, in order to circumvent the game designer’s intent to hide the asset. The “best” solution would be that a local copy of a game doesn’t know anything it doesn’t need to. If an “invisible” asset needs to be stored locally, it should be protected as well as possible. To prevent easy exploitation of this information, the data should not leave the game engine, but the scene should be managed by an intermediary program that determines visibility and other attributes based on game rules and level design (that is, making a wall invisible for rendering does not expose things behind it). This is similar to a dynamic loader but instead of simply focusing on improving the graphics engine’s performance, the “safe loader” makes sure that anything that should not be visible isn’t loaded to the graphics engine. It may even load alternate assets based on game state and rules for the assets that are loaded. The safe loader should have the side benefit of reducing the number of assets that graphics engine needs to render—there is no need to waste cycles on rendering invisible items. Also, the safe loader could allow for more intelligent camera systems (for example, walls graphics could be replaced by suitable “graphic stubs” if they block the main game action from the camera’s current position—just as found in TV or film sets where the director removes walls and props from sets when they interfere with observing a scene as the director wishes). It is even possible to locate hidden assets and information at a lower level. Hackers can find the underlying tables that map where game functions are located and redirect the function calls to alternative functions. This does require a fair amount of sophistication; however, the same tools that allow assembly language

Chapter 14 App Attacks: State, Data, Asset, and Code Vulnerabilities and Countermeasures

139

debugging and software reverse-engineering (disassemblers and decompilers, among others) make implementing these attacks easier as software engineering tools get better (and more widely accessible and sometimes even free). Some anticheating tools will detect that software is running in debug mode as a way of attempting to fight these hacks. However, just as with memory editors, the debugging applications can also run independently of the application. These attacks are very specific to an application and its architecture. Network stacks, data stores, and other code that is tempting to store in a shared library may become a target by allowing the hacker to break the application into convenient pieces, just as the developer did.

B LIND S ECURITY F UNCTIONS , C ODE O BFUSCATORS , S OFTWARE D ESIGN

AND

A NTI -T AMPER

Protecting game code, just like protecting game data, is a very hard problem. After all, the code has to be present for the game to run. As discussed in Chapter 5, some games attempt to protect their code by not actually installing it with the game, but rather accessing it from a DVD or over the network when the application is executed. At this point, the code is loaded into the computer’s memory and it is vulnerable to being read, modified, or stored, just as the game’s data is. Some security techniques, such as data obfuscation, depend on the attacker not being able to (easily) reverse-engineer the application’s design. Code obfuscators work by making an application more difficult to reverse-engineer. Because the application does need to operate, what these tools do is introduce complexity into the executable program that makes it very difficult for standard disassemblers, decompilers, or parsers to convert into a higher-level language that is easy to analyze (this technique is also used for dynamic language’s byte code and simple scripting languages like JavaScript). The key advantage of obfuscators is that they can be highly automated. However, obfuscators can’t introduce too much complexity or else they will cause an unacceptable deterioration in performance. Games often have portions of their code that are very performance sensitive. Therefore, it is critical that obfuscators can be tuned so that they do not affect performance in key code areas. Blind security functions and anti-tamper software do affect the underlying operation of the game’s software. At their core, these tools introduce checks embedded deeply within the application to ensure that its data is correct and that its code is operating properly. Static data may be checked by loading the suspect static data in otherwise unrelated functions and comparing it with a pre-stored hash function or other validation:

140

Protecting Games: A Security Handbook for Game Developers and Publishers

/// pre-store hash of configuration data – CDH Load(ConfigurationData); if (CDH != Hash(ConfigurationData)) then {tamper processing} else {continue};

It is also possible to check that functions are working correctly. Developers can pre-store known results: // pre-store input, result pair for key function if ( result != KeyFunction(input)) then {tamper processing} else {continue};

This approach needs to be done cautiously, as hackers can replace the verification function with a series of NOOP (no operation) assembly language instructions or their equivalent if they can locate the verification functions. This usually means that these techniques work better if they are called in numerous places in the code. If a function is called only once or in only one way, it is easier for a hacker to target and remove or bypass. It is tempting for developers to wrap security and other functions up into a single line of code. This is, after all, standard coding practice. Unfortunately, this entirely valid coding technique makes reverse-engineering much easier. For example, it is very common to consolidate digital signature verification into a single function call: if (verify(data) == true) then {do good stuff} else {tamper processing};

A lazy hacker will simply alter the verify function to always return true, no matter how corrupt the data is. To detect such attacks, the developer needs to validate that the function is working properly: // first test the verify function by verifying corrupted data if (verify(data+ junk) == true) then {tamper processing}; else if (verify(data) == true) then {do good stuff} else {tamper processing};

These anti-tamper techniques can be quite powerful, but they are a lot of work for a developer to implement unless the developer has some powerful scripting or macro language capability to automate the integration of these features into the application. In general, these anti-tamper tools are going to be more effective if they operate on source code rather than on object code or an existing executable application that needs protection.

Chapter 14 App Attacks: State, Data, Asset, and Code Vulnerabilities and Countermeasures

S AVE G AME A TTACKS , W ALLHACKS ,

AND

141

B OBBLEHEADS

Memory editor attacks are not well-suited for console games, as they usually are sealed systems that do not allow access to their memory state and do not include or allow the installation of memory editors or other utilities (at least until they are hacked). For console games, hackers can often attack and modify the save game file. Most consoles use Flash memory or other rewritable storage to store saved games. The save game file can be attacked and modified, as discussed in Chapter 7. Hackers modified the save game information to get infinite ammunition and missiles and several other benefits in Metroid Prime Hunter, a first person shooter on Nintendo’s DS handheld game console11. This “trainer” configuration change gave the cheater a huge advantage when playing via the handheld’s WiFi network—an unfair modification that seriously undermined the fun of playing the multi-player game12. Once again, this attack is largely due to the use of state-based networking to establish player configuration information.

SAVE SHARING Console games have typically used two types of memory: a DVD or other static media to store the game itself and a much smaller Flash or EEPROM memory to store saved games. Players are using both of these methods to transfer their personal player profiles and save game information to other consoles and post results onto services like Xbox Live. However, some players have exploited weaknesses in the existing save game and player mobility system (where players can use their account profile on multiple game consoles) to cheat13. The easiest way to understand this is to think of the Save As command in Word or other Office applications. Basically, some player excels at a game. They make their saved game available to other players. These players launch the game from its saved state and then use the “Save As” command (or, as it is actually implemented on a console, assign the saved game to another game save slot) to transfer the game from its original owner to themselves. So far, the main exploits of these shared saves have been to gain unearned achievements on Xbox Live and, perhaps, to unlock game content and share customized data14. Without better control at the individual console or a more effective central service, there is potential to use shared saves for more serious mischief.

142

Protecting Games: A Security Handbook for Game Developers and Publishers

It is possible to attack a game’s state without targeting the game’s state directly via a memory editor or similar tool. Many games use the graphics display engine to determine where players are and if they can be targeted. The simplest attack on the graphics engine is to alter the visibility (or, more specifically, the transparency) of the game’s scenery and walls—called a wallhack15. By making walls transparent, other players or creatures that would ordinarily be hidden are revealed, making them much easier targets. The same effect can be achieved by altering attributes of the graphics in the game’s map file. The “ultimate” level of graphics engine attack is to replace entire art assets. Thus, instead of the ordinary player or creature that the game should use, a hacker replaces these art and animation assets with ones of her choosing that make the player more visible or an easier target—such as turning regular game characters into big Bobbleheads.

GRAPHICS ENGINES VERSUS GAME ENGINES Conceptually, the display system for a game should be distinct from the game’s state. The game logic should determine what is visible, who can be shot, and how one can move. In practice, many games merge the graphics engine and game engine into one entity. Although this may have some performance benefits, it opens up the aforementioned wallhacks and other exploits like “holes,” where players can get behind or between graphical elements by abuse of the graphics engine. A pure “Game Play” engine should be much less vulnerable to these problems, as it is handling less data: Level models are simpler, player models are more abstract, and so on. Also, a game play engine understands what a “wall” is in a formal way, versus simply a polygonal mesh to be rendered. By splitting the game play engine from the game presentation/graphics engine, game developers might also have an easier time moving between computer or console platforms. Also, by decoupling game play from game presentation, developers should be able to improve testing and scheduling.

S ECURE L OADER

AND

B LIND A UTHENTICATION

Client-side problems are hard. As noted in several places within this chapter, changing the networking model to an action-based network architecture should help.

Chapter 14 App Attacks: State, Data, Asset, and Code Vulnerabilities and Countermeasures

143

It is possible for the client application to authenticate map, asset, and save information, however. Anything that is loaded can be digitally signed, use a keyed hash function, or a cryptographic checksum. All of the solutions are equivalent from a security perspective. If hackers can determine the algorithm and find the associated static or semi-static key used with the algorithm, they can either replace the key with their own (the way to attack the digital signature) or use the key (which will work for the keyed hash function or cryptographic checksum). A very common design mistake is to use a regular hash function, such as MD5. Hackers will test common hash functions, like MD4, MD5, and the various SHA standards, over any loaded data to see if the hash values can be found within the application. MD5 is often used first, because it is probably the most widely available hash function. This can even work on consoles as seen with a partial, at least, hack of Gears of War16. More sophisticated hackers may alter the asset after its initial load by using a memory editor to change the pointer for the asset file to a preferred, alternate asset file. Thus, it is not usually sufficient to validate an asset only when it is initially loaded, but it should be checked periodically, preferably every time it is used (obviously, this has the potential to have a sizeable performance impact). The process for secure loading is very closely related to secure bootstrapping (see Chapter 7). A good secure loader design will also prevent rolling back to a previous version of software or assets, a problem that has plagued Sony’s PSP 17. From a performance perspective, using a regular cryptographic checksum, sometimes called a Message Authentication Code (MAC), is probably best, as these functions are faster than hash functions. This system can be used to validate game saves, art assets, maps and levels, and even game code. First, it is necessary to create the authentication word (AW): AW(assetx) = securityfunction(assetx,secretkey); store AW(assetx); // store the authentication word (and actual asset) somewhere

Then, to verify the asset, either when it is initially loaded or some other time, the authentication word is retrieved and it is compared with an alleged authentication word for the asset of interest: AW(allegedassetx) = securityfunction(allegedassetx,secretkey); //or AW(allegedassetx) = securityfunction(allegedassetx,publickey); // for the case where digital signatures are used if (AW(allegedassetx) != AW(assetx)) then { do tamperfunction;} else {process normally};

144

Protecting Games: A Security Handbook for Game Developers and Publishers

There is another use for this mathematical technique—blind authentication. It can be desirable to attempt to authenticate data or code at a remote game player’s location. In this case, keyed hash functions or cryptographic checksums are effective and digital signatures will not work. The challenging party generates a secret key and sends it to the other participant. The challenging party also sends an identifier associated with the code or data that is to be verified and must have a copy of the data: ChallengeMessage = randomkey,assetidentifier; // challenger generates random key and sends asset // identifier to challenged party

Both parties compute the authentication word for the specified asset: AW(asset(assetidentifier)) = securityfunction(asset(assetidentifier),randomkey);

The challenged party then sends the authentication word back to the challenger, who then compares it with her locally computed authentication word: if (challengerAW != challengedAW) then {take tamper measures} else {proceed normally};

This process is not perfect, but it does at least ensure that the challenged party has a copy of the valid asset. For a constrained platform, like a handheld console, this may be sufficient. It is also very efficient for authenticating saved game data for consoles, because most have some small amount of protected memory that can hold a secret key that can be used to check the integrity of a stored game save file.

Chapter 14 App Attacks: State, Data, Asset, and Code Vulnerabilities and Countermeasures

145

R EFERENCES 1. Wikipedia (2008), “Sutton’s Law,” http://en.wikipedia.org/wiki/Sutton%27s_law 2. YouTube (2008), “YouTube Search: Sonny Hack,” http://www.youtube.com/results?search_query=sonny+hack&search_type= 3. Armor Games (2008), “Sonny,” http://armorgames.com/play/505/sonny 4. RadarFTW (2005), “The Truth About Radar,” http://daoc.catacombs.com/forum.cfm?ThreadKey=511&DefMessage=1031585&forum=DAOCMainForum 5. sarzamineiran (2008), “SWAT 4 Aimbot/Wallhack/Radar Cheat,” http://www.youtube.com/watch?v=tsO_2KR-vbk 6. Smik3r (2008), “TF2 Hacks Aimbot NoSpread ArtificialAiming.net Scout Ownage,” http://www.youtube.com/watch?v=LWVqtzK0zf4 7. M. Anka (2007), “POKE,” http://codefromthe70s.org/poke.asp 8. A. Portnoy, A. Rizvi-Santiago (2008), “Reverse-Engineering Dynamic Languages,” http://dvlabs.tippingpoint.com/pub/aportnoy/RECON2008-PortnoySantiago.pdf 9. M. Martin (2008), “CCP Plays Down EVE Online Source Code Leak,” http://www.gamesindustry.biz/articles/ccp-plays-down-eve-online-source-code-leak 10. Eyebeam R&D (2006), “OGLE: The OpenGLExtractor,” http://ogle.eyebeamresearch.org/ 11. gbatemp.net (2006), “New Trainer: Metroid Prime Hunters (+4),” http://gbatemp.net/index.php?s=23f5870b73924be42c7c7a26a1de1a3f&showtopic=34050 12. 4 color rebellion/Mitch (2006), “Warning: Incoming MPH Cheating,” http://www.4colorrebellion.com/archives/2006/06/30/warning-incoming-mph-cheating/ 13. M. Nelson (2007), “Xbox LIVE Account Sharing and Gamesave Tampering (Don’t Do It),” http://majornelson.com/archive/2007/10/30/Xbox-LIVE-account-sharing-and-Gamesave-tamperingdont-do-it.aspx 14. B. Kuchera (2007), “Microsoft Tries to Stamp Out Cheating, Hurts Enthusiast Sports Gamers Instead,” http://arstechnica.com/journals/thumbs.ars/2007/05/16/microsoft-tries-to-stamp-out-cheating-hurtsenthusiast-sports-gamers-instead 15. Wikipedia (2008), “Wallhacking,” http://en.wikipedia.org/wiki/Wallhack 16. mr hoodie lol (2007), “Gears of War Hacked,” http://forums.maxconsole.net/showthread.php?t=45086 17. J. Ransom-Wiley (2007), “PSP Downgrader: 3.03 to 1.50 in 8 Simple Steps,” http://www.joystiq.com/2007/01/30/psp-downgrader-3-03-to-1-50-in-8-simple-steps/

15

Bots and Player Aids

he next stage of cheating beyond wallhacks, ESP, and radar is to use this knowledge to augment player performance. After all, once you are playing a game on a computer, it is a fairly small step to program the computer to play the game on your behalf.

T

Game players have always used tools to help them play better, whether the tools are legal or not. Bridge has its hand-ranking systems; blackjack has its basic strategy1; and chess and go have endless volumes of analysis. Interesting borderline cases exist, such as card counting where players use their memory to improve their performance in a game—a tactic that some consider legal and other people view as cheating.

I S I T “H ELP ”

OR

I S I T C HEATING ?

When do strategy and analytic aids cross over into cheating? When an individual person is no longer setting the strategy or making a decision, but the game play is driven by a machine or a team of people colluding together. The problem with fighting player aids is that they are separate from the game and are therefore essentially impossible to detect. There are tons of solvers for the very popular numeric puzzle game, Sudoku; the only way to even consider detecting a solver is to capture the precise timing and order that a player enters numbers into the game state array—both of which can be faked as well. Online poker faces a similar problem. Programmers are building increasingly sophisticated programs that can play a reasonably strong game of poker (in fact, the Polaris Pokerbot won the 2008 Man vs. Machine Poker Championship2). These automated play tools don’t actually need to perform optimally to succeed; they simply need to outperform the majority of players in the majority of hands for the majority of money—poker farming anyone?

146

Chapter 15 Bots and Player Aids

147

Automated poker play strikes at the very heart of the online poker industry. If players believe that they are not playing with other people (and they are losing), the industry could be in real trouble. There have been several largely unsuccessful experiments with using the skill game business model with first person shooters. These types of games are particularly vulnerable to botting and if one of these services ever takes off, it would be interesting to see how long or successfully they would be able to keep botters at bay. Even traditional chess is not immune. Chess computers have been around for years. However, in a recent case in India, a chess player was caught getting advice from a partner with a chess computer and a Bluetooth connection3, resulting in suggestions that future tournaments should be played in Faraday cages. Some games directly support tools for automating portions of game play, but as a feature, not as a cheat. These macros range from simple playback systems that repeat sequences of key strokes to highly elaborate scripting languages. Game developers become concerned when these tools are too successful at game play either when they undermine competition between players or allow totally automated game play (for example, the Glider4 tool automates play for World of Warcraft and is currently the subject of a major lawsuit about the legality of such third-party tools5). Automated game play can be disruptive to other players or can be used to over-efficiently exploit the game’s economy (see Chapter 22 on gold farming). In many cases, the only real violation of the game rules is the fact of these game automation tools’ existence. They are not cheating or exploiting actual game systems, but simply using a computer to play the game instead of a person. In practice, player aids and macros are very difficult to detect because they are not manipulating the game, only automating game play. Either the game operator has to try to detect the player aid application (which doesn’t need to even be on the same computer) or the macro program or else they need to detect automated play—unfortunately, this is often little different than the behavior of a highly skilled player. Some programs do more than play the game well by the rules. They take the next step and cheat. Welcome to the world of aimbots and other bots. A simple bot doesn’t really need to cheat. It can capture display information and use the same data to determine its strategy and directly drive the mouse and keyboard or controller. However, computer actions and reactions are far faster than a player’s and therefore the bot can perform much better (even without elaborate artificial intelligence programming). More sophisticated bots combine wallhack, radar, ESP, and memory editors with some AI programming and automated controls to play much better than a human. Some even replace the game client entirely. Aimbots can find targets and

148

Protecting Games: A Security Handbook for Game Developers and Publishers

DEMONSTRATING A HACK AND THE YOUTUBE THREAT I am lazy. When someone contacts me about their game and wants to discuss security, the first thing I do is check out YouTube. Often, I’ll find wonderful demonstrations and tutorials of hacks for the game. Almost as often, I’ll see examples of what are pretty clearly “fake hacks” that are used to lure players to disclose their account information and passwords. These fake hacks use memory editors and other tools, like Photoshop, to con players by altering the game display on one computer. The clearest way to demonstrate a cheat properly is to show the game display of more than one player at the same time, ideally from two different monitors. The reason for the separate displays is to show that other players are actually seeing the results of the cheat and that it is really having an impact on game play. If this can’t be done, it is actually better to show the perspective of the “cheating victim” rather than the cheater—especially for attacks that involve interaction with other players or the game environment like dupe attacks and speed hacks. This is not true for state disclosure hacks like wallhacks, ESP, aimbots, and radar.

shoot better and faster than any player6. Call of Duty added an interesting feature called “kill cam” that showed the final five seconds of a victim’s life from the perspective of the killer after the victim was killed. Because tools like aimbots and radar cause players to take rather unnatural actions (such as tracking targets through walls), the kill cam was seen as an interesting anti-cheating tool—allowing victims to detect their cheating killers from beyond the grave (or after the fight)7. Automated play, combined with full state information and the ability to simply edit the game’s state, can make for a devastating attack on a game. Real-time games, like first person shooters, MMOs, and real-time strategy games, are all particularly vulnerable to these attacks. After all, any game that favors speed over thought is always going to favor a computer player. Bots and game cheat tools are not just for fun; they are a serious business. Glider, the rather well-known automation tool for World of Warcraft, has an Elite version that costs $5 per month or $60 for a lifetime subscription8. There are several bots for NCsoft’s Lineage 2 that are sold on a subscription basis, including L2Walker and L2Superman that has a $7.50 per month subscription9 with upgrades that add features and keep the tool ahead of the game’s cheat detection system (for comparison, it costs $15 per month for a Lineage 2 subscription).

Chapter 15 Bots and Player Aids

149

Finally, it should be noted that serious game cheats have moved their hack tools off of the computer. In Korea, commercial game hack tools use a smart USB token that includes its own processor. This computer looks like a keyboard, mouse, and video card (all of which can use USB interfaces), but processes the screen and game data totally passively (at least from the PC’s perspective) to implement game cheats. Some of these devices cost as much as $20010. This type of bot could actually be used very effectively against console games as well because it relies purely on information from the game’s display and inputs from the game’s peripherals. Just as cybercrime has moved towards advanced infrastructures and custom products that put conventional IT security companies at a huge disadvantage, criminals, gold farmers, and other serious exploiters targeting games are already developing their own tools and methodologies to attack games more profitably. Advances in virtualization from Xen and VMware are going to make creating very advanced and virtually undetectable client-cheating tools easy.

CAPTCHA S : D ISTINGUISHING P LAYERS

FROM

P ROGRAMS

CAPTCHA (Completely Automated Turing Test To Tell Computers and Humans Apart) is a widely used computer security technique that attempts to distinguish people from computers11. CAPTCHAs are mostly used for login and registration authentication, but some game developers have moved to using CAPTCHAs to stop bots. CAPTCHAs work by providing words, math equations, or images that are difficult for a computer to solve, but easy for a person to distinguish. The problem has grown as hackers have gotten better, and the CAPTCHAs have become more difficult for even a human to use. On a troubling personal note, a regular reader of my blog, PlayNoEvil (http://www.playnoevil.com/), was unable to submit comments for a while because my CAPTCHA system relied on colors. However, he has impaired vision. (Fortunately, I could solve this problem by changing the system’s settings.) I am having more and more difficulty getting through some of these systems myself. Personally, I’ve found it more than a bit ironic that interactive entertainment systems like games are even considering using CAPTCHAs, as this seems to be the ultimate admission of a design flaw. Once you are in the situation where security is a serious problem (as opposed to my blog), CAPTCHAs tend to fall apart quickly. The simplest answer for an attacker is to hire someone to process the CAPTCHA or do so herself. Yes, you can outsource CAPTCHA processing for $1 for 1,000 CAPTCHAs and look at what you get12 (from B. Kreb’s “Web Fraud 2.0: Thwarting Anti-Spam Defenses”):

150

Protecting Games: A Security Handbook for Game Developers and Publishers

The quality of recognition is between 90 percent and 95 percent. We support two-word CAPTCHAs. We support mixed upper- and lowercase CAPTCHAs. The volume that we can accept at any moment from new clients is between 500,000 to 1 million CAPTCHAs in day. We automatically issue refunds for any CAPTCHAs that were solved in more than 60 seconds. We automatically return money for solved CAPTCHAs that include incorrect text. There is also the option to buy software that processes CAPTCHAs automatically13.

C HEAT D ETECTION S YSTEMS The dominant anti-cheating tools today are cheat detection systems. The most well-known commercial products are Even Balance’s PunkBuster, nProtect’s GameGuard, and AhnLab’s HackShield. Some game developers have chosen to create their own tools including Valve Software’s Valve Anti-Cheat (VAC) and Blizzard’s Warden. There are also several independent open source security projects. The single biggest advantage that these systems have is that they can be added to a game anytime, even after it has been completed. In fact, Electronic Arts contracted with Even Balance to add PunkBuster to its MMO Ultima Online nine years after the game launched, although it appears that the project was eventually put on hold14. Cheat detection systems are essentially operated as a service. They need to be constantly updated to identify the latest threats as well as to protect themselves against hackers who choose to target the security tools directly. In general, all of these tools work the same way. There is a security client installed with the game client and a central security server that runs in parallel with the game client and game server. The Security Client creates a client ID and may use hardware-fingerprinting techniques to identify the player’s computer. This client ID is used to register the game client/security client pair with both the game server and the security server. The security client has two major functions: It is responsible for analyzing the player computer to identify any sort of threat (such as the radar, aimbot, and other hacks, and, in some cases, key-loggers and other forms of malicious code that can target the game). It is also responsible for reporting its status regularly to both the

Chapter 15 Bots and Player Aids

151

FIGURE 15.1 Cheat detection system architecture

game client and security server—sending a “heart beat” signal that it is still alive and operating correctly (Note: The blind authentication technique discussed in Chapter 14 can also be used to verify the integrity of the security client.) In general, cheat detection systems use the same techniques as anti-virus programs: They scan the entire memory space of the computer looking for items of interest. Instead of looking for worms or virus-infected programs, cheat detection systems look for signatures associated with known cheat applications or malicious libraries loaded in memory. If a cheat signature is identified, the security client sends a notification to the game client and security server. The security client can use whitelist and blacklist techniques to help with the forensic analysis of potential cheat applications. Whitelists are known programs that have been determined to not affect the security of the game and blacklisted programs are known cheating applications. The problem, of course, is that there are hundreds of thousands, if not millions, of different programs that may be installed on a user computer. Also, game cheat writers, just like virus authors, use techniques to hide their applications and obscure their signatures. World of Warcraft hackers used the Sony BMG Rootkit to hide their attacks from Warden within weeks of the disclosure of the rootkit15. It would also be possible for these cheat detection applications to profile all of the programs installed on the player’s computer by scanning the PC’s hard drive, even if the programs are not apparently being run while the game is being played. Because these security clients often report back information about the applications on the player computer, there are some rather serious concerns about privacy that may create legal risks for the game operator or security firm. Most of the security clients do not return actual information back about the applications that are

152

Protecting Games: A Security Handbook for Game Developers and Publishers

running on a PC, but rather send a hash value signature back to the central server to minimize their privacy impact. Whether this is legally sufficient or not is a different question. Hackers do not actually need to stop the security client’s operation, however. Instead, they can spoof the security client’s communications to report that everything is okay to the game client and the security server, even if the security client has been shut down or has detected a hack. The game client is a particular target for this sort of attack: It is rarely designed with security in mind and the security client API (application programming interface—the connection between the two applications) was likely integrated into the game client very late in the development process. Because many games support player-to-player communications, it may be possible for a hacker to send data that looks like a cheat as part of regular game communications to trigger a penalty for another player16. After all, cheaters just want to win, they do not care how they do so. It is important that the security server and game server coordinate their actions. After all, the cheater is really targeting the game client and game server and if the cheater can somehow separate the security systems from the game systems, the cheater will win, even if cheats are detected. Thus, it is critical that the client ID is shared and used effectively by both servers. A cheat detection system is more than its technological platform; it is really a service. The security client is not a preemptive security tool; it only can profile known cheats, just like an anti-virus product. Unlike anti-virus tools, however, which can cover everyone with a Windows or OSX operating system, cheat signatures are almost totally game specific. Game publishers need to contract with the security provider for each game for as long as they want the system to be kept upto-date. For some licensed MMOs, the licensee also has to pay for the service. (I think this is a bad business practice; adequate security should be included as part of any licensing agreement.) The operational activities for a cheat detection system service are as follows: Surveillance—The CDS provider monitors cheater forums and hacker sites, as well as getting information from the game operator about the latest cheats. However, the criminalization of game hacking has meant that some of the most damaging cheats are not being used by many people. This implies that the most damaging cheats will not be found by this sort of surveillance. Anti-virus companies are having the same problem with viruses, worms, and other malicious code being targeted at single companies or even individuals. Collection—Once a new cheat is identified, the CDS provider needs to acquire a copy. Both surveillance and collection require CDS provider personnel to be able to infiltrate cheating communities.

Chapter 15 Bots and Player Aids

153

Analysis—The CDS provider will disassemble, analyze, and determine the risks for the cheat, whether it actually works, how the cheater attempted to protect it, and how to construct the best signature to identify the cheat. Signature Development—The CDS provider may either create a simple new signature to be added to the CDS security client signature database or require an update to the security client to add a new scanning capability. Distribution and Update —The CDS provider must then update the security clients and/or their signature databases. It is important for the CDS provider to ensure that all active security clients are fully updated. The distribution, updates, and operation of the security client all have an impact on network bandwidth and available CPU resources at the player computer. There have been a number of complaints, some quite serious, about the performance impact of these tools on the performance of the game that the tool is intended to protect. One real weakness of the cheat detection system strategy is that it is rarely used to improve the game, just patch over weaknesses. Once a cheat is identified, it should also be assigned to the game’s ongoing support team to see if there is a way to actually solve the underlying problem that allows the cheat. Some skill game operators use cheat detection systems. As skill games, online gambling, and other games-for-money businesses grow, this security strategy will likely fail. Highly targeted, limited distribution cheats can be very profitable in these games, just as they are for gold farmers. As attackers get more sophisticated, the cost for an effective CDS will rise. This may force game operators to bring the service in-house. The most costly portions of the CDS are surveillance and collection. It may make sense for game operators to carry out these activities themselves and only consider outsourcing the remaining CDS functions: analysis, signature development, and distribution. Philosophically, the cheat detection system strategy essentially encourages developer laziness. Rather than avoiding cheating problems from the beginning of the game development process (and, at this point in the evolution of the game industry, many of the cheating problems are quite well known), game developers simply leave cheating and the whole host of operational and support issues to those people unlucky enough to still be on the project after the game is completed. Lack of life cycle engineering and accountability for games is quite costly. The cheat detection system strategy does work very well as a “belt and suspenders” tool to augment strong security engineering throughout the design process.

154

Protecting Games: A Security Handbook for Game Developers and Publishers

As a final note, I have seen a couple of Asian online games experimenting with bundling traditional security software with their game security tools. This is an intriguing idea, as game businesses are hit hard and in their pocketbooks by keyloggers and other viruses and malware.

R EFERENCES 1. M. Shackleford (2008), “How to Play Blackjack,” http://wizardofodds.com/blackjack 2. Stoxpoker.com (2008), “The Second Man vs. Machine Poker Championship,” http://www.stoxpoker.com/man_vs_machine.html 3. Australian IT (2006), Bluetooth Chess Cheat Caught,” http://www.australianit.news.com.au/story/0,24897,20981444-15306,00.html 4. MDY Industries, LLC (2008), “Glider FAQ,” http://www.mmoglider.com/FAQ.aspx 5. B. Duranske (2008), “World of Warcraft Glider Litigation Update: Final Briefing On Blizzard’s Request for Injunction Filed,” http://virtuallyblind.com/2008/08/27/glider-blizzard-response-injunction/ 6. Smik3r (2008), “TF2 Hacks Aimbot NoSpread ArtificialAiming.net Scout Ownage,” http://www.youtube.com/watch?v=LWVqtzK0zf4 7. G. Kasavin (2003), “Call of Duty Review,” http://www.gamespot.com/pc/action/callofduty/review.html (page 2) 8. MDY Industries, LLC (2008), “Subscribe to Glider Elite,” http://www.mmoglider.com/Subscribe.aspx 9. GoGYGO (2008), “GoGYGO Products,” http://www.gogygo.com/products.php 10. Cho J. (2006), “Mouse Plays When Gamer’s Away,” http://search.hankooki.com/times/times_view.php?term=online+game++&path=hankooki3/times/ lpage/culture/200603/kt2006032619493065520.htm&media=kt 11. Carnegie Mellon University (2008), “What Is a CAPTCHA?,” http://recaptcha.net/captcha.html 12. B. Krebs (2008), “Web Fraud 2.0: Thwarting Anti-Spam Defenses,” http://voices.washingtonpost.com/securityfix/2008/08/web_fraud_20_defeating_anti-sp.html 13. CL Auto Posting Tool (2008), “CL Auto Posting Tool,” http://www.adsoncraigs.com/ 14. Electronic Arts (2006), “PunkBuster on Hold,” http://www.uo.com/cgi-bin/newstools.pl?Article=9619 15. R. Lemos (2005), “World of Warcraft Hackers Using Sony BMG Rootkit,” http://www.securityfocus.com/brief/34 16. Pansemuckl (2005), “The Unerring PunkBuster...,” http://forum.netcoders.cc/announcements/14061-unerring-punkbuster.html

16

Network Attacks: Timing Attacks, Standbying, Bridging, and Race Conditions

he Internet is like the Wild West. Totally untamed and dangerous, we are all told. Hackers, thieves, and criminals lurk around every corner. No one seems to have told a lot of game developers, as they regularly leave their online games wide open to all sorts of attacks.

T

Network attacks target game applications from their network interface. Once again, attackers benefit from the habit of developers to start with a standalone, single-player game and then add online play as a feature. Building a safe online game requires a level of formality about time, transactions, and interactions that most programmers are not used to. Consoles and MMOs are the main targets. Typically, PC games are attacked more directly through the game application.

ACID, D UPES ,

AND

SQL A TTACKS

Games are transactional systems. Unfortunately, game developers often fail to build their games on a foundation of well-constructed transactions and attackers regularly exploit these poor implementations. Even simple stock market games can be vulnerable. Market games are very popular with aspiring investors and the genre has grown to encompass everything from celebrities to fashion and even the U.S. Congress1. Trading is an easy game mechanic to understand and reasonably easy to implement. Developers need to be careful, as CNBC found out with its “Million Dollar Portfolio Challenge” in 2007 where players determined that they could post virtual stock trades after the real market had closed. The technique was fairly simple—they entered their trades before the stock market closed at 4PM Eastern Time, but did not execute them until after 4PM when the companies announced their earnings and their stock prices jumped in after hours trading. If the stock didn’t pop, no problem, the player simply didn’t complete the order 2. The scandal was

155

156

Protecting Games: A Security Handbook for Game Developers and Publishers

eventually exposed and caused a delay in awarding the top prize and caused a black eye for what would have otherwise been a very successful promotion. These types of race conditions can also happen within a PC game, as Lionhead found with its Fable 2 pub games3. Mostly, however, these attacks occur over networks. Virtually every online game has been hit by some sort of dupe attack. Players use the game’s interface and controls to induce the game to duplicate virtual items or currency and can cause great difficulty for the game operator. Recently, the Philippine licensee of Ragnarok Online, Level Up!, had to roll back the game (costing players two weeks of game progress and leading the company to provide two weeks of extra game time and other bonuses in compensation) because of a severe dupe problem that resulted in nearly 500 percent inflation of the game’s currency 4. Dupe attacks are often caused by race conditions in different parts of the game application. Different parts of the application are updated at different times or “trust” data from unreliable, intermediate sources (often internal variables or cached information). In the CNBC case, it appears that permission to make an order was determined at the time the player chose the stock ticker rather than when they selected the number of shares and clicked the Order button. World of Warcraft apparently had a similar race condition in which a player could transfer all of her gold from one account to another, log off quickly, and then log back in again and the gold would still be in the first account5. The solution to dupe attacks comes from applying good database design principles to game transactions. ACID is an acronym for the properties necessary to ensure that transactions are properly processed 6: Atomicity—Either an entire set of transaction tasks occur or none do. Consistency—No bad data will be introduced into the system due to a transaction. Isolation—State or date affected by the transaction will not be visible to entities outside of the transaction until it is complete (or rolled back). Durability—Once completed, a transaction will persist. In MMOs, the server is typically the authoritative source for information and so there is a single database which, conceptually, makes implementing proper transactions easy. For peer-to-peer games, however, ensuring data consistency over a network can be very challenging from a technical perspective. It is also important to provide a clear player display and control process to handle rollbacks to a previous state and other problems.

Chapter 16 Network Attacks: Timing Attacks, Standbying, Bridging, and Race Conditions

157

So far, we’ve discussed action-based networking and state-based networking. Some MMO developers have chosen a truly dangerous approach that lies between the two: SQL-based networking. SQL (Structured Query Language) is a widely used standard protocol for communicating with a database. I’ve heard anecdotally that there is at least one MMO that ships with a full SQL client embedded in the game client. Because SQL communicates directly with the database that stores the game state, SQL commands can be used to directly read, write, and edit anything about the game. In some sense, this is even worse than a state-based system. A malicious user with full SQL access to a database can create new items or player attributes or pretty much anything they can imagine. Some web applications are vulnerable to SQL injection7 attacks—where players can somehow bypass the server application to communicate directly with the database. There are tools and programming techniques to stop such attacks from happening by stopping web users from entering any SQL commands via the web interface. However, building a game that uses SQL for networking is almost impossible to protect because the player client application relies on posting player actions or state updates via SQL queries. The best way to protect against these attacks is to insert a proxy between the game client and database server that converts game actions into SQL queries that the database, server-side data store, or game application can process.

D EFENSIVE P ROXIES Proxies are a powerful security tool that, if implemented properly, truly provide “defense in depth.” A communications proxy takes incoming communication packets or streams and parses and validates its structure and content independent of the state of the underlying application. A proxy answers the question: “Is this a well-formed communication?” Once processed by the proxy, the game application determines if the message is appropriate to the game’s current state and that the message is from a valid source. Only if an incoming message is validated by both the communications proxy and the game application will the game application proceed and process the player action. Standard Internet firewalls and packet inspection tools are, essentially, generic proxies that can parse and validate a wide range of web protocols. The art of proxy design is to manage the trade-off between the functions of the proxy and the actual application (see Figure 16.1). Some proxy systems go an extra step and actually reformat incoming message data into an alternate format for internal processing to further isolate external from internal communications.

158

Protecting Games: A Security Handbook for Game Developers and Publishers

FIGURE 16.1 Defensive proxies

Proxies can also handle access control, source authentication, and they are a natural location to implement logging. Proxy servers can be implemented in front of game servers instead of, or as a complement to, conventional firewalls. Where possible, they should be designed to be stateless so that they can be replicated using low-cost real or virtual servers. A stateless proxy server design will make it easier for the game service to scale efficiently. An implicit advantage of a deep, powerful proxy design is that having a separate software application (and, ideally, a different development team) will likely tighten the implementation and security of the overall system’s interfaces by both groups. Problems such as buffer overflows and malformed messages will have at least two independent chances of being caught, as the two development teams should each be looking at the incoming data separately (simply replicating the message parsing code in the two systems will undo this security benefit, of course). Defensive proxies can be part of the architecture for peer-to-peer systems as well as client-server applications. They can provide performance as well as security benefits and can help cleanly decouple the networking subsystem from the core game application (local player actions could be processed through the proxy service as well so that the game engine has a single interface for all players).

H ACKER P ROXIES A hacker proxy is typically a computer that sits between the target platform (PC or console) and the remote server or other player platforms that is used as a means to attack games on their network interface. It is possible for the hacker proxy to be an

Chapter 16 Network Attacks: Timing Attacks, Standbying, Bridging, and Race Conditions

159

additional application on a player’s PC that intercepts and alters network packets before they are sent to other players. Another hacker proxy technique is to simply insert a switch that disconnects the player’s PC or game console from the network8. A consistent, underlying problem with networked games is that game designers often assume that they have secure, reliable communications. However, it is sometimes still possible to attack a game even if its communications are fully encrypted. Halo 2 on the Xbox console had some serious proxy problems, as discussed in an entertaining and detailed article at GamesFirst! by Shawn Rider 9: The bridger is the center of power in a cheating setup. [The cheaters] use a fairly complex method to run the Xbox’s Internet connection through a personal computer. On the computer [the cheaters] use [commercial] software, including the popular Zone Alarm firewall program, to control what computers the Xbox can connect to. By using some tricky methods, [the cheaters] can completely control the hosting of the game. They can determine who can connect, they can lag out [induce sufficient network delays so that the player will be knocked out of the game] especially good players on the opposing team, and, most importantly, they facilitate the “standby” technique. The standby cheat is simple: Cheaters with cable or DSL modems will push the “standby” button on the modem [or in software on the bridger computer] to force everyone else in the game to be presented with the blue screen of “waiting.” During this time, the gamer who initiated the standby can move in the game world freely while all of the other players stand frozen in time. The cheater can blow away a flag holder, for example, return the flag, [and] then press his modem’s standby button again, resuming the game. It is easier to understand hacker proxies in terms of chess. Players A and B are playing chess online. The game developers didn’t really bother to understand the rules of the game, so they just implemented the game as a big blob of code and game state. The easiest way to network this game is to duplicate the game state over the network (here is where developers can fiddle with object synchronization and differential object synchronization, prediction, and all sorts of clever things). So, basically when Player A makes a move, the updated game board is sent to Player B. Then B moves (or, if they are playing Real-Time Chess, they both move) and the game board objects are synchronized. Viola—a “network” game. This is also why it is so easy to build these “network games” ... and why it is so easy to hack them.

160

Protecting Games: A Security Handbook for Game Developers and Publishers

This attack works by abusing the multitude of problems here. Evil Player B wants an edge. So, what she does is stop listening to Player A for a while and simply run the game (she can even add in suitably “helpful” moves on Player A’s behalf to get the results she wants). Once Player B gets the game “just right,” she reconnects to the network and sends the game to Player A... whose computer simply accepts the data. The problem is that with anything but the most trivial game, it is impossible for the receiving game object blob to validate the new game object blob against any form of rules. Think of looking at a chess game if you were allowed to move all of your pieces at once, but you are only able to do validation of the game board at Time 1 versus the game board at Time 2. There are two types of hacker proxies: White Box Proxy—A proxy application that can peer into the game data packets and edit them, control when they are sent, reorder them, as well as pass data on to either the local game instance or the remote game instances. This is the most powerful form of proxy and may not always be practical (for example, if hardware and cryptographic security work effectively on a game console, it may not be possible to edit packets or re-order them—your mileage may vary). Black Box Proxy—A proxy application that cannot peer into the contents of game data packets. A black box proxy can control game data packets externally: controlling when a packet is sent, the order in which packets are sent, whether packets are sent multiple times (replay), and whether a packet is sent at all. This kind of proxy can sometimes be implemented by simply pressing the Standby button on a cable modem, as noted previously. This type of proxy cannot really be prevented, but should be detectable and addressed in the game’s design and networking system. Hacker proxies can be used to implement a wide range of attacks on a game, purely from its network communications: Speed Hack—There are three types of speed hacks that work by accelerating or decelerating the pace of network communications. This can sometimes be implemented even if network communications are encrypted: Message Overflow/Speed Hacks—By driving messages/commands at a pace that is not expected by the remote system, a malicious user can perform substantially faster than permitted 10, 11.

Chapter 16 Network Attacks: Timing Attacks, Standbying, Bridging, and Race Conditions

161

Lazy Communications/Telepathy—By slowing the apparent response and reception of messages by the recipient application, a malicious player can effectively “predict” incoming data and respond at an advantage. Late Bet—Wagers are a sure thing when you already know the outcome. Gambling cheaters target all sorts of games to figure out how to place a bet after the event has occurred. Late bet scams have shown up in “The Sting,” a real racing scandal in New York12, and at roulette, craps, and other casino games. Standbying: Lag/Resynch Attack—An extreme version of the lazy communications attack. It works by dropping the malicious computer out of the network/ game and proceeding with game play disconnected. Then the malicious player reconnects in a preferred state13, 14. The length of time that a game will tolerate a dropped or slow connection can vary widely. This attack is predicated on trusting data from a remote player. Typically, it requires a state-based resynchronization model. Packet Hack—The raw manipulation of network packets. It is the network equivalent of a memory editor. Good network manipulation tools will correct checksums, sequence numbers, and other non-secure message integrity features. Encryption might not always stop packet hacks, because some cryptographic modes allow linear changes to encrypted data to be undetected. This type of manipulation can be very effective if the hackers know what the underlying text is and what they wish it to be without breaking the encryption function. Bridging—A special, more common, case of a packet hack. It works by using a proxy, such as a firewall, to pretend to be a different server or computer. Bridging is typically done as part of another attack because the specified address, often a company server, is considered trusted by the client application. Game Injection—A wholesale synchronization attack. The hacker can save the state of a favorite game with the right number and type of players and push its state out to the other players. Note: This may require a proxy to facilitate the attack. Depending on the networking architecture, a malicious player could use a proxy to “push” a preferred game state to an accomplice who would then propagate it to the other players. Abandonment—Some players simply abandon a game to avoid losing or hurting their ranking or status. They break the connection to the remote players or server or simply turn off the platform. The challenge for the game operator and other players is to determine the difference between “natural disasters” and poor sportsmanship (this issue is discussed further in Chapter 20).

162

Protecting Games: A Security Handbook for Game Developers and Publishers

Well-constructed encryption and authentication systems at the network layer can stop many, but not all, of these attacks. Standbying and lazy communications, for example, do not require manipulating the content of the message packets. These attacks only require control of the physical and electronic network to slow down or stop the delivery of game data packets. Server-based games can address these problems by having a formal, unforgiving model for controlling network time, as discussed in the next section. At a low level, IT GlobalSecure’s SecurePlay Strobe and Act protocols were designed to fight many of these attacks for both client-server and peer-to-peer games. These protocols work by creating a logical network “tick” that all game players share. Essentially, the protocols require the players to all commit to their next action or state update and then reveal them as if they were playing an elaborate sequence of the rock-paper-scissors game: // Strobe Protocol Mi = {i,Ti = T(Ai)}; // each player i selects an action Ai and computes its // irreversible transform and builds a message package Mi Send(Mi); // each player sends its identity and the computed transform // to all of the other players Store Mi; // each player stores all incoming Mis from the other players if (all non-internal Mi’s received) { SendInternal {i,Ai}; // after receiving the transforms from all of the other players, // each player i sends his or her action to the others } for each {i,Ai} { // for each received action Extract (Ti from Mi); // extract the previously stored transform for that player’s action if (T(Ai) != Ti) then { do exception processing;} else { store (i,Ai) }; // accumulate players’ actions for network tick } if (all player actions received) { process all {i,Ai};

Chapter 16 Network Attacks: Timing Attacks, Standbying, Bridging, and Race Conditions

163

// once all player actions are received and validated, update the game } repeat; // start next game tick

The protocol is structured so that all players contribute to updating the game (either actions or state) without knowing the activities of the other players. Therefore, it is impossible for a player to manipulate lag or benefit from prior knowledge of other player’s actions. The Act protocol extends this concept by integrating the collaborative random number generation process discussed in Chapter 13. There is a definite performance impact from using this protocol; it requires two sequential messages to update the game’s state from each player. This can be compensated for in the game’s design or by pipelining a parallel set of strobe protocol instances (see secureplay.com for additional information).

T HINKING A BOUT N ETWORK T IME : A CT , B UT V ERIFY Minute by minute and day by day, we tend not to think too much about time. It flows along unnoticed. Unfortunately, as you read previously, neglecting time can cause real cheating problems for game developers. Network lag and race conditions are often hard to test or replicate and cause problems for all sorts of general business applications. The default strategy for handling time has been to make it seem as smooth as possible for players. Errors are usually assumed to be accidental, not malicious. The trusted client problem often includes a substantial trusted client time component. Developers need to take a more formal view of time and create a systematic “time policy,” as follows: How out of synch should players be allowed to become? Where does a game roll back to? How do you present this to players? What are the consequences of a dropped connection? These questions and more must be addressed consciously by game designers or they will be handled implicitly in the hands of individual game programmers. Key factors that need to be considered include: Delay—What is the time interval after which the game must stop? Interaction—How “old” can an incoming action be and still be accepted by other players? Actions from remote players are always associated with some time in the past. How does the game play system integrate old remote actions with new local actions and somehow synchronize state between the players?

164

Protecting Games: A Security Handbook for Game Developers and Publishers

Tick—What is the basic “tick” of the game’s network clock? In some sense, there needs to be a notion of “minimum duration” during which each player can take only one set of actions. If the game’s internal temporal model for “ticking” and player interaction does not correspond with the game’s network model, game play can break down. Interference—The interactions of different player actions need to have reasonable and understandable consequences based on each player’s notion of state and action. Display Prediction and State Confusion—The interactions of the player display or presentation and the actual game state can become complicated by poor predictions by the game presentation engine and the actual actions of the remote player. Does a player have a shot available at a target? What does a maneuver really look like relative to another player? This is an important issue to ensure that real-time games feel responsive and that the display is accurate and smooth. These issues, obviously, only exist with real-time games. Turn-based games can be paused easily and rolled back to the last action. Although the trend in game design has been towards real-time games, another advantage of turn-based games is that they can be “played by mail” and so players do not have to reconnect in real time to resume play in case of an interruption. This makes game abandonment as well as many other network attacks almost irrelevant. It is possible to decompose players’ actions over networks into a series of discrete phases for which game developers need to define clear time policy choices: Decision—The instant an internal player’s action enters the game play engine. Commitment—The instant before which the action will be automatically aborted/changed to address new incoming information that was not available when the player made a decision. Success—The instant after which the action has some probability of resolving successfully. Resolution—The instant when the action triggers consequences in the game play engine. Conclusion—The instant after which the player is allowed to choose a next action. This is a sample time policy model. Different models are certainly applicable to different games and networking strategies. The key factor for a successful network game experience for players from both a game play and security perspective is to

Chapter 16 Network Attacks: Timing Attacks, Standbying, Bridging, and Race Conditions

165

systematically address how game state will be updated, how players’ actions will be resolved through the games rules, and how the game’s display will communicate state in a networked environment.

S ECURING T IME Handling time is probably the most difficult problem for multi-player and networked games. It collides with hard problems from computer programming for handling concurrency and simply handling lag and latency over wide area networks. Securely managing time in a game is aggravated by cheating players who are more than willing to abuse game time, network communications, and synchronization services to their own ends. Turn-based gaming is an easy answer, but it does not meet the needs of many developers who want to fully tap the power of gaming platforms and modern broadband communications.

R EFERENCES 1. A. Varney (2007), “Offbeat Sports Games,” http://www.escapistmagazine.com/articles/view/issues/issue_78/446-Offbeat-Sports-Games 2. T. Catts (2007), “CNBC’s Easy Money,” http://www.businessweek.com/bwdaily/dnflash/content/jun2007/db20070607_007145.htm 3. R. Miller (2008), “Fable 2 Pub Games Exploit Will Make You Very, Very Rich,” http://www.joystiq.com/2008/08/15/fable-2-pub-games-exploit-will-make-you-very-very-rich/ 4. Level Up (2008), “RF Online Economy Fix,” http://risingforce.levelupgames.ph/news_main_view.html?rid=155 5. Ryan A. (2006), “Players Found New Golden Exploit for WoW,” http://mmorpg.qj.net/Players-found-new-golden-exploit-for-WoW/pg/49/aid/75854 6. Wikipedia (2008), “ACID,” http://en.wikipedia.org/wiki/ACID 7. Wikipedia (2008), “SQL Injection,” http://en.wikipedia.org/wiki/SQL_injection 8. MFCrow (2008), “Xbox Live Lag Switch: JRG 11.5,” http://www.youtube.com/watch?v=jvIyAkQ49Qo&NR=1 9. S. Rider (2006), “A Bridge Too Far: The World of Halo 2 Cheating,” http://gamesfirst.com/?id=1342 10. T. Bramwell (2004), “Blizzard Bans World of Warcraft Cheaters,” http://www.gamesindustry.biz/content_page.php?aid=5800 11. CCP Wrangler (2007), “Rapid Fire Exploit,” http://myeve.eve-online.com/ingameboard.asp?a=topic&threadID=657524 12. J. Drape (2002), “HORSE RACING; Pick-Six Fix Admitted As Giuliani Steps In,” http://query.nytimes.com/gst/fullpage.html?res=9905E5DC1439F932A15752C1A9649C8B63 13. B. Kuchera (2006), “Saint’s Row Receives Quite the Patch,” http://arstechnica.com/journals/thumbs.ars/2006/10/31/ 14. N. Doerr (2007), “Insomniac Sets Up a Ban Policy for Resistance,” http://www.ps3fanboy.com/2007/04/27/insomniac-sets-up-a-ban-policy-for-resistance/

17

Game Design and Security

ame design is the foundation of a fun, successful, entertaining or educational game. One of the keys to making a great game is ensuring that the game design—the rules and framework for how the game is played—keeps the players playing by the game’s rules. Unfortunately, computer games can hide weak designs behind pretty graphics, stunning animations, and elaborate plots. At least, until there is more than one player involved.

G

This discussion of game design is not about creating a great or even a good game; it is about avoiding design traps that undermine the intent of the game design. There may be cases where it is desirable or necessary to build a game with a known security weakness. It is essential that when this choice is made, a game designer does so consciously with an appreciation for the consequences. Ideally, security constraints to stop cheating, piracy, and other forms of game abuse should spur game designers to create successful games that also avoid the problems or turn security problems into game play features.

D ESIGN E XPLOITS One category of game security problems should be entirely avoidable: exploits of game design flaws. As introduced in Chapter 13, a game design exploit is a weakness in the game design if it gives players who use it a substantial, unintended advantage over other players. Game design flaws are often the result of the rush to complete games and lack of focus on game design analysis. Within days of the launch of Age of Conan, for example, players with Demonologist characters found a way to reach the top level in the game with just four days of game play 1. Economic systems, combat, movement, and other game systems too often have serious flaws that arise from focusing on the graphics and the cosmetic “chrome” of gaming rather than proper design and thorough game play testing. Although analysis is useful, play testing using paper and pencil may be the best way to exercise game systems cost effectively and eliminate the worst design exploits. 166

Chapter 17 Game Design and Security

167

C OLLUSION Collusion, first discussed in Chapter 13, is one of the more pernicious problems for computer games. When players are playing online, there is no way to prevent players from communicating and coordinating their plans, especially if they do so outside the game. Simply making collusion against the rules, as Svenska Spel found at great expense with its flawed lottery game2, is futile. The easy answer, making collusion a legal game mechanic—cooperation—is a great option when it is possible. There are other design strategies. In-game betrayal is very effective. CCP Games’ space-based MMO EVE Online has numerous instances of players backstabbing each other. Cooperation is allowed, even encouraged, but the game’s deep economic systems mean that betrayal can be very profitable or just fun. In one example among many, a player set up a bank inside the game that a large number of other players used for a while earning interest and making loans—that is, until the bank operator ran off with the equivalent of $170,000 in virtual currency 3. Cooperation and competition dictated by the game mechanics is also an option. The Austrian card game, Königrufen (“The Calling of a King”)4, has an elaborate bidding system, similar to that in Bridge. The bids themselves determine player partnerships—with some hands being played solo and others with partnerships based on calling a king by suit, hence the game’s name. If you are the player with the called king, you are the partner of the declarer for that hand. Many games incorporate wagering as a game mechanic. For these games, unrestricted side wagers for or against any player can mitigate the benefits of collusion. The only two games that I have seen that use this approach are my favorite casual board game called “The Really Nasty Horse Racing Game” 5 and the dice game craps. Online poker services claim to detect collusion through extensive statistical analysis of game play and patterns. However, the weakness of online identity and the financial benefits of serious collusion make the effectiveness of such techniques suspect. Game operators can try to use platform fingerprinting, IP address information, account information, bank information, and basically anything else they can find to create enough identity information to look for teams of players. Without strong identity, any statistical analysis is going to be pretty weak. Even if you can somehow detect a player team, the real question becomes what to do about them.

T RIVIA G AMES Trivia games are terribly popular and terribly difficult to secure as online games. First, trivia games as a category are inherently weak in the world of modern computers and the Internet. Players can collude, research answers, and, most dangerously, build a catalog of questions.

168

Protecting Games: A Security Handbook for Game Developers and Publishers

The cataloging problem is expensive to fight. Basically, every time the game is played, the questions that are asked (and their answers, if revealed) can be added by malicious players to a catalog list that can be used by their comrades. Economics works against the game developers: It costs the developer more money to create each question than it does for cheaters to catalog the answers. Ideally, from a security perspective, a question should be used only once. In practice, questions will need to be used many times. How does one try to balance this essential inconsistency between security and business? Here are some ideas: Don’t Reveal Individual Answers—Only report the bare minimum amount of information to the players—whether they won or lost, got to the next level, won a prize, and so on—without revealing the individual answers to the questions. This does not prevent cataloging of questions, but it makes it more difficult to collect the answers. Cost of Entry—Create a cost to enter the game. This often creates a legal problem for trivia games where they can potentially become gambling games instead of contests for fun (see Chapter 31). Strong Identity—If the game operators can create a strong identification of each individual player, they can fight multiple entries by individual players. This does not stop team collusion. Split Question Pool—Once a player answers a question wrong (whether the answer is revealed or not), she is switched to a question pool that is not used for the “big prize.” This reduces the number of “important” questions that can be revealed to any given player. Analytics—It is important to track the number of times a question has been asked and how many times it has been answered correctly. Also, it would be valuable to track changes in any statistical changes in the likelihood that a player answers a question correctly, because this could be a good indicator of cataloging (if the observed daily rate for answering a question correctly jumps from 20 percent to 60 percent, the question has likely been compromised). Honeypot Questions—These questions are asked more often (not drawn from the ordinary random pool) and are used to help model cataloging efforts by players (by determining how quickly questions become “easy” for players). The question may be extraordinarily difficult or even have a wrong answer to help identify anomalous player behavior. False Game—The way that players actually progress through a contest is not tied to their answers in the trivia game, but based on some other criteria. For example, simply entering a trivia game during a day (or achieving a modest,

Chapter 17 Game Design and Security

169

minimum score) may be enough to be allowed to progress to a final drawing for an advergame. Multiple Tiers—Divide the game into multiple tiers that act as filters to reduce the number of questions that are exposed to a large game-playing population. Non-Traditional Question Presentation Methods—Use voice, imagery, and other alternative means to convey the questions to players. This makes cataloging harder; it does not prevent it. It may also drive up the cost to create each question, which can have a net negative impact on the game’s security. Face-to-Face Play—Switch players to a face-to-face competition after preliminary, online game rounds (this is essentially another multiple-tier system). The potential embarrassment of not being able to use a catalog or other cheating methods in public can act as an additional deterrent. Trivia games are essentially a resource battle between cheaters and developers. The developers want to reduce the effective cost of creating each question and maximizing the number of times that the question can be reused, whereas the attacker wants to acquire the answers to the questions as cheaply as possible. As noted earlier, from an ideal security perspective, each question should be used only once and the sequence of questions should work to rapidly filter players away from victory and exposing unused questions.

W ORD , N UMBER ,

AND

P UZZLE G AMES

Brain Age is a very successful and popular “self-improvement” game and it has a number of online imitators. However, games that rely on basic mathematical, word, or other puzzles are not very likely to work in an online multi-player, competitive environment. It is too easy to cheat at these games and impossible to protect them. The Scrabble Word Finder7 provides its users with all of those wonderful sevenletter words and the longest words based on their current tiles (the tool apparently does not do any analysis of the current game board looking for highest scores, but Scrabble players tend to do better by cycling their hand as quickly as possible). Scrabble Word Finder is an example of a “strong play” tool. These tools do not give optimal strategies or perfect play techniques, but rather are “good enough” to allow their users to defeat most opponents. Because there are opportunities to play more game sessions online than there are to play games face-to-face, these strong play tools are good enough to give a player that uses them a substantial advantage. The tool doesn’t necessarily need to find the actual answer, but needs to merely present a reduced set of good options that a human player can use to gain an advantage.

170

Protecting Games: A Security Handbook for Game Developers and Publishers

Word, number, and puzzle games are generically vulnerable to “catalog attacks,” where cheaters basically exhaust all of the game play options to find good or best solutions. A catalog attack can even work with a physics-based game if the range of player choices is sufficiently restricted. Basically, the catalog tool would rapidly model a whole series of different player choices and then pick the best options or further refine possible player choices based on the best results from the simulation. This may be substantially faster than attempting to algorithmically solve the game. A cheater may find it faster to search for good solutions by trial and error rather than attempting to derive an optimal, closed solution to the game. This is especially true if the game’s interface effectively restricts the granularity of player choices (for example, restricting distance to multiples of a unit value such as inches or direction to a multiple of two degrees).

A LGORITHMIC G AMES , P HYSICS F LAWS ,

AND

P REDICTABLE B EHAVIOR

Many games are based on underlying mathematical models. In the real world, modeling golf, darts, and pool would require including a massive number of variables and complex interactions. For golf they are daunting—the speed of the swing, the precise angle and position that the club hits the ball, the wind, the terrain from where the ball is launched, and certainly the topography of where the ball lands. Other games, such as blackjack and roulette, rely on the random deal of cards or the spin of a wheel to make them interesting. In some cases, there is less complexity than people thought. For decades, players have been counting cards in blackjack to try (mostly unsuccessfully) to get an advantage over casinos. There were no strong card counting systems until the publication of Dr. Edward Thorp’s “Beat the Dealer,” which described a counting scheme that would give the player a mathematical advantage over the table7. Initially, the casino industry was very concerned by Dr. Thorp’s technique. However, the casinos found that most players actually couldn’t follow the system—although many players tried and tried and tried and led to huge growth in blackjack revenues for casinos. Unlike most human players, computers can easily implement such counting systems (as can highly coordinated blackjack teams) and so are banned from casinos. Modern computers have been able to solve roulette and have been used covertly by cheaters in casinos. Interestingly, courts in the UK and Spain have ruled that such devices are not illegal (just as card counting isn’t illegal), and it is up to casinos to detect and control their use8.

Chapter 17 Game Design and Security

171

For standard computer games based on physics, the thousands of variables found in real life are commonly collapsed into a very simple mathematical model. Algorithmic attacks basically target the underlying mathematical model for the game to find the best solution. Even if the attacker doesn’t know the precise model that the game is using, physics is physics and is not a secret. By carefully running experiments and monitoring results, the attacker can reverse-engineer the game’s underlying mathematical model, or at the very least, the most sensitive parameters affecting an action’s outcome. Skill games based on “turn-based physics games” seem to be growing in popularity —darts, pool, pinball, pachinko, and, of course, golf. Because the games have a business model tied to competition based on the skill of the game’s players, there is a real concern that players might be able to use automated tools to optimize their play (after all, these games are really math problems and not based directly on human physical skill) and win money unfairly from the game operator or other players. How much risk is there in solving a math problem? Although the developers may hide the math behind a pretty interface, the players are really providing inputs to solve a mathematical equation. And, because the game is turn-based, a motivated cheater (or math student) should have plenty of time to figure out the best solution. One option is to put the mathematical model on the game server. This seems obvious, except that there are a number of game services today that still download the game’s mathematical model in the game client, Also, running the algorithms on a central server doesn’t necessarily stop cheating. A mathematically inclined cheater can still derive a “model of the model” on the server by accumulating data from a number of game plays, looking at the results, and developing a better and better local version of the server game model. For linear equations, if there are N unknown constants, it is going to take me N turns to fully determine the equations. Physics equations aren’t always linear, but the idea is the same. After all, the underlying physics models are available in high school or college textbooks; the cheater just doesn’t know how much they have been “tweaked” by the game’s developers. A studious mathematician can work to isolate variables. Such a person could run experiments in the game world to make it easier to determine the underlying model (making short putts on different types of terrain to figure out the game’s friction model, taking multiple shots in different directions to the wind to determine the windage model, and so on). And, the model just has to be good enough to provide superior play; it does not need to be perfect.

172

Protecting Games: A Security Handbook for Game Developers and Publishers

RANDOMIZE THINGS

A

BIT

Wind, different types of grass, and any other randomized feature can make building the model harder for the hacker. Unfortunately, random means the game is no longer a pure skill game (at least in some jurisdictions—see Chapter 31 on skill games). Developers may also “randomize things a bit” by altering the player’s input to prevent analysis and to fight botting. Randomness can also creep into the mathematical models unintentionally. The complexity of running the simulation in a general-purpose microprocessor, including its specific resource loading and timing, and even the behavior of the rendering engine, may introduce elements of chance into determining the game’s outcome. USE ABSTRACTION Although game developers talk about using physics to increase realism, the models in the game are still abstract equations. Altering game mechanics to utilize abstraction may create interesting and dramatic game play, particularly for player-toplayer interaction, which can often become very uninteresting (as seen by the button mashing of many fighting games). In addition to randomizing inputs to physical systems, abstract game mechanics can include table-driven results driven either by random inputs or by the interaction of discrete choices by multiple players (such as a combat result table based on cross referencing the tactics chosen by each player). LIMITATIONS

OF

ALGORITHMIC GAMES

Physics and algorithmically driven games have a lot of powerful advantages, but developers should use caution if cheating is a potential issue for the game: Physics Is Not Secure—The combination of the bouncing ball and spinning wheel is a fairly complicated mathematical model to attack (as seen in roulette). Most games that use physics are not nearly so sophisticated. Anything That Can be Modeled Will Be Automated—As discussed in Chapter 15, players will use whatever tools it takes to develop a superior or dominant strategy. The strategy doesn’t have to be perfect to give them a substantial edge. Unauthorized State Information Is Dangerous—Players don’t really need to see the spinning ball at a roulette table except as a confidence-building measure that the casino isn’t cheating. Similarly, in online games, it is risky to load data to a client that is not necessary. Of course, unlike roulette, computer gamers have exact state information, so it is much less difficult to collect the data needed to attack the system.

Chapter 17 Game Design and Security

173

Convenience Is a Trap—How would one stop this problem for roulette? Close wagering once the ball has been thrown. More bets placed means more money for the casino, but the ritual of roulette would work, and the game would be much more secure, if no bets were allowed once the ball was thrown. Security shortcuts are routine in computer games, yet they regularly cause problems. Some game models are fairly trivial. A number of MMO’s use “static spawning” techniques to generate monsters for players to fight. This technique, where specific monsters appear at specific locations at specific times, has led to a number of annoying problems. Players “camp” to await the spawn of certain high-value creatures. Gold farmers create highly efficient routes from monster to monster to maximize their productivity. In these cases, some randomization could be quite helpful—varying the location, nature, and even the activities of the creatures could undermine many abusive play tactics—and it might even make the game world appear more “real.” BOTS ARE HARD

TO

FIGHT

Anyone who has watched the tremendous deviousness of casino cheats would be reluctant to trust in the ability of game operators to detect data collection and analysis systems such as those used for roulette and card counting. These players are not breaking the rules of the game’s play, but rather the “house rules” of the game operator. The game’s internal security mechanisms don’t protect it from these attackers. Recently, many developers have embraced physics as a way of efficiently enriching game play. As with any sort of procedural system, developers should be careful: Things that are easy to make are often easy to break.

S PEED , T WITCH , T IMING ,

AND

P IXEL P RECISION

One of the wonderful things that a computer can do is run really fast with amazing graphics—and game developers have been pushing the limits of both as long as computers have been around. Games that rely on reflexes and precision work fairly well for single-player and social games. Once multiple players are competing over a network, however, the game is a perfect candidate for botting, as previously discussed in Chapter 15. A game like Guitar Hero, which uses a plastic guitar as a controller or Dance Dance Revolution, which uses a floor pad, or the Audition casual dancing MMO that uses the keyboard, are all at their core timing games. For a computer, it is easy to control simple button press indicators and, of course, the computer has very precise timing.

174

Protecting Games: A Security Handbook for Game Developers and Publishers

The main reason that console games that rely on dexterity have had limited problems with cheats is that they are played alone or socially with friends. This is not true online. There have been a number of attacks that have targeted Audition9. Because the game relies on timed button press in response to a simple pattern (left, right, up, down), it is a perfect candidate for automation. Although Audition can be attacked with a simulated keyboard, many first person shooters (FPS) are effectively attacked with a simulated mouse. Just as with physics games, there may be real game play (and security) advantages to looking at abstraction as a way to mitigate automation attacks. For an FPS, no matter how accurately the player’s mouse is positioned, the player’s accuracy could be a function of her speed, length of time in a given position, whether she is crouching and hiding from enemy fire, and so on. True reflex games, like Audition and Guitar Hero, may need to have their mechanics reconsidered for online play. For Guitar Hero, a webcam might be helpful. High-speed games also have problems because of network lag. The delay between player actions and game responses often force game developers to pre-position information that allows a player to cheat. A terribly simple option is simply to force players to slow down. One of the reasons for pre-positioning data is that players can and do move quickly in these games, which requires art assets to be loaded very quickly. However, this problem is really a function of game design choices that are quite abstract. Players are, generally, nearly invulnerable in these games and are often blessed with near infinite ammunition. They are hard to hit and, when hit, take very little damage, and, when they take damage, it has very little impact on their in-game abilities. This is not realistic. If you look at the TV news or film of real combat, people move very carefully when other folks are shooting at them. They do not want to die. Simply making games more lethal would eliminate a lot of the insane level of activity that is routine in games today and a source of security problems. Also in real life, if you are waiting in ambush for someone, you have a huge advantage. A defender who is dug in, has her ranges set, and targets selected will wipe out any fool who comes sprinting in front of her. Another option is to turn ambushes and other “quick” events into mini-games or even cut-scenes. It would be interesting to use “reaction shots,” where we see the face of our protagonist as she enters a room or turns a corner just as we are used to seeing in film, as a way to avoid pre-loading data as well as to accurately capture the disadvantage and risk of such actions. A more technical option could be to pre-load multiple data sets and only activate one at the time, when needed.

Chapter 17 Game Design and Security

S TRONG

AND

D OMINANT S TRATEGIES

AND

175

D EEP G AME P LAY

There are too many computer games that have strong or dominant strategies. This makes game play tedious and is ideally suited for automation, because the hacker doesn’t even need to think about how to play, just how fast to shoot and in which direction. Although many games provide a multitude of choices, most seem to have little impact. The stereotype of button-mashing for console games or madly clicking in MMOs is all too accurate. Recently, Age of Conan attempted to enliven MMO combat with a system that takes facing and direction of blows into account. It remains to be seen whether this will affect player satisfaction (or scripting or automation or other cheating problems). The “grind” that most players criticize about online games makes automation very tempting. First person shooters that rely on speed and reflexes rather than tactics are also vulnerable to optimal or strong strategies. Most hackers are not good artificial intelligence programmers, so if a game has deep strategic play, it is less likely to be vulnerable to automation attacks.

P OWER OF P EOPLE : R OCK -P APER -S CISSORS , P OKER , P SYCHOLOGY

AND THE

W ORLD

OF

“Interesting choices” are often associated with interesting games. It is not just that the player can make interesting choices, but his foes can as well. Tarn and Zach Adams’ Dwarf Fortress10 is a very highly regarded recent game. One of the things that makes it interesting is the richness of interactions and actions between the player and the game environment. The game is a study in innovative, deep procedural game design—so much so, that players delight in recounting their game play experiences whether successful or catastrophic failures11. Hampus Söderström’s Toribash12 has redefined fighting games with its combination of rag-doll physics with simultaneous non-real-time turns. Toribash takes physics-based game play in a new direction because players are interacting with each other’s choices, which can have virtually infinite variety and complexity. Strategic depth is very hard for a computer or player to fake or cheat (without a lot of effort—chess programs play very well after all). Games don’t need to be complex to thwart automated play. Rock-paper-scissors embodies the simple principle that every play can be trumped and every play choice has value. Poker succeeds as a meaningful game because of the psychological interaction of the players. Exception games, like Magic: The Gathering13, are interesting for players and hard to automate. Every card in the game changes the rules or breaks the rules in a different way. Cards can work in combination with each other and the game is continually being updated.

176

Protecting Games: A Security Handbook for Game Developers and Publishers

In some sense, this is the best news of all—a well-designed game with “good” game play is much less likely to have security problems than a poorly designed one.

G AME P LAY P ATTERNS : C OMBAT D EVOLVED Although there may be many kinds of games, there are actually very few actual game-play patterns. The patterns discussed here are not thematic (science fiction, fantasy, and historical) or genre-related (first person shooter, real-time strategy, MMO), but are the essential ways that players interact with each other and with the game’s rules. Many of the common game-play patterns that are used in computer games are an artifact of the history of the industry. Single-player computer games typically use an “Action, Randomized Resolve” game-play pattern. Traditional board and card games tend to sequence players since simultaneous play is difficult while some of these play patterns may be better suited for computer play. Each pattern has its advantages and disadvantages and, of course, different security characteristics: Action, Deterministic Resolve (Chess and Battleship)—Taking turns and moving or acting. A very simple pattern; if there are N potential actions, there are N possible outcomes. Strategy comes from choices of actions and when to take them. Random Input, Action (Backgammon and Many Family Games)—“Roll your dice and move your piece” and “draw a card”). A very simple variant on the Action, Deterministic Resolve pattern where randomization constrains player choices. Action, Randomized Resolve (Most Combat Results Table Games and Many Computer Games)—The combat results table (CRT) is a legacy of many board war games. Basically, a player takes an action, rolls a die, and the result is determined by cross-referencing the action with the die roll. The total number of possible outcomes is the product of the number of actions (A) and distinct die roll values (D) (AxD). As with all randomized results, the question is always how to generate fair random events. Player 1 Action, Player 2 Response, Deterministic Resolve (Magic: The Gathering)—Players take turns to act, but the results of their actions can be modified by the actions of other players. Usually, this pattern is associated with a finite resource that constrains actions and responses such as available cards or “action points” that are consumed and slowly replenished. Generally, Action, Response patterns modify only the initial action; they do not introduce new game-play elements.

Chapter 17 Game Design and Security

177

Player 1 Action, Response Chain (Each Player, Deterministic Resolve) (Magic: The Gathering, War card game)—See Player 1 Action, Player 2 Response, Deterministic Resolve. Players can continue to take additional contingent actions until they are unable to continue or choose to conserve resources for subsequent use. Action, Response, Randomized Resolve (Some War Games)—Players take turns to act. The main effect of responses by other is to alter the initial action. Simultaneous (Player 1 Action, Player 2 Action), Deterministic Resolve (Ace of Aces, Toribash)—Simultaneous action is well suited to computer-based play, but it has not been used very often, mainly, I think, because it is not familiar from either single-player computer games or multi-player traditional games (because of difficulties in implementation). The security challenge with this pattern is to ensure actual “logical simultaneity.” One of the interesting aspects of simultaneous action is that there is typically a rich range of outcomes that naturally flow from the intersection of player choices. Simultaneous Action (Player 1 Action, Player 2 Action), Randomized Resolve—See Simultaneous (Player 1 Action, Player 2 Action), Deterministic Resolve. Randomization perturbs a basic result from the intersection of player choices. Action(t), Deterministic Resolve (“Physics”-Based Games, Guitar Hero)— The interest in these games comes from the procedural complexity of physical systems. The problem, as noted previously, is that complex physical systems can be modeled very well by a computer. They are also very vulnerable to automation. The most common error for real-time game systems is neglecting to consider the “reset” time to recharge between actions, particularly when the games are implemented over a network. Action(t), Random Resolve (“Real-Time”-Based Games)—See the previous bullet. These games really replace the abstract model for a physical system with a set of game mechanics that are time based (and still are often tied to physical system modeling). Often, the only real random element is a damage model. Player 1 Action(t1), Player 2 Action(t2), Deterministic Resolve (Baseball and Other Real-Time Reflex Games)—Typically, these games are associated with physical systems. The main change is the potential for complex interactions due to the actions of multiple players. Network lag and time models can sometimes be abused to “see” remote player actions before they happen, as discussed previously. Player 1 Action(t1), Player 2 Action(t2), Random Resolve—See Player 1 Action(t1), Player 2 Action(t2), Deterministic.

178

Protecting Games: A Security Handbook for Game Developers and Publishers

Deterministic Update(t)—Timed or triggered events, often seen in physics games such as a dropping ball or weight or a timed elevator. The only concern with this pattern is whether the update to the game’s state is supposed to be hidden from the player(s). Random Update(t)—See Deterministic Update(t). Randomization is used to add complexity to the game experience. One could argue that some artificial intelligence systems for automated opponents are an example of this type of system, because their behavior is not quite deterministic. Definitions: Action—A decision and corresponding game play made by a game player (or piece of artificial intelligence code taking on the role of a player) that impacts the game. Actions can also be “secret”—where they are made at some time and not revealed until later. Response—A decision and corresponding game play made by a game player (or piece of artificial intelligence code taking on the role of a player) that impacts the game that is dependent on the action of another player. Simultaneous Action—A decision and corresponding game play made by two or more game players (or piece of artificial intelligence code taking on the role of a player) that impacts the game and occurs at the same time. Resolve—The basic change to the game state that is a result of one or more player’s actions, the pre-existing game state, the game rules, and any randomized resolution. This can be thought of the closing element of a “mini-game” or “gamelet,” basic player interaction, or rules that cause a change to the game state. Randomized Resolve—When the resolve is affected by some sort of randomization. Given a set of actions, responses, and game state, a situation where there can be more than one possible resulting game state. Deterministic Resolve—The opposite of randomized resolve. When there is only one possible resulting game state given a prior game state, player’s actions, and responses. Action(Time)—Player actions that occur at a specific time for “real-time” games. Action1(time1), Action2(time2)—A real-time interaction model that allows rich interaction between players. Random Input—This type of randomization is very typical for traditional games. These patterns can be assembled into a wide range of higher-level game-play patterns.

Chapter 17 Game Design and Security

D ESIGNING

FOR THE

179

M EDIUM

Computers are an amazing tool for gaming that we are just beginning to explore. The reemergence of multi-player gaming has provided opportunities for new types of game play. There are so many game types, business models, and ways to interact that it is impossible to neatly categorize computer games today. The key is to truly understand the implications of the entire design and its environment. Eye of Judgment for the PlayStation 3 took a paper collectible card game and combined it with a video camera to create a new form of game play. Unfortunately, the developers seem to have neglected to consider the possibility that players would scan cards and undermine the core collectible element of the game14. For many years, online games were metered by the minute, just as online access was. This meant “problems” like botting and gold farming weren’t nearly as big an issue, because the game operator could recover their costs better and ill-gotten profits were constrained by much higher connection costs. Game protection can take advantage of innovations in game design. True replay systems as found in the Prince of Persia series with its ability to rewind time or replay an entire game as with Halo 3’s Saved Films feature can serve both the game designer’s vision and become tools to strengthen security by helping detect cheaters. Careful consideration of security in game design may be the single most effective use of security resources. Many security problems can be avoided entirely through good design practices. Conversely, bad design choices may make good security impossible or exorbitantly expensive.

R EFERENCES 1. ferv0r (2008), “There Are Level 80s in Age of Conan,” http://ferv0r.wordpress.com/2008/05/25/there-are-level-80s-in-age-of-conan/ 2. J. Savage (2007), “Game Stopped After Cheat Allegations,” http://www.thelocal.se/6788/20070324/ 3. P. Pollack (2006), “Online “Banker” Runs Off with Cash, Avatars Cry Foul,” http://arstechnica.com/news.ars/post/20060828-7605.html 4. J. McLeod (2008), “Königrufen,” http://www.pagat.com/tarot/koenig.html 5. Upstarts! (1982),“The Really Nasty Horse Racing Game” 6. S. Fallon (2007), “Confessions of an Online Scrabble Cheat,” http://www.wired.com/culture/lifestyle/magazine/16-01/ps_scrabulous 7. E. Thorp (1962), “Beat the Dealer” 8. P. Lewis (2006), “For Sale for £1,000: Gadget that Means You’ll Never Lose at Roulette Again,” http://www.guardian.co.uk/uk/2006/sep/16/gambling.mainsection

180

Protecting Games: A Security Handbook for Game Developers and Publishers

9. YouTube (2008), “Audition Bot—61 Search Results,” http://www.youtube.com/results?search_query=audition+bots&page=2 10. T. Adams and Z. Adams (2008), “Dwarf Fortress,” http://www.bay12games.com/dwarves/ 11. B. Harris (2006), “Dubious Quality—Dwarf Fortress Articles,” http://dubiousquality.blogspot.com/2006/09/dwarf-fortress-1-prepare-for-journey.html 12. H. Söderström (2006), “Toribash,” http://www.toribash.com/ 13. R. Garfield (1993), “Magic: The Gathering” 14. M. McWhertor (2007), “Eye of Judgment Card Creating Easier Than Expected?,” http://kotaku.com/gaming/rumor/eye-of-judgment-card-creating-easier-than-expected-315714.php

18

Case Study: High-Score Security

igh-score systems are one of the easiest and quickest ways to turn a singleplayer game into a social game. Achievements, ranks, ladders, and badges can substantially increase interest in a game as well as foster player community, as seen at game portals like Kongregate. A high-score table is also an easy way to get marketing data, encourage repeat visitors, and otherwise make the game “stickier” than simply having a downloadable or simple online game. Many businesses are taking this strategy to the next level by adding contests into the mix, sometimes with large prizes.

H C HEATING

IN

H IGH -S CORE G AMES

Sadly, cheating rears its head the moment you introduce this new feature. Players will even cheat to get a high-score on an obscure website for the simplest Flash game. These cheaters can undo all of your community and interest building efforts—who wants to play a game with cheaters? Why compete for a high score if you don’t think you’ll have a reasonable shot at winning? Although this can be a nuisance for an independent game developer who is simply showing off a new game, the problem becomes more serious for an advergame or a commercial game. The reputation of the sponsor, site operator, and developer’s business and real money are at stake. Things get even more serious when high scores are used for a tournament or if there are contests or prizes involved. (Note: If you are running a contest, sweepstakes, or a game with prizes, please consult a lawyer. Even skill-based games are regulated in the US and internationally; See Chapter 31). Deloitte Touche Tohmatsu in the Netherlands did a study tracking 40 Dutch advergames over a four-month period. The games, almost all in Flash, were plagued by high-score hacks and leader board griefing (posting crude, malicious, or defamatory names as high scorers). Several of the marketing campaigns had to be shortened or canceled because of these security problems1; see2 for the English translation. 181

182

Protecting Games: A Security Handbook for Game Developers and Publishers

High-score games are typically developed as single-player games that then post the high score to a server. If the games are played in a browser, the security sandbox used by Flash, Shockwave (Director), Java applets, and DHTML/JavaScript put real limits on both the computing power of the game as well as its ability to access the resources of the computer. Often, the high-score feature is added as an afterthought. Because the high-score feature is often added late in the development process, it is often a separate part of the game architecture. As a consequence, making attacks on the “score” is easier. The security adage “if security is easy to add, it is easy to remove” shows itself again. What is the simplest attack on a high score? You simply send a better score to the high-score server, ignoring the game entirely.

E NCRYPTION , D IGITAL S IGNATURES ,

AND

H ASH F UNCTIONS

The first solution that game developers typically consider is to use encryption, hash functions, or digital signatures to send the score to the server. Often, the available SSL library that is used is the one provided by the browser. Although an encrypted or signed data stream on the network-side is safe, the problem is that the game attacker controls the computer. This is not the security assumption that most encryption and digital signature systems are designed for (including SSL). In a typical game scenario, the bad guy is an insider. So, how do you protect against him? Let’s quickly review the available tools. Hash functions are mathematical functions that, when applied to a data stream, produce a hash word. A good hash function, like MD5 or SHA1, will produce a wildly different hash word from even a slightly different data stream. An encryption function uses an encryption key to transform a data stream into a protected stream. Often, there is a decryption function that will use the decryption key to transform a protected stream back into the data stream. In private key or symmetric key cryptography, the encryption key and decryption key are the same. In public key or asymmetric cryptography, the encryption key and decryption key are different, and one is publicly known. Finally, a digital signature function combines a hash function with a public key encryption system to create a protected hash word. Another cryptographic tool is a cryptographic checksum. Cryptographic checksums are similar to digital signatures but they use private key cryptography to create a protected hash word. Computationally, private key cryptographic functions tend to be a lot faster than public key cryptography.

Chapter 18 Case Study: High-Score Security

183

What’s the problem with SSL? SSL, like any other external library or application extension (accessed as a DLL or SO), has a local interface that can easily be intercepted and modified. This form of interceptor is often provided with a software development kit (SDK) as a debugging tool or it can be implemented as a custom proxy. The interceptor allows data (in this case, the game’s high score) to be freely grabbed before the high score is sent to the encryption library. Because the attacker can get between the game and the encryption function, she can modify the game data or even send arbitrary data to the security library: Encrypted “bad data” is still bad. The fact that SSL is an external library is its biggest weakness compared to an internally implemented encryption (or digital signature) function. An internal encryption function will need to be attacked and reverse-engineered using a lowerlevel debugger. This is not impossible, just more difficult. The problem moves from one of API interception to reverse engineering. The same is true if the hacker wants to directly modify a game’s high score or internal state. In order to attack the game’s state, the hacker would require a memory editor (see Chapter 14). Most memory edit or map tools are pretty simple. They actually don’t reverse-engineer the game; they simply watch the player run the game for a while and isolate the changes that have occurred to the application’s memory footprint. The player then can read out the memory map of the game (or any other application). The technique is both generic and effective for virtually any application that runs locally on a specific computer. Attackers do not necessarily have to attack the game’s score. Instead, they can alter the score table constants associated with different actions that get rewarded. For example, if destroying a common item is supposed to be worth 25 points, the hacker could change that value to 2,500 in the game’s code image. Then, each time the player destroys the item, they will get 100 times the score they would have earned legally. A limited countermeasure for this type of attack is to post a vector that passes the components of the high score to the server: number of hits on item 1, number of hits on item 2, and so on. Encrypting or authenticating this value may make attacks a bit more difficult. The problem with encryption, digital signatures, digital rights management (DRM), and other software security solutions is that they are inherently weak against a local attacker because the hacker has control over its platform. Simple client-side security does not work because, for games, client software should be assumed to be malicious. After all of these concerns, if you still choose to use encryption or other clientside solution, do not hardwire the algorithm’s key. Hardwired keys are no different from a security perspective than a hash function. Instead, use the key as a part of a “challenge/response” system and send the client a key in real time to encrypt the score (see Chapter 14).

184

Protecting Games: A Security Handbook for Game Developers and Publishers

Digital signatures are of no more value than a regular encryption system, in this scenario. A signature is only useful if the data that it signs is accurate. By downloading the key in real time, the attacker will need to reverse-engineer your game. However, do not be fooled; if the hackers are motivated, they will succeed. These solutions are only a minimal fix to the simplest of attacks. If you choose to use internal cryptography, you will face the general problem of a lack of “interoperable” cryptography. Basically, it is necessary to find cryptographic libraries that work both with your client software (Flash and so on) as well as with the backend (often PHP). Using a common cryptographic algorithm suite does not guarantee interoperability and isolating implementation inconsistencies can be very difficult.

C LIENT -S ERVER O PTION The next option is to implement the game in an actual client-server configuration. This design approach implements the game as if the part that is downloaded is a “smart terminal” that provides a nice interface to a game that is hosted on the server—the same approach used in many MMOs. This actually stops most forms of client-side cheating, but potentially has a large overall system impact compared to a simple, downloaded client. After all, instead of a single download (a natural for web servers), the server needs to interactively update the game based on player actions. This will likely add many additional connections to the server as well as additional processing on the server. Also, the developers often have completed the game as a standalone game and the high-score system is added later, making this architecture change impractical in many cases.

R ANDOMLY S EEDED C LIENT A hybrid solution is to implement a randomly seeded client. This approach works for games that are not entirely deterministic (see the discussion of puzzles, later in this chapter). Basically, there are two components to this approach. First, the server periodically and non-deterministically updates the client’s random seed. Second, the client must store a log of the game action/state sequences. If players claim a high score, they need to post the game logs and validate that the game session could have yielded the posted high scores. This system is probably not adequate for contests, but is probably good enough for free, pure-entertainment games.

Chapter 18 Case Study: High-Score Security

185

A LTERNATIVE H IGH -S CORE S TRATEGIES There are other options to ensure the integrity of the game service, if not the high score itself: Buddy High Scores—Instead of having a single high-score system, it is possible to divide high scores into geographic, friends/social networks, and other ways to give more players a chance to earn a high score. A “buddy-high-score” system works well from a marketing point of view and makes cheating irrelevant (the benefit of cheating your friends is much lower than the ego reward of earning the high-score globally). Challenge/Response Score Posting—As noted previously, external encryption services are not effective in protecting against even a slightly motivated attacker. An internally implemented challenge/response system can be easily integrated with an existing game (in fact, we have a version for Flash and PHP at SecurePlay.com). As with many of these solutions, this approach is suitable for casual games, not for contests. Face-to-Face Competition—Depending on the business model being used, a local high score can be used as a gateway to face-to-face competition. The prospect of a face-to-face competition can be both a positive marketing tool and a substantial deterrent to cheating. Public humiliation is a powerful threat. False Games—Contests don’t need to have a truly functioning, public highscore system. Instead of using the game result and score for a contest, set a low, minimum threshold score to qualify for entry into a drawing. The benefits of cheating go way down, as any reasonably good player will be entered in the drawing (arguably, the game score gateway is simply a way to convince players that they should disclose their personal data to be entered into a drawing). Faux Multi-Player Gaming—It may be difficult and expensive to move the game onto the server and implement real client-server gaming. However, in some cases, it might be much easier to use other game players as “faux servers”—where the game and game state is coming from another player’s computer. This might be easier to implement, as platforms like Flash include object-replication tools. Basically, each game client runs two or more game instances: one instance that drives the local display and captures player actions and another instance that acts as a server engine for another, remote player. The players either use the central game server as a relay or communicate peerto-peer. There are numerous, tricky details to this approach, but it may be worthwhile for higher-value games where a developer does not want to move to true server-based gaming.

186

Protecting Games: A Security Handbook for Game Developers and Publishers

Implicit Score and Player Data Authentication—The game developer can include implicit features in the game design that are not “known” at all on the client, but can be checked only on the server. For example, a race may have a certain hardwired minimum time or certain delays that are implicit to the game design. These features can provide a way to detect illegitimate scores; however, these techniques are also very vulnerable to detection and analysis by a motivated foe. Replayable Game Logs—Traditional computer games are increasingly using true game-play logs that allow the game to be recorded and replayed. Although some lightweight browser languages like JavaScript and Java do not allow applications to store data on the platform, others like Flash do. Even without the ability to save a game, it is still possible to store a game log during play. If a player submits a suspect high score, the game server can then request the game to upload its full game log to be verified. Ideally, the game log should be able to be fed into another copy of the game and used to drive the game instead of the mouse, keyboard, or controller. This can be used to visually detect game anomalies, but is no guarantee against a serious cheater. The biggest challenge for protecting high-score games is not the lack of available options. Rather, the problem is that high scores are an afterthought in many of the games; this fact makes it difficult to add effective security features retroactively.

P UZZLES , S KILL -B ASED G AMES ,

AND

O THER D ETERMINISTIC G AMES

As discussed in Chapter 17, puzzles and games that have strong or dominant game play strategies or are dependent on physical skill are poor candidates for games with a high-score or competitive element because they are often automatable. Malicious players can create bots or support programs to have a superior game-play strategy, speed, or solve the puzzle optimally. These games are fine in “for fun” settings without high scores, but once high scores or multiple players are involved, they are often attacked. There are tools to detect bots or even try to discern the use of game aids, but it is ultimately impossible to distinguish between optimal play from a human and optimal play from a machine. Also, bots will be able to be hidden in a manner that is undetectable (see the sidebar in Chapter 13 on virtualization).

Chapter 18 Case Study: High-Score Security

187

I NAPPROPRIATE P LAYER H ANDLES The full discussion of griefing comes later (see Chapter 21). However, simple highscore games are beset by annoying at best, or disturbing at worst, inappropriate player handles associated with players’ high scores. Most high-score games let players choose how their name will appear on the high score list—their player handle. Unsurprisingly, many of these handles are obscene, insulting, or infringing on copyrights and trademarks. The problem is even worse if the high-score system has been hacked. I was told about a case where a bank had an online game which was hacked and the pranksters used the opportunity to mock the bank and its poor security practices via the compromised high-score table. Filters, notifications, and voting schemes can be used to cost-effectively remove inappropriate names. However, it is likely that any such system run by a company should include some level of human review. Contests do have a slight advantage, as inappropriate player handles can be grounds for disqualification.

S UMMARY High-score systems are a great way to build the popularity of your game. Unfortunately, cheating follows right behind. The problem may be simply a nuisance if the game is provided for entertainment purposes. In some cases, it may be better to forgo the advantages of a high-score system than deal with potential adverse consequences. Also, the level of threat against a game jumps dramatically once there is any sort of prize or cash involved. Sadly, it takes very little motivation to bring out the cheats and vandals.

R EFERENCES 1. Deloitte Touche Tohmatsu (2008), “Advergames op Grote Schaal Gehackt,” http://www.deloitte.com/dtt/press_release/0,1014,sid%253D13354%2526cid%253D202819,00.html 2. S. Davis (2008), “Serious Advergame Hacking Problems: Deloitte Touche Tohmatsu Netherlands Survey Findings,” http://www.playnoevil.com/serendipity/index.php?/archives/2107-Serious-AdvergameHacking-Problems-Deloitte-Touche-Tohmatsu-Netherlands-Survey-Findings.html

This page intentionally left blank

Part

IV

Social Subversion: From Griefing to Gold Farming and Beyond with Game Service Attacks In this part, you’ll find the following topics: Chapter 19, “Overview of Social Subversion” Chapter 20, “Competition, Tournaments, and Ranking Systems (and Their Abuse)” Chapter 21, “Griefing and Spam” Chapter 22, “Game Commerce: Virtual Items, Real Money Transactions, Gold Farming, Escorting, and Power-Leveling” Chapter 23, “To Ban or Not to Ban? Punishing Wayward Players”

189

19

Overview of Social Subversion

ou’ve made your game and designed it carefully. You’ve considered cheaters and hackers, avoided exploits and engine problems, and yet, after your game goes “live” online, everything falls to pieces.

Y

Welcome to the world of game service attacks.

Cheaters and hackers are increasingly attacking the “game around the game”— not the game itself, but the other features of the online service. These attacks violate the social norms and social context of the game and, often, its “terms of service.” Some people will call many of these activities cheating. The main difference between game service attacks and traditional cheating is that these attacks cannot be detected by the game itself as rule violations. They are slipperier and more difficult and costly to control and they rarely can be stopped completely. Most of these problems stem from weak identity and accountability—if no one knows who you are, there is nothing to stop you from behaving badly. Tournaments are growing rapidly in popularity. These services take basic highscore systems and add richer competition for multi-player games. Tournaments and various forms of in-game competition wrap a game with a lobby or matchmaking service and track game results. Just as players will cheat at a free Flash game to get a high score, they will abuse lobbies and competition services for their own purposes. Griefing and spam exploit communications systems as well as the rules of the game. Communications abuse ranges from commercial spam, in many cases for gold farming or other game commerce services, to verbal abuse, cyberbullying, and sexual harassment. Griefing players take advantage of game play systems, reputation systems, and, in some cases, the anti-griefing systems themselves that are put in place to handle customer complaints. Griefing behaviors can range from theft of other players’ assets or experience (ninja looting and kill stealing), to disrupting the game play of others (corpse camping), and exploits of game system quirks (spawn camping). Certain games allow players to create content, such as Second Life and IMVU, and, inevitably, players have found ways to abuse these services with attacks ranging from fairly standard griefing and abuse to denial of service attacks. 190

Chapter 19 Overview of Social Subversion

191

There are people with more time than money, and others with more money than time. In persistent games, this has resulted in unauthorized game commerce. Trading is a powerful social tool. Unfortunately for many game developers, players use in-game trading and gifting systems for real economic purposes. Gold farming is probably the most widely discussed of these problems (wherein players buy and sell virtual items and characters), but there are also outsourced services that will play on behalf of a player (power-leveling), and escort services where paid, skilled players play along with players to help boost their skills or acquire certain items. Once a cheater or game service attacker has been caught, the standard impulse is to ban the person from the game. There are other options and some negative consequences from banning and there are real questions as to banning’s effectiveness in deterring game abuse. There are quite a range of game service attacks and, fortunately, corresponding countermeasures. However, there are few standard solutions to these problems, as the game service security weaknesses often are closely tied to specific business, implementation, and operations choices.

20

Competition, Tournaments, and Ranking Systems (and Their Abuse)

istorically, computer game developers have focused more on single-player games than multi-player experiences. This is largely an artifact of the evolution of personal computing and network technology. For thousands of years, games have been predominantly multi-player experiences with the exception of solitaire card games and puzzles.

H

Although cooperation is sometimes an element of gaming, competition is deeply ingrained into its rules and language. There are very few games that don’t have some sort of notion of “winning,” even if the game has only one player. Wagering and rewards have long been tied to games—after all, the Bible’s Book of Job is centered on a proposition bet between God and the Devil. Players are encouraged to earn the most points, finish the game most quickly, and get the high score. With the emergence of online computer games, competition and tournaments are rapidly growing in popularity. As discussed in Chapter 18, high scores can invigorate the audience for a single-player game, but they can also inspire abuse. Multi-player game competitions are more interesting and varied than singleplayer high-score services. Lobbies, ranking systems, and tournaments are varied in form and targets of a wide range of attacks.

U NDERSTANDING T OURNAMENTS

AND

R ANKING S YSTEMS

In order to understand the attacks on game competition, it is worth reviewing how a variety of these systems work. Although most game players are familiar with sports competitions, the growth of online play has introduced several new types of ranking systems. There is surprisingly little good discussion about how these systems work from a practical perspective, but Christopher Allen and Shannon Appelcline have put together a number of excellent articles on the subject at Christopher Allen’s blog, Life with Alacrity1.

192

Chapter 20 Competition, Tournaments, and Ranking Systems (and Their Abuse)

193

There are two essential types of ranking systems: Closed Ranking or Tournaments—These ranking systems are built around a limited pool of entrants (restricted either by total population or a specific registration period). They use some process to rank the entrants or determine one or more victors. There are a number of types of tournament formats, including2: Single-Elimination—A tournament where players are removed from the tournament as they are defeated. Only the top player is ranked, not any of the other participants. Consolation—A tournament where players are moved to a “consolation” single-elimination tournament after they lose once. Once they lose a second time, they are eliminated. Double-Elimination—Very similar to the consolation tournament, but players enter more senior brackets, based on how far they proceed through the brackets in the single elimination tournament. If a team successfully won three rounds, but then lost its match, that team would enter at the third round of the consolation tournament, rather than at the first round. Up and Down/King of the Hill—Participants all play for a fixed period of time. The leader or victor at the end of the interval progresses “upwards” toward the top position and the losers move “down.” Swiss—Participants all play in a set number of rounds. Players play against others who have done comparably well, but the final result is based on a total score, with victories worth 2 points, ties worth 1 point, and losses worth 0 points. Round Robin—Participants play all other participants a fixed number of times (rarely more than two), with the participant with the most victories crowned the winner. There are numerous variations on these competitive schemes. A tournament can also combine different tournament schemes, such as an initial round robin phase, followed by a single elimination tournament for the top performing round robin players. For tournaments with gambling, there are also variants where players can buy back in to the tournament again or purchase additional chips to continue to play 3, and as well as take advantage of other options4. Open Ranking or Ladders—These ranking systems can accommodate an unlimited number of participants or a limited participant pool over an extended period of time to establish the participant’s relative status. Open ranking systems are used in applications outside of gaming, most notably for reputation and rating systems5. Well-known ranking systems include ELO and Glicko for Chess; Xbox Live’s TrueSkill; and eBay’s rating system.

194

Protecting Games: A Security Handbook for Game Developers and Publishers

The two types of systems can be used together and interact over time. Most professional sports teams are ranked from year to year, but also compete through some sort of tournament system for a final victory. In U.S. college basketball, there is an ongoing ranking system on a national basis that determines invitations to the NCAA or NIT tournaments (sort of)6. There are four major purposes for ranking systems: Ranking/Serializing—Placing the participants in some sort of order and, for ranking systems, tracking that order over time. Grouping/Grading/Thresholding—Grouping the participants into categories (one to five star systems, grades A to F, and so on). This is the dominant approach used for rating and thresholding systems. Matchmaking—Competitive systems need a way to match different participants and reward victors and penalize losers. Matchmaking systems determine who competes. They can be structured in different ways. In a single-elimination tournament, participants with higher ranking are matched with players with lower ranking to increase the likelihood that the highest ranked competitors will compete in the final match. Thus, the top ranked participant initially competes with the bottom ranked participant, the second ranked participant, with the second lowest ranked participant, and so on. Additionally, the highest ranked and second ranked participants are in different brackets so that if they win all of their matches, they will reach the finals and compete with each other. Conversely, ongoing ladder systems tend to match participants with comparable skills to try to ensure a fair competition (each competitor having a nearly equal chance of victory). Handicapping—These systems typically give increased rewards for players who defeat higher-ranked foes. Conversely, in systems like golf’s, a handicap is a balancing system to basically allow a lower-ranked player to compete with a higher-ranked player. The attacks on tournament and ranking systems, discussed later in this chapter, are highly dependent on the specific purpose of the system. Careful design can avoid many problems. For example, the online game A Tale in the Desert first used the eGenesis Ranking System7, which attempted to limit the ability of players to create free accounts to boost their ranking by minimizing the effect of competing with players with new accounts (basically, you could earn a maximum of eight points from a new player, but could earn substantially more from an experienced player), but later moved to a very different approach with its Tournament Ranking System8.

Chapter 20 Competition, Tournaments, and Ranking Systems (and Their Abuse)

195

This latter system works in a similar manner to the “master points” system used in Bridge where players really only compete with other players at the same rank and compete to earn additional points towards advancing towards the next rank. The only real differences are that a player cannot compete multiple times at a given rank and tournament with another player. Also, it is possible for a player to lose too many competitions, in which case she can either start again at the lowest rank or no longer compete within that specific tournament.

L OBBY A TTACKS Before players enter a game, they use a lobby service to set up matches—either with opponents of their choosing, or, for tournaments, based on algorithms and procedures provided by the game service. Hackers attack the matchmaking service itself or its underlying ranking or handicapping system to position themselves to gain an unfair advantage: A hacker could try to boost her chances of winning cash or prizes by entering a contest an excessive number of times or create multiple accounts that “compete” to boost the rank of a chosen account. Conversely, the cheater could appear to be incompetent and lose often to set up suckers for a sting in a game for money—just like a pool shark. TOURNAMENT

AND

LOBBY SPIKING

Although randomized match-ups are theoretically strong, it is an interesting question whether teammates, or opponents for that matter, could collude to enter the matchmaking lobby within a narrow time window and thus increase substantially their chance of being matched together. After all, if ranked games are being run continuously, there are going to be times when the game lobby is going to be relatively empty. Or, even with a relatively popular game, highly synchronized lobby entry can overwhelm the matchmaking system’s randomization process. The larger the team, the more effective this tactic will be. A weighting system that adds an anti-correlation component (to ensure that players haven’t played together before) and a measure that considers how many games someone has played (to address disposable identities) added to the tournament ranking system could help reduce the effect of team play. Another strategy may be to allow all players to play multiple games concurrently (this strategy works better with thoughtful and leisurely games, as opposed to fast, reflex-based games).

196

Protecting Games: A Security Handbook for Game Developers and Publishers

ENTRY SPREADING For continuous tournaments or ladder systems, players can “spread out” their entries to move more rapidly up or down a ranking system. A closed tournament matches players based on seeding or a random draw. However, it is possible, in an open ranking system or a tournament that allows players to join over a substantial period of time, to disperse a team of players uniformly across a large population. Depending on the ranking scheme, these anti-correlated players can build “good” reputations independently of each other and subsequently coordinate and play together to accelerate the ladder performance of a few selected members. RANK BOOSTING

AND

BUSTING

Once players have been able to be matched with whom they wish, they can then “boost” the rank of a designated player or group of players. This is possible if the tournament uses an open lobby, the game has a ladder ranking system, or they overwhelm the lobby. An NBA player, Gilbert Arenas of the Washington Wizards, was caught colluding with another player by taking turns winning game events to boost his rank in Halo 3 9. Players can also achieve the same objective by using bots rather than finding other colluding players for some online games. It is a good idea to test your tournament structure against various rankmanipulation strategies to see how many cooperating players it would require to be effective. Although players may attack tournaments just to get a high rank, tournaments with cash or prizes are the prime targets for boosting. The other goal of a cheating player may be to rank higher in a less competitive tournament—becoming the “best of the worst” in a junior or amateur tournament rather than having to fight and likely not win in a more seasoned competition. This is especially appealing for games where money is involved—a tournament variant of a pool shark. These attacks are all quite difficult to counter. They are all, effectively, varieties of collusion and take advantage of weak identity systems, particularly when games are online. Clever design of a ladder system or tournament may minimize the impact of several of these attacks. For tournaments, bringing players in for face-toface competition will often make it much more difficult for players to hide their identities. Platform identities and signatures may be effective in determining patterns of play that can help uncover these groups of players or accounts.

Chapter 20 Competition, Tournaments, and Ranking Systems (and Their Abuse)

S YNDICATES

AND

197

B OTS

Tournaments and ranking systems create a structure on a social group. There are two ways to undermine these structures: with an organized team of individuals (a syndicate) or virtual individuals (a set of bots). Svenska Spel’s lottery game, Limbo, was undermined by groups of players colluding to select different entries, a variant of the entry spreading attack where the players ensured that their lottery entries had different values to increase the group’s chance of winning10. The online game OutWar was targeted by a massive botnet of at least 30,000 compromised computers to help boost two players’ ranks11. Tournament cheat bots fall into two categories—winbots and lossbots—and are the direct counterpart to human syndicate members helping boost or bust a teammate’s rank. In 2005, Blizzard banned 4,000 players from Battle.Net for using lossbots and ladder abuse in Warcraft III12. Of course, bots can also be used to simply cheat against other players in a tournament or boost a player’s rank, as discussed in Chapter 15.

T OURNAMENT

AND

L ADDER G AME P LAY A TTACKS

There are certain attacks that can occur against a game because it is being played in a tournament or as part of a ladder-ranking system. These are not really attacks on the game itself but on the game’s context. Although Brain Age may be a fine singleplayer mental skill game with its mini-games based on basic mathematics and logic, it would fail utterly in an online, multi-player, competitive environment where players could use calculators and other player aids. COLLUSION Players can cooperate together when it is forbidden by game rules to gain a competitive advantage. This is a problem for multi-player games in general, but can be even more problematic when tournaments or rankings are involved. For example, collusion in a two-player game is meaningless unless there is a larger group ranking system that can be attacked. Usually, boosting and busting rankings can be easily carried out by groups of colluding players; the larger the colluding syndicate, the better.

198

Protecting Games: A Security Handbook for Game Developers and Publishers

GAME CONFIGURATION Games played with small groups of competing players are very common in online gaming. There are a couple of very practical reasons for this: It is easier to design a competitive game that works with a smaller number of players rather than a large number. Also, it is very difficult to bring together a large group of players and keep them playing at the same time, particularly online. First person shooters, racing games, sports games, and strategy games are usually played with modestly sized groups (rarely more than 16 players, often 8 or fewer players). For a game service provider, these sorts of games can be operated very inexpensively, especially when the players use a local computer to act as the game server or when the game operates as a pure peer-to-peer network. Player-operated servers and peer-to-peer architectures have the substantial advantage of pushing all of the computing and networking resources onto the game’s players while only leaving a small lobby, status, and persistence service at the game operator’s location. Sometimes, game operators let too much control devolve to the players. In Battlefield 2, players cleverly configured their local game servers to give them an unfair advantage in the game’s overall ranking scheme (the exploit was really a flaw in the game’s scoring system that ranked players much higher if they used “lowertech” weapons like knives rather than guns)13. All players need to be able to independently authenticate a game’s configuration and state, whether the game is configured as client-server or peer-to-peer architecture. The game developer or operator should also be able to extract an audit record of a game from any and all players. This may not prevent all ranking system manipulation, but could help identify gross abuse by players who post scores for game wins or losses that were not actually played. GHOSTING Increasingly, game developers are adding an “audience mode” to their games. This mode allows the game to be viewed from a number of perspectives and often supports replay and recording features. This is due largely to the rise of cybersports and machinima and has mostly been a boon to the industry. Additional game observers can create security problems, however. In the real National Football League, the New England Patriots were caught using cameras and electronics to read the communications between players and coaches of their gridiron foes14. Audience mode tools can be used by colluding players or players who hack into a game server to achieve the same objective. The best countermeasure is probably introducing a communications delay before sending information to the game’s audience. This will almost certainly not be effective if a player is hosting the game server.

Chapter 20 Competition, Tournaments, and Ranking Systems (and Their Abuse)

199

More sophisticated blackout systems are likely to be technically difficult to implement and tempting for hackers to circumvent. These attacks are basically exploits of the tournament or ranking system and need to be countered as such. Although technical countermeasures may sometimes be able to detect these hacks, they are difficult to isolate, by their nature. Ghosting weaknesses are best thwarted by changing the tournament or ranking scheme and rules, just like game exploits.

A BANDONMENT : T HE “G AME O VER ” G AME One part of the game code is of particular concern for both the game operator and the game developer—the “game over” game code. Networked games can end for a number of legitimate reasons, but also for illegitimate ones. Dropped connections and computer failures are too common to be simply ignored or arbitrarily punished. Game developers and providers also need to be concerned about players abandoning a game to avoid a loss and reduction in ranking (called stat guarding). This has been seen in the Ultimate Online Baseball MMO. Certain players (derisively called stat babies) in Netamin’s game abandon their games when it looks like they may lose and damage the statistics of their pitchers or hitters15. Malicious players can abuse a game’s “game over” logic, and even the game abandonment code to their advantage. Depending on how the “game over” logic is implemented, malicious players may be able to force the game to end when they have an advantage or to use their preferred scores as the authoritative source for the game. Players may even abuse the game abandonment system to make it look like the other player has abandoned the game—and trigger the game score system to punish the other player accordingly. The ideal approach is for the game to periodically establish a “certified game state” that can be used to replay or finish the game at a later date (ideally, this would be done continuously). Players can also attempt to report false scores and delay reporting of undesirable game results to manipulate a ladder or tournament system. A final problem occurs when players make side wagers on game results. This is not something that a game operator can handle directly, but it is an issue that they should be aware of, because these side wagers can substantially alter the behavior of the players. It may be more profitable for players to lose the game and distort the ranking system if the side bets are large enough (or there is little value in having a high rank in the ladder). Unfortunately, there are no magic bullets for these problems. Trustworthy game logs may help, but games need to be examined on an individual basis.

200

Protecting Games: A Security Handbook for Game Developers and Publishers

ZERO-SUM SCORING Abandonment is a particularly tricky problem for online games. The essence of any solution is to make it more advantageous for a player to complete a game, whether or not they win. A metric that simply rewards players for completing more games may help. One also needs to look at how a game is scored internally. Games that have asymmetric scoring systems (a term I’m making up as far as I know) are particularly vulnerable to this form of attack. An asymmetric scoring system is one whereby one player can score independently of the other players. Baseball is a good example. Runs are earned by a given team, as are individual statistics, without direct corresponding consequences for the other team or players. Many games can be configured so that the game’s scoring system is “zero-sum” or symmetric scoring. Each positive event for one player is balanced by a negative event for the other player(s). Thus, a game will have a net score at all times of zero. In many cases, this allows the game to end at any time and still be considered valid. One game that uses this type of scoring system is the Austrian tarot card game called Konigsrufen. The problem we encountered when playing the game was that we never had the exact right number of players for the game. The game requires four players, but we often had five or six, but never enough for two full tables. This was a group of mathematicians, so, of course, they had a mathematical solution to the problem: zero-sum scoring. If I scored 300 points in a hand, each other player lost 100—making the hand net out to zero, so that the odd-mathematician-out could play the next hand while keeping the game score working for the whole evening. This is a powerful and flexible concept. So, if there are W winning players and L losing players, and the total reward is R, then: R = W*r = L*(-p)

Thus, each winning player will receive: R/W = r reward points

and each loser will lose: -R/L = p penalty points

Overall standings are based on players’ individual scores. Although the sum of the players’ scores is zero, their individual scores can vary widely. This technique may not always be applicable but it can be an effective technique to minimize the consequences of game abandonment. Also, because the game is always at “net zero,” the game service may more easily support late player substitutions or replacement players joining a game session to improve the game play experience while not punishing (or excessively rewarding) late players.

Chapter 20 Competition, Tournaments, and Ranking Systems (and Their Abuse)

201

G AME O PERATOR P ROBLEMS Game operators don’t like to think of themselves as a source of game problems, but players certainly do. The most important asset a game provider has is her reputation. In order to avoid damaging public relations, game service providers should be prepared for accusations from disgruntled players. BIAS Because of the nature of the games that they are offering, game providers often have insider knowledge that would give a favored player a real advantage in a game. Also, if there are games played in competition with the game provider, there can be tax advantages to reducing apparent winnings by colluding to lose to a cooperating player. (This is a concern that regulators sometimes have with casinos. Casinos are taxed on their winnings, so sometimes a greedy casino will arrange to lose to a player and thereby reduce its taxes. The casino then arranges to share the ill-gotten winnings with the corrupt player.) The MMO EVE Online faced accusations that members of the game developer’s staff were giving their team (corporation) an unfair advantage in the game16. The best strategy to avoid this problem is to simply not allow developers, their friends, family, or anyone else personally or professionally associated with the game to play. I’ve had this debate with several developers who’ve objected strongly. If developers must play, it should be separately and they should clearly identify themselves. Also, they should be subject to quite rigorous logging. Even the appearance of impropriety can be quite expensive. The loss of only 100 subscribers due to damaged reputation for virtually any MMO would likely exceed almost any employee’s annual salary. INSIDER PLAYERS/SHILLS This is a problem associated with closed tournaments, skill games, gambling games, or other games for money. It is a more extreme version of the bias problem, whereby the game provider intentionally seeds the game with insider players and alters the game for the game provider’s benefit. PAYMENT ABUSE/TILL FRAUD/RAKE ABUSE If the game service has payments involved, there are opportunities for payment abuse. A game company that shaves a nickel here, a penny there, and a dime somewhere else can easily and stealthily earn substantial undeserved revenues (the general term for this in the computer security field is a “salami attack,” in which many individuals do not notice very small amounts of fraud but the aggregate amount stolen can be quite large).

202

Protecting Games: A Security Handbook for Game Developers and Publishers

Game providers should provide clear payment tables that are always available to players and full and detailed accounting records for the player’s review. It would be optimal to provide an independent audit on the player’s platform, but this is not always practical. An outside auditing firm in support of well-documented processes and procedures and other measures can help build a reservoir of trust. This type of attack could easily be implemented in virtual asset games by providing smaller amounts of virtual currency than promised to players, removing a small amount of virtual currency or items from a player’s existing virtual holdings, or altering virtual asset prices for non-observant players. This can happen with real items, not just virtual assets. The use of electronic point-of-sale software has made it possible for crooked business owners to take funds, without reporting income, by using programs called zappers17. Basically, zappers create fake transactions from a malicious company’s business partners for the purchase of items or they alter the price of items. The zapper manipulates the entire accounting system to allow a crooked business owner to extract cash without ever reporting it as income but still have clean books for auditors and tax collectors. ULTRA-VIOLENCE/ACTION HANDS In games where variable rewards or payments are involved, the game provider may be able to make the game more “interesting” and hence increase payments by players to the game operator. In this case, the game provider doesn’t really care who wins, just that there is more activity than would be occurring normally under the game’s rules. There have been accusations that some online poker sites have a bias towards dealing hands that will encourage a lot of player wagers, thereby earning the game operator more money from increased wagering. Reputation is critical for a game provider. Anything that can damage the game operator’s reputation can be very costly very quickly. It is important for game providers to avoid even the appearance of impropriety. Also, as the (online) game industry grows, it will be important for companies to cooperate and develop best practices and perhaps even certifications to protect the whole industry from flawed practices or individual bad apple companies that could turn into government regulation or result in lawsuits.

I DENTITY P ROBLEMS Identity becomes much more important once one moves to a rich online game service (see Chapter 29). The simplicity of developing a casual single-player game and hosting free standalone games becomes substantially more complicated when other

Chapter 20 Competition, Tournaments, and Ranking Systems (and Their Abuse)

203

players become involved. Undermining identity is a critical part of many of the attacks discussed so far. There are many ways to weaken identity and some of the problems can have particularly serious impact on tournaments and ranking systems: Invalid Licenses/IDs—Both paid and unpaid games often use a license key or platform ID as part of their identification system. For performance, storage, and business reasons, these keys are sometime not issued and validated individually, but generated by an algorithm. Malicious players can steal keys, duplicate them, or break or reverse-engineer the ID authentication algorithm (see Chapter 5). As discussed previously, there are ways to ensure the security of license keys and recover from compromises—but the techniques are game service specific. “Alt” IDs—Free online game services often permit, or do nothing to stop, the creation of multiple identities. Players can use these additional identities to increase their chances of winning or boost their rank with lossbots. Positive incentives can be used to encourage honest registration of identity, such as prizes or loyalty programs. Outsourcing—Players sometimes recruit or hire other players who are good at a game to play for them to boost their score. This is offered as a commercial service, just like gold farming, for several massively multi-player online games including World of Warcraft, but it has also been reported with players hiring other players to boost their rank in ladder systems for casual games. There is not much that can be done to prevent identity outsourcing (see the section in Chapter 22 on power-leveling). Game Save Sharing—Some games store the state of the game or other persistent information locally. This data is sometimes exchanged with other players to boost statistics or otherwise enhance play. This has occurred on the Xbox 360 console to boost achievements in the Xbox Live service. If the game or console needs to support storing these files, the files should be cryptographically tied to a specific platform or user account (see Chapter 14). Strong identity can mitigate many online game security problems, including those associated with tournament and ladder hacking. Interestingly, cash and prizes are great tools to encourage better reporting of identity information by players and can easily be tied to competition and ranking systems. At the same time, cash and prizes substantially increase the value and likelihood of attempted attacks. There are advantages and risks with either approach. Strengthening identity is generally quite useful and there are often solutions to reduce the effectiveness of attacks on games, as discussed in Part III.

204

Protecting Games: A Security Handbook for Game Developers and Publishers

C OUNTERMEASURES There are numerous ways to protect tournaments and ranking systems against attack. What follows is a list of tactics that may (or may not) be applicable to your specific environment: Buddy List or Guild High Scores—Rather than having a single, global highscore system, use buddy list high scores. In order to implement this tactic, the online service will need to keep track of all the pair-wise scores and reporting status in a localized buddy list or guild. Because scores are only published within a local community, spurious accounts and results will not cause meaningful problems. Buddy list scores can serve as a recruiting tool. Likewise, giving players the ability to track their relative status with their friends may help build the online community and virally expand as players recruit their friends. Buddy list scores can also be used for guild versus guild or team competition, tournaments, and so on. Paid Versus Unpaid High-Score Systems—If there is an economic or other model tied to the game, you publish only the high scores for those who are actually helping your business by paying. This can even be tiered based on how much money the person has spent. Levels of Competition/Bridge Style Rankings—The card game Bridge has a ranking structure based on multiple tiers. Thus, one moves from player to master to grand master, and so on. For an online game with weak identity, this structure can be used to radically drive up the cost and effort to spoof the highscore system (and is similar to the approach used in the tournament ranking system in A Tale in the Desert, discussed previously). For example, in order to move from player to master, the player must defeat 10 other players; in order to move from master to grand master, the master must defeat 10 other masters. (You can add more levels as desired; martial arts rankings have a “belt” system that supports quite a number of levels.) For a legitimate player, the minimum number of games to move from player to grand master would be 20. But for a spoofer who was creating phony losing accounts, the number of games would be 120 (10 fake players to move to master, 100 fake games to create 10 more masters, and 10 more fake games to get to grand master). As always, strategies can be combined and there could be a conventional leader board at the top level (the grand master). Additional twists can include: 1. Uncount scores if the opponent becomes inactive for 30 days. 2. For server-based games, you can track the duration of games to see if they are unusually short (for time-based games) or fewest turns (for turn-based games). You can then throw out games that are too short, once you have data on typical or expected game lengths.

Chapter 20 Competition, Tournaments, and Ranking Systems (and Their Abuse)

205

Cash and Prizes—As noted several times already, the possibility of winning something tangible is a powerful incentive to disclose identity. The prize doesn’t even have to be very large. The downside, also as noted previously, is that valuable rewards encourage hackers. Natural Achievements—For games that have achievements, rather than hiding achievements like Easter eggs around the game, have these achievements based on natural game activities and spread them out smoothly throughout the game to reflect thorough and masterful play. Some games have used “unnatural achievements,” such as playing an excessive number of times, that may wind up costing the game operator money if the player overuses the service. Impersonal Global High Scores—Global high scores can be listed, but not globally attributed to the player. Thus, only a player’s game friends would know their score (if used in conjunction with buddy lists). This may weaken the urge somewhat to cheat, because the player needs to work harder for notoriety. The downside is that this may reduce the value of the high-score service. Randomized Matchmaking—There are real benefits to randomizing players for ranked games. Player teams, such as clans or guilds, can add complexity to this, as individual performance could add to the group’s ranking. Game operators need to be careful about lobby-stuffing tactics. Face-to-Face Play—There is no reason that the only way to earn scores is online. It can be a powerful marketing tool, and a deterrent to some attacks, to invite local and regional high scorers for a face-to-face tournament where additional rewards can be earned through live, face-to-face competition. Server Scoring—Move the technical score accumulation process to the server to certify the scoring process for the game. This should cause a lot of trouble for a number of the exploits discussed so far, particularly game save sharing. Time-Based Rank—It may be possible to thwart some players who use lossbots or other methods to lower their ladder rank by including an additional attribute for how many minutes of play or total game sessions the player has participated in. Apparently, Microsoft and Bungie are incorporating this technique to help fight leader board cheating in Halo 3 18. Grouping Cheaters Together—Segregate rankings for cheaters and non-cheating players into separate systems. Neither group really needs to see the other. Blizzard incorporated a variant of this tactic into Diablo II on Battle.Net19.

206

Protecting Games: A Security Handbook for Game Developers and Publishers

R ETROFITTING G AMES

FOR

T OURNAMENTS

AND

S KILL G AMES

Many games are not really suitable for tournament or skill-based play because of their poor security. This is both an issue and opportunity because tournament and skill-based play extend the life and may increase revenue for game developers and publishers. Game fans and secondary game businesses have tried to build tournaments and skill-based games businesses around a number of games. Many of the games that people have tried to convert to a “for-money” business model are vulnerable to standard hacks, including proxies and state hacking. Whereas cheating is somewhat tolerated in a “for-free” or “for-fun” environment, when cash or prizes and payments are involved, cheating becomes a central concern for the business. The typical architecture for these online services would include a central game server with multiple game clients. Legitimate operations require that each player has a licensed version of the game. In order to improve security with these legacy games, the game can integrate a real “action log” for each participating player. For this approach to work, the game needs to be able to be accurately replayed from a log file consisting of the sequence of player actions, timestamps, and, optionally, one or more random seeds. The random seeds would be provided by the game server or the collaborative random techniques discussed in Chapter 13. At the end of the game, the players submit their action logs to the server. This can be done after every game, at a random time, or when there is a dispute between players or an unusual result. The server then uses the logs from all of the players to reconstruct the game and see if it matches the observed results and game play behavior in its own action, state, and visual logs. Discrepancies can be used to identify problems and take suitable action. This approach stops many, but not all, security problems for legacy games. One problem the “action logging” approach does not stop is the use of automation tools or player aids. These attacks will always be hard to detect because they don’t alter the game; they just improve the player’s performance.

S UMMARY Game service providers are moving to provide richer player experiences to complement their games. These richer game play systems, such as tournaments, ladders, and reputation systems, bind the players to the service and inspire the players to continue playing. Tournaments can be great marketing tools. NCsoft has run a number of tournaments for Guild Wars with substantial prizes 20.

Chapter 20 Competition, Tournaments, and Ranking Systems (and Their Abuse)

207

Hackers do not have to attack individual games to undermine these valueadded services. The hackers can attack the entire game service fabric. These attacks can be costly to the game operators. Microsoft and Bungie shut down the leader boards for Halo 2 21 and one can only speculate how many sales might have been lost compared to the cost for improving the security of the ranking service. Player reputations and rankings are sometimes sufficient reward themselves to inspire hackers to exploit these competition services. Fortunately, malicious players are more interested in the fame of breaking a game’s security (and publicizing the fact) than running up a high score. The threats to a game service change fundamentally when a game service provider begins to support real rewards and prizes—hackers and cheaters will stop sharing and publicizing their exploits. This results in a substantially greater burden on the game service provider’s built-in security and security team.

R ESOURCES 1. C. Allen, S. Appelcline (2006), “Collective Choice: Competitive Ranking Systems,” http://www.lifewithalacrity.com/2006/01/ranking_systems.html 2. GoldenToken (2008),”Types of Tournaments,” http://www.goldtoken.com/games/wiki?wiki=Types%20of%20Tournament;ref=Wiki%20Start%20Page 3. Full Tilt Poker (2008), “Rebuy Tournaments,” http://www.fulltiltpoker.com/rebuy-tournaments.php?ck=ftp213758551084424 4. Pokervariations.org (2008), “Types of Tournaments,” http://www.pokervariations.org/types-of-tournaments.php 5. C. Allen, S. Appelcline (2006), “Collective Choice: Rating Systems,” http://www.lifewithalacrity.com/2005/12/collective_choi.html 6. Wikipedia (2008), “National Invitation Tournament,” http://en.wikipedia.org/wiki/National_Invitation_Tournament 7. A. Tepper, J. Yelon (2002), “eGenesis Ranking System,” http://wiki.atitd.net/tale1/EGenesis_Ranking_System 8. ATITD (2004), “Tournament Ranking System,” http://wiki.atitd.net/tale1/Tournament_Ranking_System 9. L. Frederick (2007), “NBA Star Caught Cheating at Halo 3,” http://www.escapistmagazine.com/news/view/77998-NBA-Star-Caught-Cheating-at-Halo-3 10. J. Savage (2007), “Game Stopped After Cheat Allegations,” http://www.thelocal.se/6788/20070324/ 11. J. Leyden (2004), “Botnet Used to Boost Online Gaming Scores,” http://www.theregister.co.uk/2004/12/21/randex_botnet_fun_and_games/ 12. Blizzard (2005), “Accounts Closed for Ladder Abuse,” http://www.battle.net/news/0503.shtml 13. N. Maragos (2005), “Battlefield 2 Security Holes Exploited, Login Problems Reported,” http://www.gamasutra.com/php-bin/news_index.php?story=6033

208

Protecting Games: A Security Handbook for Game Developers and Publishers

14. J. Joyner (2007), “New England Patriots Cheating Scandal,” http://www.outsidethebeltway.com/archives/new_england_patriots_cheating_scandal/ 15. M. Lafferty (2006), “Stat Babies Cropping Up in Online Games,” http://www.gamezone.com/news/08_07_06_01_49PM.htm 16. J. Blancato (2007), “Jumpgate: EVE’s Devs and the Friends They Keep,” http://www.escapistmagazine.com/articles/view/editorials/op-ed/847-Jumpgate-EVE-s-Devs-and-theFriends-They-Keep 17. R. Furchgott (2008), “With Software, Till Tampering Is Hard to Find,” http://www.nytimes.com/2008/08/30/technology/30zapper.html?_r=1&oref=slogin 18. Michiel Meijs (2006), “For All You Halo Fans Out There #3,” http://www.xboxic.com/news/2045 19. A. Park (2002), “Battle.Net Cracks Down on Cheating...Again,” http://www.gamespot.com/pc/rpg/diablo2/news_2871872.html 20. A. Rose (2006), “Guild Wars Goings-On,” http://www.joystiq.com/2006/05/31/guild-wars-goings-on/ 21. Frankie (2005), “Bungie Weekly Update: October 14th, 2005,” http://www.bungie.net/News/content.aspx?type=topnews&cid=6864

21

Griefing and Spam

“Hell is other people.” 1

f being trapped in a room with three other people for an eternity is Hell, one has to ask what is the name for the place where you are trapped with millions of people who can do what they want and say what they want with impunity for even a day?

I

The Internet, of course. The two are easy to confuse. And, just like No Exit’s characters Garcin, Inès, and Estelle, we all have the opportunity to escape and turn off the computer, yet none of us do. There are a wide range of ways that we inflict grief on each other: Through game play. Although “emergent game play” is often seen as a good thing, there is a dark side where players take advantage of game systems to disrupt the experience for others. Interestingly, a number of these game play exploits grew out of a desire to make game play “safer.” Communications, the tools that enable community, are routinely turned into weapons wielded to harass, abuse, and annoy others. Players also turn the very management tools for reporting griefers into griefing tools themselves. They can even take advantage of the simplest game services, like high scores, to disrupt the game and attack the game developer. User-created content is seen by many game developers as something of a “Holy Grail.” Such content enables developers to provide a sandbox in which players can create and play. Unfortunately, players sometime use these tools to abuse and harass others and have gone so far as to implement denial of service attacks against the game itself.

209

210

Protecting Games: A Security Handbook for Game Developers and Publishers

There are consequences for these actions. Some in-game harassment rises to the level of legal harassment; off-color remarks and content can be considered obscenity; and certain activities, such as “age play” (where adults use avatars of children in sexual situations), can create serious legal and business problems for a game service provider.

C OMMUNICATIONS G RIEFING

AND

S PAM

Insults and harassment are virtually routine for many online games. The anonymity afforded to online game players has given rise to widespread and increasingly aggressive harassment. The hardcore gamers who are otherwise prized by game companies are often the worst offenders and taunt the newest players (derisively called “n00bs”). This, of course, is the riskiest time for a game operator—new players are liable to abandon a game that they find hostile. There is often a perception by players of a “right to anonymity.” There is no legal basis for this and, in fact, the Privacy Act in the US did not come into being until 1974 and mainly addresses an individual’s privacy in relation to the government. Sexual and racial harassment also, regrettably, occur too often. Additionally, the rise of gold farming in MMOs has led to a corresponding increase of in-game spam marketing that touts these services (see Chapter 22). As games become more and more mainstream, it will not be surprising to see the same kind of spam we all suffer from in our email. The Facebook social network is increasingly being targeted for spam, virus and worm delivery, and phishing attacks2. A recent survey showed that spam was effective—nearly 30 percent of individuals surveyed had purchased a product based on a spam message3. Response rates are surprisingly high, considering that the bulk of spam is blocked by filters. There are 10 sales per million spam messages sent; a good return on investment since botnet spam only costs $5 to $10 per million messages. Even worse for game operators, some of this spam can be used for phishing for account information or otherwise attacking the game service directly. IN-GAME, COMMUNITY,

AND

CUSTOMER SUPPORT

To fight these problems, as well as to address other issues, game companies provide customer support and community and forum features. Apparently as many as 25 percent of customer support calls are due to griefers4. This direct avenue for filing complaints is also a direct cost to the game company. In 2002, Alan Crosby of Sony estimated that his 60-person customer service staff each spent one hour out of an eight-hour shift handling griefing for the EverQuest MMO5.

Chapter 21 Griefing and Spam

211

The most common “griefer counter-measure” is to put in place a strong set of community services. Depending on the game, these community services provide clan features (tools to form and support player groups or teams), friends lists, reputation systems, and other services both to tie players more closely to the game and to create an environment that reduces anonymity for misbehaving players. One of the best features of a strong community service is that it can provide substantial security benefits at modest marginal cost. After all, the game developer is putting the community system into place for primarily business growth and marketing purposes. There are two main limitations of community systems from a security perspective. First, malicious players can often create new accounts (especially for game services that are free), thus removing the effective social stigma of griefing. Several games attempt to fight free-account griefers and spammers by requiring players to have reached a certain level (implying a fair number of hours of game play) or pay to be able to broadcast messages in the game. Second, malicious players can use the anti-griefing system to cause further grief by wrongly accusing other players of griefing. This is an excellent and unfortunate example of griefers using the game system against itself and other players. Player accountability is the key to controlling griefing. Some online game services, such as Battle.Net, X-Box Live, and Valve’s Steam have the capability to tie a product license key or other unique tag to a player and can use that identity to punish or ban abusive players. The other major form of customer support is found in persistent world games. In-game game masters provide live monitoring of the game play environment. This gives the game provider the ability to respond in near real time to griefing incidents. This solution is quite powerful, but it does come at a cost. Consider the Sony EverQuest example. Crosby estimated that one eighth of each of his 60 employees’ time was spent handling griefing. So, basically, he had the equivalent of 7.5 employees devoted to griefing full time. If we assume a modest salary of $40,000 per year (this is really cheap, as it wouldn’t include additional fees for shift work, health and other benefits, or management overhead), Sony was spending approximately $300,000 per year, at least, and probably closer to $500,000 on the griefing problem (2002 was in EverQuest’s heyday, so the game probably had approximately 425,000 subscribers at that time6). Although this may not be a huge portion of the game’s revenues, it comes directly from profits and, even worse, there are likely additional costs that are hard to measure directly in terms of lost subscribers or non-renewals by existing subscribers. The cost of managing griefing can grow rapidly for a game service provider and can lead to lost subscribers, redirecting staff from other assignments, reducing player satisfaction, or increasing the total staff costs for the game by simply adding

212

Protecting Games: A Security Handbook for Game Developers and Publishers

staff to handle the complaints. For a small game, the cost of managing griefers can be the difference between success and failure. For a large game, these costs are a continual drag on the bottom line. Given these numbers, a game company can make a rational decision as to whether a new security solution is needed. If griefing is at all a problem in a game, it is probably costing hundreds of thousands of dollars, minimum. The question is: are there solutions and what do they cost? ANSWERS

TO THE

GRIEFING PROBLEM

A security solution is not likely to be able to stop griefers, but should detect, and hopefully deter, them. A common, but usually unsuccessful, approach to stop griefing is to use “dirty word” lists. “Dirty word” systems basically operate an ever growing list of “banned” words and phrases that will cause a message to be blocked or the offending words or phrases removed. A very different approach is to (mostly) eliminate open communications as Disney has done with Toontown Online. Disney’s children’s MMO has a communications architecture that eliminates “chat” except among trusted friends7, and this approach has been followed by other children’s games. These games use totally structured communications for most players with all text and even sentence structures provided by the game company. If friends have shared a code outside of the game environment, they can communicate through a monitored chat service (see Chapter 30). Monitoring communications can be expensive. Another children’s game, Club Penguin, has 100 real-time employees monitoring player communications and adds 500 to 1,000 words per day to its “dirty word” filters for its 12 million total users and 700,000 subscribers8. For most games, a general-purpose communication capability—either via text chat or voice or increasingly video—is integral to the game experience. Real “dirty word” lists are very vulnerable to “misspelling” attacks that will thwart the security system while effectively conveying the harassing message. Live license keys are fairly effective in using platform identity to deter griefing (by the threat of banning), but these keys do not have a strong binding mechanism to an individual message or person. Similarly, credit card controlled accounts for massively multi-player games can strongly identify an individual player during a session, but they also cannot be bound to a potentially offending message. One tool that binds the actual communications to an individual is a digital signature. Digital signatures can support both client-server and peer-to-peer communications. This is especially important as games grow larger and the cost of simply relaying messages grows rapidly for voice and video communications to the point where a central service cannot log and monitor all communications.

Chapter 21 Griefing and Spam

213

Although there are numerous references that can explain how digital signatures work, the important feature they support is non-repudiation. Non-repudiation is defined as the property that only one individual could have signed a message. This works by taking advantage of the unique characteristic of public key cryptography, namely, that knowing the public key (P) “half” of a public-private key pair will not allow the reconstruction of the private (secret) key (S). This feature allows an individual to broadcast their public key to everyone and they will be able to decrypt my messages, but only the individual who knows the private key can encrypt them. The player can then use her private key to “sign” a message by encrypting a hash of the message (or the message itself). Then, anyone can use the public key to validate the message’s signature. The signed message is formatted as follows: S(message) or message,S(hash(message)); // where only one person knows how to compute S(x)

The verification process works as follows: P(S(message)) = message or P(S(hash(message)) = hash(message); // where everyone knows how to compute P(x) and hash(x) /* if the hash of the message received does not match the hash included in the signature, then the message is not verified */

Now, if you build the communication system (voice, video, or text) and add a digital signature service, players will not be able to deny that they created the messages that they have sent nor will other players be able to misrepresent messages from the actual sending player. At least, this is so as long as there is reasonably good identity information for the players (see Chapter 29). If a player can store all of the messages that she receives and forward them to the game operator when she wants to file a complaint, the operator will have an undeniable record of the conversation that cannot be manipulated. This has several benefits. First, the potential griefers will be deterred, knowing that their actions are neither non-deniable nor spoof-able. This is probably the most important characteristic of the system. Deterring griefing (like crime) has a much better return on investment than hunting down and catching the troublemakers. This technique actually can be extended to regular in-game actions to deter spawn camping and other griefing problems by utilizing logs stored by players for evidence of abuse.

214

Protecting Games: A Security Handbook for Game Developers and Publishers

Second, the game operator can reduce the live team and customer support staffing for grief-management. Because there are reliable logs of alleged griefing, real-time response by the customer support team is less critical. Players can post messages for reliable adjudication and both players’ versions of a conversation can be used as reliable evidence—which leads to the third benefit of this approach— fewer customer disputes and complaints. Digital signatures do nothing to stop spam. Unfortunately, spamming players usually have found a way to acquire an account that can broadcast messages and they are willing to risk being banned from the game after sending even a single message. The simplest solution is to remove broadcast communications services from the game, but these services can be very useful for many reasons such as helping players form ad hoc groups to ask for help. Another approach is to phase the distribution of broadcast messages. Most of the time, this type of spam is sent via text, not voice or video. Broadcast voice and video are just too disruptive, so players tend to only use them with much smaller groups and can simply “mute” or blank out anyone who annoys them. Phased distribution works by dividing the active players into a (binary) tree structure at random. When a player sends a broadcast message, it is first sent to the players in the same low-level branch, and then sent to the players in the same higher-level branch, until eventually, it is sent to everyone (see Figure 21.1).

FIGURE 21.1 Anti-spam phased message propagation system

Chapter 21 Griefing and Spam

215

The pacing of this distribution system should be set up to give players a chance to mark the message as spam before it is sent to the next tier in the system. This technique will disturb the fewest players from any given spammer. As with many other challenges for gaming, weak identity aggravates griefing and spamming security problems. Strengthening identity is always helpful. For games that want or need to support fairly anonymous players, the key is to minimize the impact of spam and grief-related activities either through structured communications or other measures that reduce impact on legitimate players and effort for customer support personnel.

HIGH SCORE OR PLAYER NAME GRIEFING Players often choose inappropriate or obscene names for their online personae or characters. Often, this is simply acting juvenile, but sometimes these names are chosen with malicious intent. In the previously cited advergame security survey 9, 10 , some players used the games’ high-score lists to criticize the sponsoring company. Such incidents can be particularly troubling when they occur in a marketing campaign with high visibility. Player reputation systems and alert processes to help flag inappropriate user names are fairly effective. However, it may be advisable to take the further step of manually verifying new high scores before they are available publicly. In order to minimize player impact, the game operator can structure the game to show the player her proposed username, but not reveal the name publicly until it has been verified.

G AME P LAY G RIEFING Just as players use weaknesses in a game’s rules implementation to gain a competitive advantage, a number of players use these exploits simply to abuse other players. One of the most common such tactics is “spawn killing,” whereby players kill another’s character just as the character enters the game before the player can take any action or protect herself11. Often, the countermeasure is to allow players to be briefly invulnerable as they enter the game, invisible, or vary where they appear. These tactics have to be used with caution, as they can, in turn, be used to grief other players. Another game play griefing tactic is when players sometimes kill the characters belonging to their allies, the gaming equivalent of “friendly fire,” which is called “team killing”12. Typically, there is very little that can be done about this problem without seriously distorting a game’s design.

216

Protecting Games: A Security Handbook for Game Developers and Publishers

After murder, theft follows naturally in the hierarchy of sins. “Kill stealing” is the practice of taking items or experience that another player should rightly have earned13. Depending on the game’s design, players can sometimes join a battle very late but still share equally in its rewards. The extreme version of this tactic is “ninja looting,” whereby a player seizes unearned items or items that her group had agreed to share in a different fashion, and finally, there is “scavenging,” whereby a player accumulates items or resources left behind by other players14. Some games have addressed these issues by making the entire combat process more structured. Once players have joined a battle, no one else can participate in the fight or earn a share of its rewards. Often, the problems come from a mix of formal and informal game play systems, as is often found in PvE (player versus environment) MMOs. These games often have game rules in place to prevent conflict between players (called PvP); however, the developers want the game to be “real,” and this is where the trouble occurs with inconsistencies in the various game mechanisms.

DON’T DROP (LOOT) Many online games have monsters that “drop” items when defeated. Players then “pick up” the items either individually or allocate them based upon a predetermined arrangement. The “ninja looting” problem described previously arises from this design. A simple approach to fighting this sort of abuse is that the players who participated in the combat or other action that resulted in the loot drop handle the allocation of items abstractly. Nothing is “dropped” physically to be picked up by the fastest or most devious player. Instead, items appear in a transactional window with each item to be allocated among the participants in the combat. Allocations are proposed by the players; however, nothing is released to anyone until all of the participants “vote” on the result. The default system would be a unanimous vote with nothing allocated until everyone agrees. Players can still cause grief by refusing their vote, but they don’t get any benefits either. The game can retain the transaction for a week or other interval and then the items disappear. For an organized party of players or guild, loot can build up and be allocated by a number of different systems. This is an opportunity for a game developer to provide flexible player interactions and an effective “contract enforcement” tool.

Chapter 21 Griefing and Spam

217

If the game is very formal, the rules will tend to prevent problems, and if the game is very “real,” abuse has consequences. This latter approach is seen in the science fiction MMO, EVE Online. EVE Online is a largely player versus player game, although certain parts of the universe are more secure against inter-player aggression. When players can attack players, these forms of griefing tend to take care of themselves. Players will simply get revenge on the other players for theft. Interestingly, EVE Online has taken a different approach to theft griefing in the parts of the game where players are not supposed to fight each other (high security space) with a space-based police force called CONCORD. The CONCORD system will essentially destroy anyone breaking the game’s anti-griefing rules in “high security space.” CONCORD is not immediate, and so some players can carry out their crimes and not get destroyed. Also, players have sometimes used throw-away ships to carry out suicide attacks and used other ships to steal loot. This technique, called “suicide ganking,” is being addressed through changes to the game rules15. Basically, game developers need to be quite careful and test their designs to identify both potential cheating and griefing exploits.

U SER -C REATED C ONTENT The ideal game is one where developers can just sit back and let the players create the game using some developer-delivered building blocks. Social networks do this by providing a communications framework with numerous features to encourage user action and interaction. Dating sites are the most obvious example. Players add information to their own profiles, rate, and communicate with other members, take tests, fill out surveys, send virtual gifts, and so on. For game services, some games go beyond simply providing high scores, multi-player lobbies, and the standard apparatus of social networks to allowing players to create, and in some cases, buy and sell, virtual items. Second Life and IMVU are probably two of the best known online services that use this model. Metaplace goes a step further by allowing users to create their own games. Some MMOs do support “crafting,” but this is not really user created content, but simply a portion of the game’s economy. Once a game allows users to create items or change the game’s rules, there are massive opportunities for abuse. “Time to Penis” is a tongue-in-cheek metric for the time from when some level of user creativity is permitted until someone creates a penis. Electronic Arts (EA) released a Creature Creator for its much anticipated, family-friendly title Spore. The immediate, inevitable response was widespread creation of obscene creatures, called Spore porn or Sporn16. EA is managing user content by allowing players to report inappropriate material as well as by allowing users to restrict the material that they receive from other players to creatures from no one, only their friends, or the general public.

218

Protecting Games: A Security Handbook for Game Developers and Publishers

This in-game graffiti is only one concern. Players can simply use their virtual presence to disrupt the experience of others as IBM found when Italian union workers moved to protest a reduction in their “productive results benefit.” Instead of a traditional strike, they protested in IBM’s online space in Second Life with 2,000 sympathetic avatars resulting in substantial, global media coverage (and, apparently, victory for the workers)17. Also in Second Life, a CNET interview with Anshe Chung was disrupted for 15 minutes by “animated flying penises”18. The griefing incident was followed by a copyright brouhaha when Anshe Chung’s company sent DMCA takedown notices to YouTube and media sites for posting copies of the video of the griefer disruption of the interview19. Second Life faces unique challenges because of the pervasive ability of players (called “residents” by Second Life’s creator Linden Lab) to modify themselves and their environment. Second Life has been moving to add more controls to its environment in the wake of these attacks. Because Second Life is structured around the notion of controlled virtual real estate, security controls really need to be matched to the game’s ownership model. Public spaces in the game have had a number of problems over the years with denial of service attacks that used the ability to create and animate items to overwhelm the virtual world’s servers. Neither IMVU nor Metaplace are likely to have the same sort of concerns in that neither have the same notion of a shared, public space that is also highly programmable. However, it does seem that IMVU has had some problems with players griefing the flagging system for inappropriate virtual items20. Lying somewhere between spam and user-created content was a stunt pulled by a gold farming company in World of Warcraft (WOW). In WOW, when a player’s character dies, it stays in place where the death occurs until the player starts over (respawns). The gold farming firm arranged to have a number of gnome characters die in a large pattern on the ground to spell out the company’s website address21. Rating and reporting systems are probably the best tools for managing abuse of user-created content systems in online games—especially when used in conjunction with an effective identity system (see Chapter 29). The power and potential for creativity of a service like Second Life makes it particularly exciting for those who are enamored with virtual worlds. However, balancing player creativity with griefer crudity and abuse is a huge challenge.

L IABILITY

AND

B USINESS R ISK

with J. Price Certain forms of griefing can create real legal and business risks for a game operator. Player-to-player communications and user-created content can be considered

Chapter 21 Griefing and Spam

219

obscene or harassment and trigger legal actions that affect both the individuals involved and the online service. Players can create virtual items that infringe on trademarks or alter a game to damage its reputation. OBSCENITY National, state, and local laws and ordinances classify most sexually oriented material as either obscene or indecent. It’s a serious issue. Criminal laws apply and there is a possibility of going to jail. But figuring out what is obscene and what is indecent is often complicated. The difficulty of defining obscenity was memorably summarized by U.S. Supreme Court Justice Stewart Potter in a concurring opinion when he said “I know it when I see it.” There are no objective standards. Even worse, because of the number of jurisdictions involved, a game operator may be in jeopardy without knowing it. The game operator can be sued where the game’s audience is located, not just where the company or servers are housed. In the US, the answer depends upon how the content is being viewed. Different obscenity standards apply to broadcast television, subscription television (cable/satellite), and the Internet. Offline, anyone sending sexually oriented material might avoid liability by controlling the point of delivery of their material to avoid areas with strict obscenity laws. Almost by definition, online services are accessible in the most conservative as well as the most liberal communities. Potentially, the most conservative contemporary community standard applies to any online service on the Internet when considering obscenity and indecency standards. In order to be completely safe and avoid prosecution of violating obscenity laws, the contemporary community standard of the Internet is (essentially) the most conservative community where the service is available. Even if the game operator’s provided material raises no concerns, user communications and user-created content can be an issue. Most troubling are the portions of the criminal code that apply liability to the game operator for any “knowing” use of the “interactive computer service” to transport and transfer obscene material. If a game operator receives complaints about inappropriate content, the operator must take prompt action. The game operator faces the risk of being charged if there is evidence that the operator received complaints regarding criminal content, such as obscenity, and ignored it. The U.S. Supreme Court has held that a prosecutor need not show that the defendant knew that the material was obscene, but “that he knew the character and nature of the materials.” The best practice is to maintain control of the online environment and users: Have online user policies that give you wide discretion to examine what is happening within your game and that enable you to work with law enforcement at your discretion. Take down content for whatever reason you feel is appropriate.

220

Protecting Games: A Security Handbook for Game Developers and Publishers

Don’t put your head in the sand. If you hear of something fishy, go after it and take down any content that can’t be viewed on prime-time television. If adult or other potentially risky (or risqué) content is important to your service, you’ll need legal advice tailored to your specific situation. HARASSMENT If you offer a service online that permits user communication, odds are likely that you will have a harassment case arise at some point. Law enforcement agencies have estimated that electronic communications are a factor in from 20 percent to 40 percent of all stalking cases22. Forty-five states now have laws that explicitly include electronic forms of communication in stalking and harassment laws. State laws that do not include specific references to electronic communication may still apply to those who threaten or harass others online, but specific language can make the laws easier to enforce. A number of federal laws also are relevant. Authorities will work actively to pursue harassment cases. In a widely reported incident, a woman was accused of bullying a neighborhood teenager via MySpace, which may have contributed to the 13-year-old girl’s suicide 23. Federal prosecutors charged the woman with one count of conspiracy and three violations of the antihacking Computer Fraud and Abuse Act. They accused her of violating MySpace’s terms of service by providing false information to open a fake MySpace account with her daughter and another teen in September 2006. In doing so, authorities say, she obtained unauthorized access to MySpace’s servers. TRADEMARK

AND

COPYRIGHT INFRINGEMENT

Trademarks only stay in force when the trademark owners actively protect them. Copyright protects the authors of original creative works against unauthorized use. As such, trademarks and copyright-protected material that find their way into games via player actions can create real issues for game operators. Trademark infringement is a violation of the exclusive rights attached to a trademark. It occurs when one party, the “infringer,” uses a trademark that is identical or confusingly similar to a trademark owned by another party, in relation to products or services that are identical or similar to the products or services that the protected trademark covers. Trademark infringement is not covered under the Digital Millennium Copyright Act (DMCA) and is not subject to DMCA takedown notices. DMCA was used to inappropriately remove 3D models of cars and airplanes from the Turbo Squid 3D art-sharing site. This was allowed until a lawsuit was filed (and won), based on the inappropriate removal of a B-24 model, which was supported by the Electronic Frontier Foundation24.

Chapter 21 Griefing and Spam

221

Alteration of game content is another matter. Tecmo fought and won an out-of-court settlement against a website that provided a patch to its games Dead or Alive 3 and Dead or Alive Xtreme Beach Volleyball that removed the clothing from the games’ scantily clad models. The company charged the website, Ninjahacker, with unauthorized modification of game assets and circumventing the game’s copy protection system. Because the case was settled, the legal status of player modification of the material from a purchased game is still unclear25. Turbo Squid’s final comment on the matter probably serves as a good summary of the challenges that griefing and user-created content present for game operators: Turbo Squid solely provides infrastructure for vendors around the globe to post their models and creations for sale. By accepting our End User License Agreement when vendors sign up, they warrant that they have all rights to the models and other digital assets they sell. Turbo Squid is a Digital Millennium Copyright Act (DMCA)-compliant operation, and when we receive valid takedown notices from (copyright) or (trademark) owners we act accordingly, and remove any infringing models brought to our attention. That said, because of how the DMCA Safe Harbor provision works, and because of the realities of any large open marketplace, we do not pro-actively police (trademark) infringement to any degree that Turbo Squid might guarantee that any particular model is not infringing. We can only work in a responsive mode. The burden to not infringe falls to Turbo Squid’s vendors, the individuals who create these assets and place them for sale on our site. No matter what game operators do, it is likely that they will need to deal with harassment, abuse, obscenity, and exploits. They just need to be prepared. Although “Hell is other people,” there wouldn’t be much in the way of business or games without them, either.

R EFERENCES 1. J.P. Sartre (1944), “No Exit” 2. P. Kafka (2008), “Facebook Spam Getting Worse?,” http://www.alleyinsider.com/2008/8/facebook-spam-getting-worse3. J. Milne (2008), “Sex and Software Diet Fuels Spam Growth,” http://www.cbronline.com/article_news.asp?guid=781A882F-926F-47F0-B96F-962F5EFAF5E4 4. D. Becker (2004),“Inflicting Pain on Griefers,” http://news.com.com/Inflicting+pain+on+griefers/2100-1043_3-5488403.html

222

Protecting Games: A Security Handbook for Game Developers and Publishers

5. A. Pham (2002), “Online Bullies Give Grief to Gamers,” http://articles.latimes.com/2002/sep/02/business/fi-grief2 6. B. Woodcock (2008), “MMOG Active Subscriptions 70,000 to 700,000,” http://www.mmogchart.com/Chart2.html 7. M. Goslin (2004), “Postmortem: Disney Online’s Toontown,” http://www.gamasutra.com/features/20040128/goslin_01.shtml 8. P. Elliott (2008), “MMO Week: Club Penguin,” http://www.gamesindustry.biz/articles/mmo-week-club-penguin 9. Deloitte Touche Tohmatsu (2008), “Advergames op Grote Schaal Gehackt,” http://www.deloitte.com/dtt/press_release/0,1014,sid%253D13354%2526cid%253D202819,00.html 10. S. Davis (2008), “Serious Advergame Hacking Problems: Deloitte Touche Tohmatsu Netherlands Survey Findings,” http://www.playnoevil.com/serendipity/index.php?/archives/2107-Serious-AdvergameHacking-Problems-Deloitte-Touche-Tohmatsu-Netherlands-Survey-Findings.html 11. Wikipedia (2008), “Camping (Computer Games),” http://en.wikipedia.org/wiki/Spawn_camp 12. Wikipedia (2008), “Team Killing,” http://en.wikipedia.org/wiki/Team_killing 13. Wikipedia (2008), “Kill Stealing,” http://en.wikipedia.org/wiki/Kill_stealing 14. Wikipedia (2008), “Looting (Gaming),” http://en.wikipedia.org/wiki/Looting_(gaming) 15. J. Egan (2008), “Era of Suicide Ganking in EVE Online Coming to a Close,” http://www.massively.com/2008/08/06/era-of-suicide-ganking-in-eve-online-coming-to-a-close/ 16. M. Simon (2008), “Video Game’s User Content Spawns Naughty Web ‘Sporn’,” http://www.cnn.com/2008/TECH/07/30/spore.sporn/index.html 17. UNI (2007), “Breakthrough at IBM Italy,” http://www.uniglobalunion.org/uniibitsn.nsf/2e8743df5acf1602c125701f00464774/867567557e8242f2c12 57387005342d1?OpenDocument 18. D. Terdiman (2006), “Newsmaker: Virtual Magnate Shares Secrets of Success,” http://news.cnet.com/Virtual-magnate-shares-secrets-of-success/2008-1043_3-6144967.html 19. A. Reuters (2007), “Anshe Chung Studios Cracks Down on Griefing Photos,” http://secondlife.reuters.com/stories/2007/01/05/anshe-chung-studios-cracks-down-on-griefing-photos/ 20. Virtual World News (2008), “IMVU to Exit Beta This Summer” (comments), http://www.virtualworldsnews.com/2008/03/imvu-to-exit-be.html 21. A. Sliwinski (2007), “Gnome Corpse Advertisement in WoW by Gold Farmers,” http://www.joystiq.com/2007/07/05/gnome-corpse-advertisement-in-wow-by-gold-farmers/ 22. National Conference of State Legislatures (2008), “State Computer Harassment or ‘Cyberstalking’ Laws,” http://www.ncsl.org/programs/lis/cip/stalk99.htm 23. Associated Press (2008), “Report: Grand Jury Probes MySpace Suicide,” http://abcnews.go.com/TheLaw/wireStory?id=4107005 24. J. MacNeill (2008), “First They Came for the Fords, and I Did Nothing,” http://www.johnmacneill.com/WWII_Bomber.html 25. D. Jenkins (2005), “Tecmo Settles Nude Patch Lawsuit,” http://www.gamasutra.com/php-bin/news_index.php?story=5591

22

Game Commerce: Virtual Items, Real Money Transactions, Gold Farming, Escorting, and Power-Leveling

oney makes the (real and virtual) world go around. In some sense, money itself is the oldest, most widely used virtual item. Because money is so universally understood, virtual currencies are widely used as incentives in online games. Whatever one’s views are about “consumer culture,” we all seem to have a Pavlovian response to accumulating more things.

M

Game developers know this and draw on it to reward players. However, once you create a system where more is better, people respond creatively. Where there is a gap between those with more time than money and those with more money than time, someone will come along to close that gap. Welcome to game commerce. It is worth noting that game commerce is not applicable to all games—after all, there are games of pure mental or physical accomplishment like chess or baseball. Although people do cheat in both, there is no way that most of us will ever be a Chess Grandmaster or in the Baseball Hall of Fame. Anyone can be rich, however, especially in a game. Game commerce encompasses legitimate transactions where players buy, sell, trade, and exchange items, skills, or characters, as well as unauthorized transactions. The most visible, and notorious, form of game commerce is gold farming, where players purchase currency or items for real cash and don’t earn them by playing the game. The other major categories of unauthorized game commerce include powerleveling, which involves hiring other people to play on one’s behalf, and escorting, in which players hire other people to play along with them as partners. The problem for game developers is that, from a strict game play perspective, these activities are completely legal. In fact, many games that loathe game commerce are built expressly to support the very activities that make it possible. Game developers want players to be able to give items to each other and they strive to make it easy for players to group together with others and play the game socially.

223

224

Protecting Games: A Security Handbook for Game Developers and Publishers

THE DARK SIDE: FOUR MORE CATEGORIES OF GAME PLAYERS There are many reasons people play games. Dr. Richard Bartle proposed four basic categories of game players (as modified to suit my purposes)1: Achievers—Players who seek to maximize their score or items or status in the game. Explorers—Players who want to experience and understand the game world and its design. Socializers—Players who use the game as a mechanism to form and expand their social circle. Competitors—Players who want to compete with and excel over other players. Dr. Bartle seems to take a more negative view of this category than I do in that he includes abuse of other players as an implicit part of this category. To his four categories, I would add a set of mirror categories. The dark side of gaming: Earners—Players who seek to earn the most wealth in the game for real-world reasons. These are the gold farmers and power-levelers. Exploiters—Players who carefully study, explore, and analyze the game world and its mechanics to identify weaknesses that give them a substantial advantage, usually due to flaws in the game design and implementation. Harassers—Players who use the social mechanisms of the game to make the experience as miserable for others as possible. Dominators—Players who use the game’s mechanics to make other players miserable. These players are not really interested in doing better than other players, but in making other players know that they have been beaten. Figure 22.1 illustrates these player types. Exploiters and Earners are often closely tied to game commerce. Exploiters help optimize the earning potential of the game. Harassers and Dominators cover two of the main categories of griefing.

Chapter 22 Game Commerce

225

FIGURE 22.1 Game player categories As a game-design note, the existence of the four Bartle categories of players (see Figure 22.1) is probably one of the reasons that game commerce exists. Game developers are often Achievers and Explorers. They want players to work through the game and experience all of the developers’ carefully crafted content. The problem is that many players are not similarly motivated. Socializers want to be able to play with whom they want when they want. Some Achievers are more interested in status than achievement and they may not have as much time to play as the developers want them to devote to the game. Competitors are interested in competition, not resource gathering or exploration. Explorers may want to be able to go everywhere and do everything without “achieving” everything necessary to unlock all of the game’s doors. Game commerce is the shortcut for all of these players to achieve their goals in spite of the game designers’ wishes.

When game commerce is not explicitly permitted by game operators, it creates problems for the game operators because players will engage in game commerce activities, whether officially allowed by the game operator or not. In 2005, Nick Yee surveyed 1923 EverQuest players and found that 22 percent admitted to buying gold2. These gold buyers purchased an average of $135 per year in gold: fairly close to what they were paying in subscription fees to the game. Considering the fact that players are likely to under-represent the rate at which they do something that is frowned on, like gold buying, and under-report the amount that they spend on such items, it is very clear that gold buying is very widespread. Players pay for convenience.

226

Protecting Games: A Security Handbook for Game Developers and Publishers

Game commerce causes problems because it creates a mechanism where players can bypass parts of the game or the “effort” that the game’s developers, and a number of its players, feel that everyone should achieve (see the sidebar called “The Dark Side – Four More Categories of Game Players”). The other problem comes from when players engaging in game commerce activities interfere with day-to-day game play for ordinary players. This can range from monopolizing game resources in order to farm them most efficiently to broadcasting annoying advertising announcements for their services and clogging up the game’s communications channels (see Chapter 21). The biggest problem with game commerce is that it is lucrative. Some estimates place total gold farming revenues at over $1 billion worldwide3. Unfortunately, this kind of money creates problems both within the industry and outside it. There have been a number of cases of employees using their access to online games to fraudulently create virtual items for sale. There is also the growing problem with online criminals targeting MMOs because of the ability to convert stolen account information into cash with little to no risk.

A MUSEMENT P ARK E CONOMICS Many game-commerce problems are due to the simple, abstract economic systems that are found in many online games. Though these systems are called “economies,” they are really amusement parks. There is no supply and demand. Players “ring the bell and win a prize!” In some sense, problems arise because the games do not fully embrace their amusement park “nature”: assets can’t be stolen, but they can be bound to the player who picks them up; resources don’t have weight or size, but players have limited inventories; players can teleport or fly around quickly, but can’t take their characters to another game server or shard; the games are supposed to be “fun,” yet are designed around a treadmill or “grind” to force players to forever accumulate resources and repair “worn” items. In some sense, these game’s economies are not really meant to be played for fun. Rather, they act as surrogates for the long lines and height restrictions that one finds in a traditional amusement park. After all, what is the requirement to accumulate resources but a way to delay players from entering “high-value” instances or dungeons? And what are level restrictions, but ways to limit when a player can access certain adventures? For many players, game commerce gives them a way to “cut to the front of the line” and “grow a couple of inches” so they can ride the roller coasters instead of being stuck on the kid’s rides.

Chapter 22 Game Commerce

227

By this measure, gold farming, power-leveling, and the other forms of game commerce are symptoms of game design failures. After all, gold buyers and other game commerce consumers are giving money to someone else instead of the game operator in order to have the entertainment experience that they desire.

A LTERNATIVE M ODELS For a long time, the dominant business model for the online game industry has been “purchase and subscribe,” whereby a player would buy a shrink-wrapped game box and pay a monthly subscription to play. (It should be noted that before Internet Service Providers (ISPs) moved to flat monthly fees, many games and ISPs had a metered service where players paid by the hour or minute.) World of Warcraft, Lord of the Rings, and most other “major,” traditional MMOs follow this model with a standard retail price of around $50 for the game box and between $10 and $15 for a month’s subscription. A number of companies have tried variants of this basic model. The most familiar alternative is to provide the game as a free download with a monthly subscription, as found in EVE Online and some of the older, larger Asian MMOs. Conversely, ArenaNet’s Guild Wars is purchased, like a standard game, but there is no fee to play online. No one else has really adopted this model for a persistent world game even though it was very successfully pioneered by Blizzard’s Battle.Net for the Starcraft, Warcraft, and Diablo games. A free online service combined with a purchased game is found routinely with first person shooters and real-time strategy games. However, for these games, the online service is often little more than a lobby. Also, publishers have been quite willing to shut down the online service, almost on a whim. Subscription games with a persistent world or economy are the primary victim of game commerce problems. Over the past several years, the “free-to-play” (F2P) model has rapidly emerged. This business model is usually based on a game that requires no subscription to play, but collects revenue by the sale of individual virtual assets (the virtual currency is purchased in a number of ways, such as credit cards, debit cards, phone-based payments, wire transfers, or pre-paid cards). The F2P business model grew popular in Asia with the tremendous success of games like Nexon’s KartRider, MapleStory, and Audition. Recently, the F2P model has grown in Western markets because of the popularity of Asian games as well as the development of original game titles such as EA’s Battlefield Heroes.

228

Protecting Games: A Security Handbook for Game Developers and Publishers

Interestingly, some of the earliest adapters of the F2P were US-based text MUDs, such as Iron Realms’ Achaea, which launched with virtual currency purchases in 1997 and had its first virtual item auction in 19984. Iron Realms uses a dual currency system with one currency based on time in-game and the other based on direct purchases. The only type of trading that this system allows is between the game’s two currencies5. It should be noted that some games earn revenue from advertising or other marketing activities like surveys which are, in turn, linked to virtual item purchases. There are seemingly endless variations on these models. Jagex’s RuneScape is free-to-play, but has a low-cost monthly subscription option that gives a number of advantages ($5.95 per month)—a strategy that is also used in Disney’s Club Penguin. Linden Lab’s Second Life’s primary revenue comes from selling virtual items and renting virtual real estate. Many F2P games still include an actual ingame economy just like the subscription games discussed here and are vulnerable to the same sorts of game commerce problems for this portion of their business. Finally, there is the “broker” model—where an online game earns funds by brokering transactions between buyers and sellers of virtual goods and earns a transaction processing fee. Linden Lab earns some money from this model and IMVU does as well. In some sense, Apple’s App Store and iTunes use this same strategy. The challenge for the broker model is that the transaction processing margins need to be relatively large to handle any payment problems that occur, such as charge backs (see Chapters 27 and 28 on money and payment security issues) and bandwidth for large digital items. For Apple’s App Store, the company takes 30 percent of the transaction6.

O N V IRTUAL I TEMS Who owns your virtual assets? The game developer or operator? The player? This question has vexed the online game and virtual world industries from the days of MUDs. The general perspective of most developers is that the company owns all of the assets and that the player is simply renting access to them—much as they would a subscription to HBO. The assets and characters are non-transferable, have no intrinsic economic value, and can be altered or removed at the whim of the developer (as can the player).

Chapter 22 Game Commerce

229

There are excellent reasons for this. Game developers have been reluctant to invest in the effort needed to build highly robust, transactional, and reliable systems to store virtual asset information. Online games are in a constant state of flux and so the developers are also concerned that any alterations to the value of virtual assets (nerfing) might incur a liability for the company because players had already “invested” in those assets. Other questions include addressing what happens when the game comes to an end and issues related to gambling arise, as many online games include a chance element (see Chapter 31). Others, most notably Raph Koster7 and Erik Bethke, have argued for what many call an “Avatar’s Bill of Rights” 8. Tony Walsh has argued for further “rights” related to data9. The term “avatar” is more than a bit misleading. They are really arguing more about the rights of players in online games and virtual worlds. They make many excellent suggestions from a best practices perspective and many of the issues that they raise are far beyond the scope of this book. A couple of issues that are relevant include the ownership of virtual assets and avatars and the rights of players in relation to banning and punishment (see Chapter 23). The essential insight highlighted by the “Avatar Rights” movement is that players ascribe substantial value to their game characters and virtual assets. The willful denial of this fact has facilitated the growth of gold farming and criminals who target online games, in some sense. Because developers don’t consider the value that players put in their virtual “stuff,” customer service is often not responsive to player complaints about lost items. Also, the game systems are not built to easily log, track, remove, and restore these items in case of loss or theft. In some sense, this is ironic—the same game companies that argue vigorously that the virtual items have no value, at the same time are extraordinarily reluctant to restore players’ characters or virtual items after alleged theft. The argument is typically made that the players are abusing the system by allowing their items to be stolen (or, actually, selling them) and then making a complaint to the game operator. If the items have no value, restore them. However, this is not a matter of rights; it is a matter of good business. Bethke proposes a “Better EULA” 10, not some sort of formal and universal declaration of rights. The real key to this issue for online game businesses is to maximize their revenues and minimize their costs. The extent to which expanded ownership of virtual items by players increases the popularity of a game or the revenues earned from each player is the extent to which online developers should extend rights and control of virtual items.

230

Protecting Games: A Security Handbook for Game Developers and Publishers

G OLD F ARMING Gold farming is almost certainly the most serious game commerce problem for most online games. After all, gold farmers are playing the game for money and are therefore much more highly motivated than ordinary players playing for fun. From a game-play perspective, these players are not (usually) cheating; they are simply playing the game the wrong way (gold farmers are almost always violating the game’s terms of service, but not exploiting or breaking the game play mechanics). The major irritations that gold farmers cause for other players include: Resource Monopolization—Gold farmers ruthlessly optimize their game play and actively seek out the highest-value activities and items in the game. After all, these items are worth the most to the less-motivated players, who are the farmers’ customers. Anti-Social Behavior—Generally, gold farmers have no time or interest in communicating with other players. They are playing to make money. Interestingly, the growing practice of using “instances” (a portion of the virtual world that is only available to an active group of players, like the people riding on the same roller-coaster car) could help minimize this problem by allowing gold farmers to self-segregate and no longer annoy other players. Aggressive Marketing—The best place to sell items is when and where people use them. Gold farmers are very creative in flooding available communications channels with their sales pitches. It would be interesting to see the effect on gold farmer marketing of separating game play from “inventory adjustments.” ArenaNet’s Guild Wars has a limited number of skill slots that are set at the beginning of a play session and the game is highly instanced. This may reduce the value of intrusive marketing. Some games have restricted communications to “shouting distance”—a more realistic option, but many do support the ability to broadcast messages, which definitely amplifies this problem. Most of the countermeasures today are targeted towards the gold farmers, not their customers. One could make an analogy to the proven futility of this approach as seen in the “war on drugs.” After all, if there are no customers, there will be no gold farmers. The main objections to gold buyers are: Unearned Rewards—Players who buy virtual currencies, items, or characters are perceived to not have “earned” them. In some sense, this is a problem for Achievers and Explorers who view accomplishment in the game in terms of their acquired assets and knowledge.

Chapter 22 Game Commerce

231

Incompetent Play—Players who buy items or characters have not experienced the portions of the game that allowed them to know how to use the items or characters and are thus unable to play at the same level as traditional players. This is one of the main arguments against power-leveling, discussed later in this chapter. Gold farming’s main impact is on customer service and retention. If players are unhappy and complain, it costs the game operator money for additional customer support and if players are sufficiently angry with the gold farmers and quit playing, there is a serious problem. Interestingly, Sony set up the Station Exchange in late 2005 to legitimize these real-money transactions between players and bring them in-house. Sony found that this change reduced their customer service call minutes related to virtual item trading from 40 percent to 10 percent11. The reduction in customer service expense was probably substantially more valuable than the almost $275,000 that Sony earned in sales commissions during the first year of the service. Unfortunately for game companies, players will call and complain about problems with their virtual item trading—whether the transactions are permitted by the game or not. The general challenge for game developers is that the value they put on fighting gold farming and other game commerce activities is far less than the value that gold farmers put on their own business. From the perspective of the game developer, gold farming is a customer service problem. Blizzard, the developer and operator of World of Warcraft, claims to have spent only $200 million in upkeep since the game launched in 200412 or just $50 million on average in each of the last four years. As the most popular game in the world during this period, World of Warcraft is likely responsible for a majority of the estimated $1 billion in gold farming revenues per year. The huge disparity between $50 million for total annual operations (including everything from customer support to technical support, hardware, and bandwidth) and any significant fraction of $1 billion clearly shows the huge resource disadvantage of any game developer compared to the gold farmers. Gold farmers will use anything and everything to support their business. If the game allows free or introductory accounts to recruit new players, the gold farmers will use them as “mules” to pick up, transport, and store collected items and virtual currency so that the real farming accounts are less visible to the game. Gold farmers will also use these free accounts to broadcast marketing messages until the accounts are banned. After all, if the account is free, there is no real cost for the gold farmer... a topic that will be of particular importance when I discuss gold frauders, later in this chapter.

232

Protecting Games: A Security Handbook for Game Developers and Publishers

All hope is not lost. There are countermeasures that can be taken to help control or stop gold farming and other forms of game commerce. Many of the techniques are used by game companies already. Some may change the game-play experience in an unacceptable way and a number are far from perfect. Hopefully, however, they will give game developers some additional tools to add to your anti-gold farming arsenal: Eliminate Character and Item Exchange—This is the “nuclear” option. The problem is that players really like to be able to exchange game items and currency. Eliminating the exchange of characters or accounts is very difficult, as it is problematic to implement and enforce a strong, effective identity system (see Chapter 29 on identity). Soul-Binding—This technique is fairly common. An item is bound to a character once it is found or earned. This is a limited case of the eliminate trading option. Player-Binding—Instead of binding items to a character, simply bind them to a player’s account. This may also encourage players to horde items for later use by additional characters created later, potentially extending their duration as a customer. No Private Exchanges: Internal Open Market—All items (and, potentially, characters) are exchanged via an internal open market like eBay or a stock exchange. Players bid using in-game currency for the items. The lack of private transactions or gifting will force all gold farming transactions to devolve into power-leveling, a much more limited business. Gold Farmer Targeting—Instead of banning gold farmers, griefers, or other game system abusers, simply turn off any game protections that protect the characters. Make the characters and their items “fair game” for other players. Gold farmers then need to decide whether to start another character, which costs time and therefore money, or deal with the risk of losing their loot to other players during conflict. Also, gold farmers may think that they have closed a legitimate financial transaction and find that the player decides to steal the item from the farmer. This could force gold farmers to use high-level characters to execute or monitor transactions, making their business more costly. Loot Detection—Large concentrations of game currency or items could be detectable via a spell or skill, making gold farmer treasure stores or players targets. This could be used in conjunction with gold farmer targeting. Pure Barter Economy—The lack of a standard in-game currency will force gold farmers to spread their efforts over the entire range of game items. This also makes the game economy more dynamic and vulnerable to legitimate player manipulation.

Chapter 22 Game Commerce

233

No Gifting, No Dropping—The ability to give an item to another player is the primary mechanism for gold farmers to complete their transactions. Jagex implemented a variation on this system for RuneScape that stopped “unbalanced trading,” whereby players were using the game’s trading mechanism as a “covert gifting channel” by trading items of vastly unequal value13. They also restricted the ability of a player to drop items so that others could retrieve it. Leveling Premium—Power-leveling is particularly difficult to stop, as discussed later in this chapter. Players can always find ways to exchange account information. Instead, make it really inexpensive for players to buy their way up to a higher level. Charge a nominal amount per month for a higher-level character: add $.10 per level. So, to start at level 2, the game subscription would be only ten cents higher, but to start at level 50 would add $5.00 per month. Buy Everything: Pure Free-to-Play—If you want an item, you have to buy it with real currency. This is the purest form of the “free-to-play” business model discussed previously. Again, power-leveling is the only remaining game commerce concern. Dual Currencies—Support a time-based currency, based on game play and in-game activities, and a money-based currency. Allow players to trade between the two via a blind, open auction. This is the method pioneered by Iron Realms5. Item Exchange Aging—Items “decay” the more often they are traded. This reduces the in-game economic value of farmed items. It also creates a dilemma for a gold farmer: The fewer trades, the more valuable an item is. However, the fewer trades, the easier it is for game developers to back-track item exchanges and detect the gold farmers. The decay process can affect the item’s performance or simply consume the item. Once an item has been exchanged (for example) three times, it simply disappears. Badging: Pure Experience-Based Play—Players gain the ability to use items based on completing different quests, dungeons, or other in-game achievements, not based upon finding the items or accumulating currency. More complicated variations can require multiple badges to use certain items with the ability to mix and match badges to configure a character as the player wishes. The only currencies in such a game are time and effort. Real Game Economy/Corrupt Game Commerce—Having a rich economic system with extensive trading and market manipulation options will allow regular players to engage in economic warfare. If items have weight and size and there is no teleportation and player versus player conflict is allowed, gold farmers face risk and competition from regular players. Many abstractions of a game’s economy and game play mechanisms to make game play “safer” also make gold farming much easier.

234

Protecting Games: A Security Handbook for Game Developers and Publishers

Merchant Account—Have players pay a premium for a legitimate merchant account that allows in-game trading and gifting. These accounts would have additional features to support some level of transaction transparency. The game operator would not become involved in the transaction, but might provide a simple rating system. Conquer Online announced such an option in April 200814. Gift Tagging—Permanently mark items and currency as having been exchanged or traded. There may be a humiliation factor associated with having such items visible to other players in your inventory. The Purist Badge—Create a player badge for players who have never accepted (or, optionally, given) gifts. Every player starts with this badge until they lose it by participating in a transaction. Conversely, players who have given or received items could be given a “trader” badge. Virtual Item Honeypots—This is a dangerous tactic. Consult an attorney. Game operators seed third-party sites that support gold farming transactions with items for sale and then ban the customers after a period of time if they’ve made a several purchases. This may also create a lot of ill will with your customers. Obviously, the game company could make a fair amount of money this way. Frictionless Player Transactions—Fully support inter-player transactions, but only for purchasing additional game currency (for free-to-play games) or additional subscription time. This keeps money in the game operator’s system and basically allows players to play an economic game whereby they have an advantage over gold farmers, because the transactions should be much more efficient as there is no risk. The game company will reduce its regular revenues as players convert game assets into subscription time or currency. Penalize Gold Buyers—Instead of targeting gold farmers, target gold buyers. However, instead of banning the players, fine them enough so that they will have lost more than if they didn’t buy gold. Reset their account to a check point prior to the transaction. If a player buys 200 gold from a gold farmer, fine the player 400 gold. There is no need to correlate the time of the punishment with the crime. This means that once a gold farmer account is identified, it can be used to target gold buyers; and the gold farmer won’t know that their account has been compromised. Slow Trade—Once an item has been traded, it cannot be traded or transferred again for some period of time. This can be helpful in detecting account looting by online thieves. Also, it slows down the gold farming pipeline, if there are multiple transfers between players’ characters.

Chapter 22 Game Commerce

235

Usage Limitation—China and some other countries have instituted usage limitations where players are allowed to play only for a couple of hours. If they play longer, they will earn reduced experience and rewards. After five hours, they will earn no experience or gold15. This effectively turns games back into a metered play system which will substantially increase costs for gold farmers, while having little practical impact on regular players. If a game’s usage limit is set at five hours, costs are increased more than a factor of five (as the reduced experience after two hours could potentially drive a gold farmer to need 12 accounts to provide 24-hour coverage at full experience). Deep Logging and Analysis—Fully track the history of each individual item from the time it is created until it is destroyed. Track the transactions that move the item from the game system to a game creature or spawn point or quest through each and every character that has involvement with the item. Even helping kill the monster that drops an item without picking up the item would result in a logged event. This should help identify all of the accounts involved in gold farming, even indirectly, as well as help isolate exploits and other game problems. Good logging is not useful without corresponding analysis tools. Virtual Salary—Give players the option of earning a virtual salary through time of play, level, or even direct additional subscription payments. This would allow players who don’t have as much time to play to bypass “the grind” without resorting to buying from gold farmers. This is essentially an alternative way of presenting the free-to-play model to players. Delayed Banning—Valve Software has long instituted a delay in the time between when a player has been caught cheating and when they are banned16. Recently, Blizzard has used the same strategy for World of Warcraft 17. The advantage of this approach is that it makes it much more difficult for a game cheater or gold farmer to isolate the method used to detect their activities. Booster Decks/Personal Treasure Chests—Instead of selling specific items, sell packages of randomly allocated items or have them dropped as treasure. Then allow players to buy and sell the items via an in-game service and let the players set the prices (see the section called “Potential Solutions,” later in this chapter). Identity Tokens/Improved Authentication/Strong Identity—A strong identity system creates improved accountability. Recently, Blizzard added support for a low-cost identity token ($6.95 each) for players of World of Warcraft 18. This will certainly help reduce fraud by online criminals and make it much more difficult for players to assert that their accounts have been stolen. Such a scheme probably has more benefit for the company than the players.

236

Protecting Games: A Security Handbook for Game Developers and Publishers

These measures do not have to be used in isolation. In fact, many will work better when combined. Specific game designs and the preferences of the developers may make several of these solutions impractical. However, it is possible that the unique character of a game may also allow other anti-gold farming measures that fit particularly well with the game’s specific environment.

G OLD F RAUDERS , O NLINE T HIEVES ,

AND

I NSIDERS

In early 2008, it appears that there was a turning point in the battle between game operators and gold farmers. It seems that the game operators’ efforts in 2007 to suppress gold farmers were succeeding. However, instead of driving gold farmers out of the industry, gold farmers changed their way of doing business—and really began to hurt the game operators: I think the issue of farming is higher on the radar now than it ever has been. The behind-the-scenes things are really frustrating. A lot of these farmers are essentially stealing from us. What they do is they charge us back all the time. They use a credit card—sometimes stolen, sometimes not—to buy an account key. They use the account for a month, and then they call the credit card company and charge it back. We have suffered nearly a million dollars just in fines over the past six months; it’s getting extremely expensive for us. What’s happening is that when they do this all the time, the credit card companies come back to us and say “You have a higher than normal chargeback rate, therefore we’ll charge you fines on top of that.” We’re really trying to get on top of that. We’re taking our current efforts up about five notches to Defcon 1 on this issue. They bug us even more than they bug our customers, and we’re definitely taking steps to implement rigorous anti-farming efforts. It’s actually really amazing to sit and watch these people work. I’ve personally sat with [our customer service team] as they’re tracking a farmer, and you’ll see a mob spawn—this [the gold farmer’s] got a bot that within half a second [and] has them moving towards the creature even if it’s halfway across the zone. It’s a serious problem. —John Smedley, CEO, Sony Online Entertainment [emphasis added] 19 Gold farmers no longer buy the game and pay their subscriptions until they are banned; they now are using stolen credit cards or legitimate cards and charging back their purchases. After all, this substantially reduced their costs, particularly as the game companies became more effective in their banning efforts.

Chapter 22 Game Commerce

237

“We’re seeing a lot of stolen credit cards. Say you buy gold from a service in China—you may not know it’s in China, but you give them your credit card and buy gold only once. They use these credit card numbers to set up new accounts in these games. They buy an EverQuest account key, farm for a month, and then charge it back to the stolen credit card.” —John Smedley, CEO, Sony Online Entertainment 20 It is unusual and notable for anyone at any company to speak out on security issues, especially when they are costing the company, and Mr. Smedley should be commended. And the problem is not limited to Sony. Halifax bank in the UK decided to stop accepting payments for World of Warcraft because of rising levels of fraud21. Although gold farmers pay their employees a low, but living, wage of as little as $142 per month22, the cost of a game ($50) and subscription ($10 to $15 per month) can be a major cost factor if an account is banned regularly. Of course, things don’t end there. Why even bother gold farming? A gold frauder could use a stolen credit card to buy gold from a player or gold farmers, and then turn around and sell it. Online criminals are getting into the game as well. The value of a stolen World of Warcraft account is $10, whereas stolen credit card account information goes for only $6 according to researchers from Symantec23. Hackers seeded 10,000 web pages with malicious code to steal game passwords24 and even created a web ad slipped onto some World of Warcraft community sites that required visitors to simply roll over the ad to install a Trojan on their computer that stole their account information25. EVE Online had a similar problem with a website involved in real money trading26. Viruses that target online games are now routinely in the “Top 5” list of threats from anti-virus vendors. Account theft and looting is not solely the providence of organized criminals. Players sometimes share account information and those “friends” sometimes take advantage and loot the account27. The final, quite serious, problem that game developers face is with corrupt employees. Insiders have access to the game’s systems and data and can manipulate it to their advantage. In 2006, three employees of Shanda Interactive, including a vice president, were caught duplicating and selling very rare weapons28. This made it very easy to detect their crime. If they had duplicated more common, but valuable, items like game currency, it is a fair question as to whether they would have ever been caught. It is possible for a hacker to attack the game from the outside (see Chapter 32), but, unfortunately, employees are the biggest threat. Online games offer a lucrative target with little to no legal risk. What prosecutor is going to try to argue about the value of virtual items when the game companies’ themselves don’t consider the transactions legitimate?

238

Protecting Games: A Security Handbook for Game Developers and Publishers

Even if game companies do not value virtual items, they are going to need to take virtual item theft seriously. At a minimum, they need to be able to track virtual items and transactions in great detail to be able to undo virtual theft from a customer service perspective. Several of the other techniques listed previously, such as slow trading, can also help minimize the effect of virtual theft. In Asia, some game companies have moved to using cell phones as authentication tokens (by implementing a challenge/response system) as well as for payments. This could be extended to verifying virtual item transfers. Cell phones generally also have an advantage, as they provide reasonably good identification information about their owners.

P OTENTIAL S OLUTIONS The gold farming problem is a serious customer service problem and gold frauding is shaping up to be a real threat to the game industry. There are options. Pure free-toplay games, where players can purchase every item in the game, are much less appealing to gold farmers and frauders. There is still risk that someone can steal an account, but without a market for individual items, it is much easier to restore an account without tracking item trades because this only requires changing a password. Another approach without trading is to move to a pure “badge” system, as mentioned previously. In many online games, currency is really an afterthought and the games’ economic systems are tacked on to core systems tied to experience and adventuring. Rewarding players for their adventuring prowess with badges or achievements is quite natural. These badges can then be used as the currency to “buy” various items. Developers can allow players to earn multiple copies of the same badge by repeating an adventure; they can also make items freely convertible between an item and its constituent badges, and even have multiple combinations of badges that can yield a given item. One system that supports trading and gifting, but has not been plagued by gold farming, is the virtual Collectible Card Game, Magic Online, and other games of its ilk. Magic: The Gathering is one of the most significant games in recent memory. Both the face-to-face and online versions are sold via basic game decks and booster decks. These decks contain random sets of the game’s various cards, but are all sold at certain fixed prices. Players set their own value for the items. The game company does not. The company does, however, collect a percentage of any exchanges of cards between players. This approach allows a game operator to profit from real money transactions without many of the risks. To date, developers have only used this method with cards (real or virtual), but there is no reason to restrict the system in this manner. A game could easily issue treasure chests as its only reward with truly random items to be found in each. Each treasure chest would be the equivalent of a booster deck and so the only design

Chapter 22 Game Commerce

239

variable would be how the treasure chests were issued or earned or purchased. From a design-management perspective, the game developers simply have to concern themselves with the rate at which players can earn treasure chests in the game and make these rewards fairly uniform to eliminate efficient “runs” for gold farmers.

P OWER -L EVELING Power-leveling sounds more exciting than it is. It is also a problem that is very difficult to stop. There are two basic types of power-leveling. A power-leveling individual or company plays the game legitimately to build up a character until it is considered valuable. These firms can also boost a player’s status—players have even paid to boost their achievements on Xbox Live $300 for 3,000 gamer points29. The power-levelers then sell the character. Individual players will sometimes also sell their characters or accounts when they are bored with the game. The other scenario is when a player hires a power-leveling firm to develop a character to spec. This involves outsourcing the game play to the power-leveler so that the purchasing players don’t have to take the time (or, some would argue, develop the skill) needed to create the characters they want. The reason that power-leveling is so difficult to fight is that it only requires the exchange of a user name and password to implement. Although this is most often associated with MMOs, it can occur in any game—a woman arranged to have another player replace her in an online poker tournament at PokerStars. The surrogate player won, but the company refused to pay the $1.2 million prize because only the designated account holder is supposed to play in a tournament30. Strong identity systems can be an effective deterrent to power-leveling, but they may create a cost and convenience barrier for games seeking to be widely accessible to potential customers. It is also possible to identify potential powerleveling by using IP address tracking and monitoring individual instances of the game. This approach is less effective in Asian markets and other locations where players play in Internet cafes. Also, a motivated power-leveling firm (and foolish customer) could use remote control software to operate the game client from the customer’s own computer. Conceptually, a game that requires a credit card would be more secure if the player was able to purchase other (expensive) items using the game account, since a person (hopefully) would be reluctant to share such information. This seems like a bad idea, in practice. There are more serious problems associated with power-leveling. Because power-levelers have access to the players’ accounts, they could break back into an account after they have finished leveling up the player’s character and loot it, use it to market gold farming until it is banned, or otherwise take advantage of the users.

240

Protecting Games: A Security Handbook for Game Developers and Publishers

For example, in a free-to-play game, power-levelers could purchase additional virtual items using any credits the player has in her account and transfer the items out while the player is not logged in. (Humorous Hypothesis: Is the definition of an ethical power-leveling firm one that reminds a player to change her password once they have completed their service?)

E SCORT S ERVICES , S UBLETTING ,

AND

V IRTUAL P ROSTITUTION

This final grab bag of game commerce activities are virtually impossible to detect or control. They all entail players’ intent as opposed to their behavior within the game. Escort services are a more expensive and limited version of power-leveling. Players hire other players to play along with them to be more successful more quickly. Cybersex is often a part of online games. Even a benign kid-friendly game like Habbo Hotel has had difficulties with virtual prostitution where players have engaged in cybersex to earn the game’s currency, furniture31. More disturbing still was the potential involvement of a minor providing virtual sexual favors for real money, allegedly $50 per “encounter,” in The Sims Online32. The legal implications for any game operator are quite serious (see Chapter 30 on protecting kids). Finally, when it seems like you’ve seen every permutation of game commerce tactics, a game player was recently solicited to “timeshare” her online game account. Basically, because her character was already at level 60 in World of Warcraft, the gold farmer was willing to power-level her for free to level 70... an idea that opens up all of the risks of power-leveling33 with the promise of easy money. One can only imagine how many people would be duped by such a service.

S UMMARY Generally speaking, game commerce activities are considered a serious customer service problem at minimum and, with the rise of gold frauding, a potentially serious threat to the online game industry. However, game commerce has one interesting security advantage—it ties players to the legitimate game service, making server piracy much less appealing. The growth of the free-to-play business model does have an impact on gold farming, as the game operator can essentially undermine any secondary market in game items and currency if she wishes. There has been an interesting move by game companies to take advantage of the revenues associated with game commerce. Game companies who consider this route should carefully consider the potential for their game being considered an illegal casino.

Chapter 22 Game Commerce

241

I am personally concerned that the move to partner with third-party companies that provide these secondary market services is quite risky. These legitimate firms can always be undercut by unauthorized transaction services and gold farming operations while the business itself is fraught with high rates of fraud and charge backs. Although the total transaction volumes associated with game commerce may be large, the fees for processing the transactions are hard to protect in the face of unofficial competitors and the fees required for payment processing. The problem of gold frauders and other criminal activity directly targeted at online games does need to be taken seriously. Game companies need to put in place mechanisms to make their games a much tougher target—whatever their view of the value of virtual goods. Although earning $275,000 over a year in virtual sales commissions is nice, the impact of $1 million in charge-back fees in just six months combined with increased processing fees, longer payment hold times, and potential cancellation of service is costly. Some will argue for stronger user education; however, at the end of the day, the game company is the one at risk. These risks may be the real engine that drives changes to the underlying business models and practices used in online games. The “facts on the ground” are that players consider game assets to have real value and courts are beginning to uphold this position. Avoiding the issue opens up criminal opportunities and may not provide the companies with the liability protection that they have asserted.

R EFERENCES 1. R. Bartle (1996), “Hearts, Clubs, Diamonds, Spades: Players Who Suit MUDs,” http://www.mud.co.uk/richard/hcds.htm 2. N. Yee (2005), “Buying Gold,” http://www.nickyee.com/daedalus/archives/001469.php 3. R. Heeks (2008), “Current Analysis and Future Research Agenda on “Gold Farming”: Real-World Production in Developing Countries for the Virtual Economies of Online Games,” http://www.sed.manchester.ac.uk/idpm/research/publications/wp/di/di_wp32.htm 4. S. Davis (2007), “The World of Text MMOs/MUDs: An Interview with Matt Mihaly, CEO of Iron Realms Entertainment,” http://www.playnoevil.com/serendipity/index.php?/archives/765-The-World-oftext-MMOs-MUDs-An-Interview-with-Matt-Mihaly,-CEO-of-Iron-Realms-Entertainment.html 5. M. Mihaly (2008), “Using Dual Currency Systems Is the Best Way to Sell Virtual Goods,” http://lsvp.wordpress.com/2008/02/06/using-dual-currency-systems-is-the-best-way-to-sell-virtual-goods/ 6. Apple (2008),”iPhone Developer Program,” http://developer.apple.com/iphone/program/distribute.html 7. R. Koster (2000), “Declaring the Rights of Players,” http://www.raphkoster.com/gaming/playerrights.shtml 8. M. Zenke (2008), “AGDC08: On Avatar Rights and Virtual Property,” http://www.massively.com/2008/09/15/agdc08-on-avatar-rights-and-virtual-property/ 9. T. Walsh (2006), “‘Data Bill of Rights’ vs. ‘Avatar Bill of Rights’,” http://www.secretlair.com/index.php?/clickableculture/entry/data_bill_of_rights_vs_avatar_bill_of_rights/ 10. E. Bethke (2008), “Better EULA,” http://www.bettereula.com/index.php?title=Main_Page

242

Protecting Games: A Security Handbook for Game Developers and Publishers

11. D. Terdiman (2007), “Real-World Success with Virtual Goods,” http://news.cnet.com/Real-world-success-with-virtual-goods/2100-1043_3-6156925.html?tag=st.num 12. K. Pigna (2008), “‘World of Warcraft’ Costs Just $200 Million,” http://news.yahoo.com/s/zd/20080916/tc_zd/232075 13. Jagex (2007), “Trade and Drop Changes,” http://news.runescape.com/p=kKmok3kJqOeN6D3mDd ihco3oPeYN2KFy6W5vZUbNA/newsitem.ws?id=1007 14. K. Cross (2008), “Recent Headlines for Conquer Online: New Security Features,” http://www.mmorpg.com/gamelist.cfm?loadnews=10547&bhcp=1 15. Shanghai Daily (2005), “Online Games Set Time Limits Against Addiction,” http://english.hanban.edu.cn/english/Life/146200.htm 16. Wikipedia (2008), “Valve Anti-Cheat,” http://en.wikipedia.org/wiki/Valve_Anti-Cheat 17. B. Holloway (2008), “Blizzard’s Gold Farmer Bans Send World Economy into Tailspin,” http://www.massively.com/2008/07/05/blizzards-gold-farmer-bans-sends-world-economy-into-tailspin/ 18. Blizzard (2008), “Blizzard Authenticator FAQ,” http://us.blizzard.com/support/article.xml?articleId=24660&rhtml=true 19. M. Zenke (2008), “A CES Interview with SOE CEO John Smedley (pt. 2),” http://www.massively.com/2008/01/14/a-ces-interview-with-soe-ceo-john-smedley-pt-2/ 20. L. Alexander (2008), “Q&A: SOE, Live Gamer Reveal ‘Live Gamer Exchange’ Service,” http://www.gamasutra.com/php-bin/news_index.php?story=17268 21. J. Leyden (2008), “UK Bank Blames Fraudsters for World of Warcraft Ban,” http://www.theregister.co.uk/2008/02/15/halifax_blizzard_block/ 22. R. Heeks (2008), “Current Analysis and Future Research Agenda on “Gold Farming”: Real-World Production in Developing Countries for the Virtual Economies of Online Games,” http://www.sed.manchester.ac.uk/idpm/research/publications/wp/di/di_wp32.htm 23. BBC (2007), “Cursor Hackers Target WoW Players,” http://news.bbc.co.uk/1/hi/technology/6526851.stm 24. R. McMillan (2007), “10,000 Web Pages Infected by Password Hack,” 25. E. Cavalli (2008),”Trojan Attack Targets WoW’s Info Sites,” http://blog.wired.com/games/2008/03/trojan-attack-t.html 26. J. Egan (2008), “EVE Online Currency Sellers Rip Off Players (Shocker),” http://www.massively.com/2008/07/24/eve-online-currency-sellers-rip-off-players-shocker/ 27. C. Kagotani (2005), “Japan: MMOG Crime Rising,” http://www.edge-online.com/news/japan-mmog-crime-rising 28. A. Xu (3006), “Three Men Tried for Selling Online Game Weapons,” via http://www.playnoevil.com/serendipity/index.php?/archives/763-Insider-Virtual-Asset-Crime-inShandas-Legend-of-Mir-2-IMPORTANT.html 29. V. Cole (2006), “$300 for 3,000 XBL Gamer Points?!,” http://www.joystiq.com/2006/10/03/300-for-3-000-xbl-gamer-points/ 30. A. Darbyshire (2008), “Woman Withdraws Claim to $1.2m PokerStars Winnings,” http://www.iomtoday.co.im/news/Woman-withdraws-claim-to-12m.4382619.jp 31. BBC (2002), “Furniture Strumpets and Debit Card Toilets,” http://www.bbc.co.uk/dna/h2g2/alabaster/A680014 32. P. Ludlow (2003), “Evangeline: Interview with a Child Cyber-Prostitute in TSO,” http://www.secondlifeherald.com/slh/2003/12/evangeline_inte.html 33. T. Baribeau (2008), “Hit Monsters and Get the Gold,” http://www.cuppycake.org/?p=415

23

To Ban or Not To Ban? Punishing Wayward Players

o ban or not to ban, that is the question. In order to maintain order in an online game, virtual world, or social network, it is necessary to do something about troublesome participants. Usually. There is a huge temptation to consider player behavior in light of some notion of civil behavior, just as game companies often view piracy.

T

But game companies are not governments; their goal is to maximize revenues and keep their customers satisfied, not mete out “justice.” There are a number of different areas to consider player punishments. Theft of service via piracy is very different than griefing or cheating. As discussed in Chapter 22, the costs associated with gold farming and game commerce come from customer service issues until the gold farmers transform into gold frauders and online thieves.

C RIME , C REDIBILITY ,

AND

P UNISHMENT

For punishment to be effective, it must be credible. One of the biggest challenges for online games is that it is very hard to make punishments stick. Banning is, in some sense, the least credible form of punishment because identity is so weak in online games (see Chapter 29 on identity). In some sense, player punishments should be ABB—Anything But Banning. After all, what is really being banned is a specific account or identity, not the actual person. In an online environment, the real goal of most punishments is to deter problem behavior, not drive away customers or, in some sense worse, encourage them to create alternative identities. The other danger of driving away players is that at some point their population grows to a size to support a viable “black market service” that can compete with the game operator’s legitimate service. The larger the population of banned or otherwise disaffected players, the larger the potential

243

244

Protecting Games: A Security Handbook for Game Developers and Publishers

customers for a guerrilla, competing service. (There is, of course, the obvious scenario where these players migrate to another online service and help boost its population so that it will grow faster than the banning service.) The other question that has to be addressed is whether the right person is being punished. As noted, for virtually all games, an account or identity is being punished, not an actual person. Console games can use both a player account for punishment as well as the ID of the console, itself. If the account is used for punishment, it may be easy for a player to set up another one using a new credit card or other payment method for authorization. If the console ID is used, there is some question that the player actually owns the console and then there are a number of issues related to the transfer or sale of a console to another person. Finally, there is the question as to whether the punishment fits the crime. Xbox Live took action against players who had boosted their Gamerscores (achievements), most likely via a game save exploit (see Chapter 14). The players had all of their achievements to date removed and any achievements that they had previously earned were made unavailable to the player. In addition, the player’s account was publicly flagged as a “cheater”1. In the future, the player would be able to earn new achievements, but it does not appear that the “cheater” flag could be removed. Although this is almost certainly a clear case of abuse, the question is—how much harm did the player do to the service? There are mostly no prizes or awards for achievements2. The main social power of Xbox Live comes from multi-player gaming, where cheating certainly would be an issue. If anything, this form of cheating would be a great opportunity for a private punishment—letting the players know that they’ve been caught, but not sharing it with others. The cheater’s achievements could be marked “Suspect,” for her eyes only. The player could then be given the opportunity to delete or re-earn the achievement or simply leave the “Suspect” flag in place.

T HE C OST

OF

P UNISHMENT : W HO ’ S B EING P UNISHED ?

Ironically, the richer and more expansive the service, the more costly punishment is for the game provider. Wide-ranging services like Steam and Xbox Live are true “long tail” revenue generators. An Xbox subscriber with a Gold account delivers $49.98 in revenue per year for Microsoft3. This is in addition to any game sales, peripheral sales, and downloadable content sales. Given that many game troublemakers are also highly motivated customers, the annual cost of a banned player could literally be hundreds of dollars. After all, if a player is banned, she is not likely to buy any more games or anything else from the banning company. This also is true for Steam, even though it doesn’t charge a subscription. If banning is effective, a player is highly unlikely to buy additional games

Chapter 23 To Ban or Not To Ban? Punishing Wayward Players

245

The scenario is different when dealing with players who have stolen or pirated goods. Perhaps. If the player is effectively banned, there is no additional revenue that will be earned and, if anything, it may encourage further piracy (see Part II). Another interesting question comes from games with purchased virtual assets or MMOs where players have developed their characters over an extended period of time. Players do feel substantial ownership of these characters and items. Will game companies continue to be allowed to ban players in these circumstances? In China, Shanda Interactive was sued for 11,000 RMB (around $1,600) because the company banned a player. In an earlier case, The9 was forced to restore a banned player’s account and items and even pay court costs4. China has been at the forefront of cases legitimizing ownership of virtual items in games. Most game companies in the US have tried to avoid addressing this issue in court for fear of establishing precedent. There is real risk that at some point in time, courts will decide that game items have value, which seriously restricts potential punishments (or may require the use of third-party arbitration).

P OSSIBLE P UNISHMENTS

AND

C REDIBLE D ETERRENCE

There are many potential ways to punish wayward players. The goal is really to deter troublesome activity, whether it is piracy or cheating or griefing or hacking, or any other misbehavior. Anything that qualifies as an actual crime should be taken to the authorities. Although there has been a reluctance to pursue individuals for computerrelated crimes, online businesses need to be at the forefront of encouraging the prosecution of these individuals and groups. This also means that game companies should build their games to collect evidence that will be useful in identifying criminals as well as make sure the evidence is of sufficient quality and accuracy that it can be used in court. The industry would do itself a service by educating government and law enforcement about the seriousness of computer crime and encouraging vigorous enforcement. The goal for non-criminal players should be to minimize the punishment as much as possible. It is costly to deal with player complaints from a customer service perspective. This applies to both the victims of the various forms of game abuse as well as the perpetrators. The most important question for the game operator is whether to terminate the player’s service and if this will actually credibly deter the player. There are numerous options that a game operator should consider, including the following:

246

Protecting Games: A Security Handbook for Game Developers and Publishers

Game Termination—Ending a game session to avoid further problems. This can be an issue with tournaments or ranked games, as players will use such mechanisms, as seen in Chapter 20, to manipulate the results of the competition. Kicking—Simply removing an offending player from a game session. This can be done by players as well as by game systems. This can either be handled within the game session or as a first stage for more serious action by the game operator. Personal Blacklist—Giving players the ability to personally “ban” others so that they will no longer be able to play together provides an easy way for players to manage troublesome individuals directly. Reputation Systems—These systems can help flag troublesome players. However, the systems are only as effective as the underlying identity system for the game service and the extent to which players can attack the reputation system itself. Game Termination with Prejudice—Ending a game session and giving the offending player a loss or penalty. Care should be taken so that players cannot use the “with prejudice” system to grief other players. Slow Down—Reducing the rate at which the player can play or benefit from playing the game or games at the game service. Suspension—Denying the player partial or full use of the game or game service. Probation—This option can be used either alone or in conjunction with other penalties as a warning or notification of detected abuse with no specific penalty. Instead, the player is “put on notice” that she has misbehaved and further abusive actions will be dealt with appropriately. Status Penalty—Reducing the player’s status, rank, or achievements in the game service for some time period or even permanently. Account Reset—The most severe version of a status penalty would be to completely reset a player’s account and empty it of all earned status, rank, achievements, and virtual items. Public Humiliation—Marking the player’s account when viewed by other players as an abusive player of the appropriate type. The other option is to have a public list of offenders and their crimes. Virtual Fine—An interesting option, for at least gold buying and even gold farming, is to penalize the account by creating a virtual financial penalty. If a player bought 100 gold, penalize her 300 gold. Real Fine—A player could have her account suspended until some actual payment is made either to the game operator or the offended individual or group. This mechanism may be effective as long as the penalty is such that it is preferable to pay it than to quit or start over.

Chapter 23 To Ban or Not To Ban? Punishing Wayward Players

247

Invisibility—Some game services are very loose communities. In these environments, it may be effective to penalize a player by making her invisible to others for many services, like matchmaking. Such players could initiate contact with others, but as a default they would not be presented for matchmaking or other services that expand social networks. Abuser Grouping/Segregation/Exile—When an online game or social network has identified a player as some type of troublemaker, the system can preferentially or exclusively group the troublemakers together. This is more effective with larger communities, as troublesome players may not notice that they have been isolated from the main population. Full or Partial Banning—Banning probably needs to be more than just a user account. In order for banning to work, the game service must be able to reliably identify the offender. For game consoles and PCs, the ban may extend to the equipment, an IP address or range, a physical address, a credit card number, and so on. Game Company Blacklist—As noted much earlier in the discussion of the rich interaction system (see Chapter 9), the larger and more extensive the system, the more incentive that a player has to participate in it legitimately. When the game operator decides to remove a player, credibility is complemented by range. If a player is at risk of experiencing a serious penalty, far beyond just a single game, she may be less likely to cause trouble. Game Industry Blacklist—The casino industry is somewhat notorious for its blacklist of known cheats. The regular game industry could put a similar service in place to ban real troublemakers from all online gaming. This would require addressing some legal issues, but it may be possible for game companies to collaborate to truly ban certain individuals. Arbitration—Today, game companies are judge, jury, and executioner. However, as games grow and players become more vested in their gaming experience, a player who has been banned or otherwise punished may take legal action to reverse her penalty, as noted in the Chinese virtual property cases. By incorporating an arbitration clause in the game service’s terms of service, game operators may be able to avoid such appeals going to court. An arbitration system by a neutral third party may also minimize customer complaints about player penalties. Trial by Jury—Another option for meting out justice in a game is to use the players themselves as the judicial system. Depending on the nature of the game and the crime, it may be possible to select a random “jury of your peers” to determine guilt and assess penalties. This adds legitimacy to the process and has the added benefit of reducing costs for the game developer.

248

Protecting Games: A Security Handbook for Game Developers and Publishers

This is by no means an exhaustive list of player penalties. Game developers can even integrate penalties into the game experience. For a while, Second Life had a cornfield where players were sent if they got in trouble with Linden Lab administrators5. Even more thematically accurate, the Rome-themed MMO, Roma Victor, used virtual crucifixion for punishment6. The only danger with some of these public, in-game penalties is that certain players are more interested in attention and so these penalties turn into rewards and achievements. Knight Online penalized players who were found using exploits by causing them to suffer double damage from other players and creatures as well as having their character’s level reduced substantially below the level it was when they were caught7.

S UMMARY The most severe punishment that can be meted out against a player is banning his or her account; actually banning a person is almost impossible. There are also very legitimate questions as to whether the game company is actually punishing itself by removing future revenues. Even worse is the potential for an aggrieved player to sue the game company to restore her status or service. Some problems, like gold farming, may not even be amenable to banning as a penalty. A ban may be considered simply part of the cost of doing business. A number of games and social networks refer to dropping the “BanHammer” when they ban a number of participants. This is probably an apt description. Banning is a rather blunt instrument for punishing troublemakers and it might not even deter its targets. Also, the game operator may hit her own “thumb” instead of the intended miscreants. The use of lesser punishments is promising. Gaming is an entertainment industry. The goal is to entertain customers and earn revenue from them. It is certainly important that companies do something to address players’ misbehavior, but the real goal is to keep them (and as many other players as possible) playing.

Chapter 23 To Ban or Not To Ban? Punishing Wayward Players

249

R EFERENCES 1. Microsoft (2008), “Gamerscore Corrections,” http://www.xbox.com/en-US/support/systemuse/xbox360/gamerprofile/gamerscorecheating.htm 2. Johnathan (2008), “The Old Spice Experience Challenge: Earn Achievement Points to Win Fabulous Prizes,” http://news.filefront.com/the-old-spice-experience-challenge-earn-achievement-points-to-winfabulous-prizes/ 3. Microsoft (2008), “Xbox Live Subscription Cards,” http://www.xbox.com/en-US/live/memberships/subscriptioncards.htm 4. S. Fu (2008), “Shanda Gamer Sues for Emotional Damages After Game Account Sealed,” http://www.pacificepoch.com/newsstories?id=130010_0_5_0_M 5. T. Walsh (2006), “Hidden Virtual-World Prison Revealed,” http://www.secretlair.com/index.php?/clickableculture/entry/hidden_virtual_world_prison_revealed/ 6. J. Lees (2006), “Virtual Crucifixion Punishes Bad Behaviour Online,” http://www.joystiq.com/2006/03/23/virtual-crucifixion-punishes-bad-behaviour-online/ 7. MMORPG (2007), “Recent Headlines for Knight Online: Accounts Penalized for Exploits,” http://www.mmorpg.com/gamelist.cfm?bhcp=1&loadnews=7098

This page intentionally left blank

Part

V

The Real World

In this part, you’ll find the following topics: Chapter 24, “Welcome to the Real World” Chapter 25, “Insider Issues: Code Theft, Data Disclosure, and Fraud” Chapter 26, “Partner Problems” Chapter 27, “Money: Real Transactions, Real Risks” Chapter 28, “More Money: Security, Technical, and Legal Issues” Chapter 29, “Identity, Anonymity, and Privacy” Chapter 30, “Protecting Kids from Pedophiles, Stalkers, Cyberbullies, and Marketeers” Chapter 31, “Dancing with Gambling: Skill Games, Contests, Promotions, and Gambling Again” Chapter 32, “Denial of Service, Disasters, Reliability, Availability, and Architecture” Chapter 33, “Scams and Law Enforcement” Chapter 34, “Operations, Incidents, and Incident Response” Chapter 35, “Terrorists” Chapter 36, “Practical Protection”

251

24

Welcome to the Real World

elcome to the real world. After all, games do not exist in isolation: they are built by companies with employees, partners, and customers. This part of the book focuses on a number of security issues that affect games during development and after their deployment into the real world. There are issues that affect the security and essential health of a game and a game business that are not traditionally considered “security issues.” I asked a long-time colleague and attorney Joseph Price to help address some of the legal issues that can affect a games business and brought in Marcus Eikenberry to discuss some of the problems with money and payments that can bring any business to its knees.

W

“The Insider Problem” is widely perceived to be the single largest security issue for any organization. After all, employees need to be trusted if they are going to be able to do their jobs and sometimes that trust is misplaced. For game companies, the three most critical insider problems are code theft, data disclosure (both of which can affect any game), and fraud against online game services. Increasingly, games are too big to be built, marketed, and operated solely by internal company employees. Working with partners raises additional issues. One especially common problem is that security requirements and responsibilities are not adequately addressed in the contract between the parties. There are also interesting issues related to the licensing of games to, and from, other companies. Money is perhaps the oldest “virtual asset” and the economy is the one game that almost everyone plays with great enthusiasm. I have closely followed ecommerce and the evolution of online services for years, but I have never seen a good explanation of how payments really work for businesses and what it can mean for a company. My own experiences in this regard have been fairly painful and eyeopening. Because of the topic’s importance, there are two chapters on money issues.

252

Chapter 24 Welcome to the Real World

253

Establishing strong identity has been a theme and a security topic from the very beginning of this book—identity affects piracy, cheating, griefing, gold farming, and all of the other topics discussed so far. Knowing your customers are “who they say they are” is very powerful, but it is difficult to maintain a good balance between convenience and strong identity. If it is inconvenient or time-consuming to join a game, many potential players won’t participate. Conversely, people often behave very badly when there is no accountability for their actions. Anarchy reigns without a strong identity relationship with your customers. The market for children’s games and online services has grown explosively in the past several years. Protecting children is a unique challenge for developers and game operators because there are laws and expectations for security that do not exist for players in general. Often, game companies and online service providers avoid children as a market that is “too hard.” This is a bit extreme; I’ll argue that there are some benefits to the children’s market that do not exist for other consumers. The popular perception is that only children play games. There is one aspect of the games industry that the general public does not associate with children: gambling. There are many ways that game companies can stumble into gambling and as people innovate with game business models as well as advergames and contests, their legal risks are growing. Although there is no inherent problem with the gambling business per se, you don’t want to create a casino or lottery by accident. Governments carefully regulate all legal gambling businesses and there are severe penalties for companies and individuals who don’t follow these rules—accidentally or not. One could not have a security book without addressing some traditional IT security issues and there are a number of these issues that are particularly relevant to game businesses: Denial of service and availability are key requirements for any online service. The growth of the IT and IT security industry has made addressing these concerns much easier than it used to be. We should not forget that there are villains—the hackers and online criminals who may attack a game or use your game to prey on your customers. Law enforcement has not been a very effective ally in this fight and the attitude of game companies towards the security issues in their games may make the security situation worse. Things go wrong. Security incidents will occur. We are often judged by how we respond to adversity. Most security incidents occur during the operational lifecycle stage, but developers and security professionals spend very little time focusing on handling real security incidents when they occur. Although it is nice to think that security measures will always succeed, it is essential to plan for failure and recovery. Finally, the topic of terrorism and virtual worlds has gotten the attention of the mainstream media. One could hardly write a book on security and games without discussing the issue, at least briefly.

25

Insider Issues: Code Theft, Data Disclosure, and Fraud

mployees are in the best position to do damage to any company. They have legitimate access to a company’s valuable assets. Such insiders are of particular concern for any company whose value is tied to its intellectual property and online services. Game companies are particularly vulnerable, as their value is tied to both.

E

In many cases, insider security issues are inadvertent: caused by negligence or ignorance or simple laziness. Part of this is an artifact of the history of game development as an informal, garage-based business. Formality, procedures, and controls are often seen as anathema to the creative souls of game developers. The industry has changed. Computer games now regularly cost millions of dollars to develop and can generate tens or hundreds of millions of dollars in revenues. There is a lot that is worth protecting. There have been a number of cases where the code for a game has been compromised during the development process. This can result in months-long delays while the game is reworked. There have also been incidents where a finished game has been lost or stolen. These cases are particularly costly, as a game’s anti-piracy system is often incorporated at the end of the production process and therefore there are no security measures in place to protect the game from being widely distributed. In contrast, online games are particularly vulnerable to insider fraud. Virtual items are just entries in a database and can be trivially duplicated by a user with access to a game’s servers. Insider fraud concerns are as much about preventing the perception of abuse as reality. The perception of fraud or bias by a game operator can undermine the service’s reputation with its customers. This perception is one of the reasons that game companies need to be very careful about allowing employees to play their own games on public servers.

254

Chapter 25 Insider Issues: Code Theft, Data Disclosure, and Fraud

255

There are technical solutions that can help manage insider threats and errors. However, technology is only a complement to hiring the right people, training them well, and holding them accountable for their actions.

C ODE T HEFT

AND

O THER D ATA D ISCLOSURES

with J. Price The process of developing and supporting games has grown steadily more complex. Localization, audio, and art may all be developed by different studios around the world. This requires increased formalization of security processes to protect the game project. Code theft has become a notable, and highly preventable, security vulnerability for the games industry. The “garage engineering” mentality is still too prevalent in an industry with multi-million dollar development budgets and gross revenues for individual games over one hundred million dollars. A game’s code-base and art assets are just too valuable to be left easily accessible on the Internet—especially in an industry that regularly complains about losing many millions in sales to piracy. HalfLife 2 was compromised by hackers breaking into an employee’s computer from the Internet during the game’s development, allegedly resulting in a four-month delay 1. There are two sets of costs in cases of code theft or data disclosure to consider. First, it costs tens of thousands of dollars (if not more) to extend a game’s development by a single month. One month’s delay would probably pay for a substantial suite of IT security tools and, perhaps, the IT staff to run them. Second, many major game titles earn tens of millions and, in some cases, more than $100 million within the first month of launch. The cost of a delay and piracy are both substantial. Microsoft earned over $300 million in the first week after Halo 3 launched 2. Although Halo 3 was not the victim of a security leak, Halo 2 3 and Grand Theft Auto 3 4 were both compromised prior to launch. There is also the issue of compromising other companies’ code: The physics engine from Havok was allegedly part of the compromised source code for Half-Life 2 and, as licensed software becomes more common in the game industry, this risk could grow substantially. For such major titles, each day of delay could “cost” tens of thousands of dollars in interest alone. FutureValue / Revenues = $300 million; // The chosen sample total game revenues Interest = 5% per year or .05/365 per day;

256

Protecting Games: A Security Handbook for Game Developers and Publishers

The formula for present value is: PresentValue = FutureValue/(1+InterestRate)^(number of days); See 5

For the current scenario, this would result in pure interest costs for a delay of: $41,090 after one day $287,514 after one week (7 days) $1,230,263 after one month (30 days)

This very simple model ignores the costs associated with rescheduling other resources, such as marketing, as well as any lost sales due to piracy. Even worse, these problems are largely preventable. Traditional information security practices such as firewalls, intrusion detection systems, good configuration management systems, or even isolating high-value systems and data from the Internet are easy to implement and inexpensive. A notable complicating factor is the rise of distributed development and outsourcing in the games industry. More sites, more companies, and more people inherently create more risk. In the US there are a variety of criminal laws addressing code theft and related circumstances6. The specific section of the criminal code, in the US or elsewhere, that applies depends on the circumstances of the crime. A common criminal law prohibiting most types of hacking is the US Computer Fraud and Abuse Act (CFAA). Most of the CFAA’s provisions prohibit unauthorized “access” to a “protected computer” coupled with other conduct7. A proactive security strategy is needed to manage these risks. First, do not provide full access to high-value data to everyone. Avoid any connections to public networks that are not absolutely necessary. If people, or companies, cannot access data, they cannot compromise it. Second, make people and organizations accountable. Implement tracking and logging mechanisms: If a problem occurs, it should be possible (and preferably easy) to find the culprits. Fire people. Fine companies. Publicly. Finally, have a recovery plan in place in case of theft or disaster. Games are major businesses; they should implement good back-up strategies and have disaster recovery plans in place, as well as have adequate insurance and other measures to manage business risks8. Hackers and other data intruders are subject to criminal and civil liability. There are at least 40 federal statutes that can be used to prosecute cybercrime; in addition, victims can sue under a variety of civil (money damages) theories. For example, if a hacking victim is attacked by a hacker who works for a company, and

Chapter 25 Insider Issues: Code Theft, Data Disclosure, and Fraud

257

the hack was launched from a company computer (or in some way involved the company), the victim might sue the company and file a range of charges such as negligence, negligent hiring, or negligent supervision. Hackers are often difficult to identify or be made subject to the jurisdiction of the US. Even worse, they are typically what lawyers refer to as judgment proof: They are not worth suing because they do not have enough money to pay damages. It is alleged that a disgruntled former employee at Electronic Arts was responsible for leaking the game Black9 and Ubisoft accidentally posted 2GB of screen shots, videos, and concept art to a publicly accessible server10. In the first case, there is not likely much that can be gained from prosecuting the ex-employee and in the latter case, the company has only itself to blame. A better target for a lawsuit is an entity that failed to prevent the security breach, or otherwise covered up an issue causing more damages in the long run. Ubisoft is suing the company that reproduced disks for its game Assassin’s Creed and who was allegedly responsible for the game being leaked online. These entities have deeper pockets for plaintiffs, and are sometimes easier targets11. In general, courts will impose some form of liability on the person in the best position to prevent losses, particularly if they are aware of the security issues. The best legal defense, therefore, is to avoid security breaches. Security bonding and insurance (if available) may also help. However, most standard insurance polices that companies have for liability and “errors and omissions” protection are written so as to avoid or minimize payouts for computer-security related offenses. Code losses typically occur accidentally or due to the actions of individuals: the source code from Lineage III was allegedly stolen by a group of company employees and sold to another game company. NCsoft claimed losses of $1 billion12, which it is hardly likely to ever collect from anyone. Issues will arise, however, and there are specific laws meant to protect intellectual property and network integrity. Owners of intellectual property (such as game code) can seek protection through trade secrecy, patents, copyrights, and other legislation tailored to their particular industries. In the DeCSS13 DVD security circumvention tool cases, for example, the DVD Copy Control Association tried to stop distribution of DeCSS through state trade secret law, whereas Universal and other studios invoked the DMCA, a federal copyright and anti-circumvention statute. These techniques only supplement good business strategies and effective technical measures. It is an open question whether the DVD industry “won” the war against the DeCSS or whether the decreasing prices of DVDs had a more significant impact on reducing piracy.

258

Protecting Games: A Security Handbook for Game Developers and Publishers

O FFICE IT I NFRASTRUCTURE Many security problems come from accidental disclosures. One of the simplest ways to avoid such problems is to physically isolate high-value data and computers. Although many IT security professionals advocate firewalls, intrusion detection systems, and such, the cost, effectiveness, and simplicity of physical isolation cannot be overstated. A hacker cannot compromise a computer that she can’t connect to. This is especially true as the cost of computers and networking equipment continues to plummet: meaning that it is easier to have some computers dedicated to development and others with access to the Internet. Some inconvenience can be a good thing. Having to change computers or go to a different room to access certain data or services, such as the Internet, removes the temptation to browse or collect unneeded data or waste time. There was merit to the earlier physical security systems where important information was kept in locked file cabinets. Permission was required to access any information and usage was tracked (often under the wary eye of an archivist). I used to work on classified systems, sometimes in a big vault. When we wanted to use the Internet, we went into a different room and logged in from a public computer. Our real work was physically separate. A collateral benefit of this arrangement was that we had much less gratuitous web surfing by employees. I have had access to network logs at a number of large commercial and government sites and the amount of non-work-related web surfing was appalling. Sports, news, shopping, and a surprising amount of pornography was being “consumed” on company, or government, time. My business partner and I had to fire an employee for excessive Internet use. Inappropriate Internet use is a real problem and very costly in dollars and time. It is also a huge security risk. I have had discussions with several individuals at game companies who have implied that certain staff “need” Internet access. If so, the cheaper, more secure solution is to give them a separate computer. Anything that needs to be brought into the internal development or operational system is then introduced via “sneaker net” on physical media, preferably through a software library or configuration management group. This can have an additional benefit of helping track the source of material in case of copyright disputes. The other common, contentious issue is related to remote access. If remote access is necessary, it should be done via dedicated computers provided by the company. Under no circumstances should these systems be used for other purposes (surfing the Internet, playing games, whatever). There are good hardware and

Chapter 25 Insider Issues: Code Theft, Data Disclosure, and Fraud

259

software security tools to help ensure that only specific machines and individuals can access a company’s sensitive networks and computers. This sort of segmentation can also be extended to internal networks; programmers can be isolated from artists and business and marketing people separated from everything. Formal build and test systems should certainly be separated from the general office IT infrastructure, as should anything having to do with money or real operations (see the section called “Sample Game Operations Architecture” in Chapter 32). If utterly necessary, this separation can be implemented via VLANs or other “virtual” technologies. However, human behavior will often tend to unravel these easy isolation technologies. At the end of the day, management and the company as a whole need to believe in and “own” the security strategy, not just the IT guys.

I NSIDER F RAUD There is no worse problem for any organization than a malicious insider. Insiders are already behind the scenes and underneath all of the protections that you have built in to protect your game against troublesome players. This is most obvious for gambling games. Casinos have layers of monitoring to try to stop this problem: Dealers watch players, pit bosses watch dealers, floor managers watch pit bosses, and security and regulators watch everyone. Even so, every so often, the lure of easy money draws in employees. Recently, at the Lakeside Casino in Iowa, a dealer colluded with some mini-baccarat players to alter the cards and help them win at least $12,000. All were arrested thanks to video surveillance14. Two online poker sites, AbsolutePoker.com15 and UltimateBet.com16, have been embroiled in cheating scandals where players, perhaps company employees, used access to the sites’ computers to cheat by seeing the hidden “hole” cards of the other players. Although the stakes are particularly high for online gambling, other games have had notable insider fraud problems. A vice president at Shanda Interactive and two accomplices were found guilty of fraudulently creating and selling virtual items for the MMO Legend of Mir II17. The group earned 2 million Yuan (over $254,000). As discussed in Chapter 22 on gold farming, there is a large market for illicit virtual goods and fraud is particularly tempting for company insiders. There have been many similar incidents reported at other game companies and, no doubt, quite a number that were either handled privately or remain undetected. Insiders can also cause other problems. A Halo 2 developer “for fun” added a picture of his behind into the Vista version of the game’s map editor18. Although this may seem humorous, Microsoft had to re-label all of the copies of the game with the “Partial Nudity” ESRB label, which delayed the product’s launch by one week.

260

Protecting Games: A Security Handbook for Game Developers and Publishers

There are other potential problems. Identity theft (see Chapter 29) and payment fraud (see Chapters 27 and 28) as well as other forms of fraud are often easier within online services, especially those where security concerns were not a core part of the design.

P LAYING Y OUR O WN G AME Online games are no longer a “garage” business. MMOs cost millions to tens of millions of dollars to develop and are designed with the goal of generating many more millions revenues (except for wild independents). Although game developers love their games, the adverse consequences of developer’s cheating at their own game so far outweighs any game design benefits that it just needs to stop. In 2007, CCP Games, developer, publisher, and operator of the science fiction MMO, EVE Online, found itself at the center of a controversy over the disclosure that employees of the company had been cheating to help their corporation (a “team” of players in EVE Online)19. This was not the first time such accusations had been levied against CCP Games employees, but the scale of this incident was quite embarrassing for the company. Fortunately for CCP Games, the incident has had little long-term impact. Game integrity is paramount. There is nothing more important to business than the trust of your customers, especially if everything that you provide is virtual. I have heard (repeatedly) the argument that “Developers need to play the actual game to really be able to support it.” Developers need to find another way. The consequences are just too dire and the temptation is too great. In 2001, the McDonalds Monopoly promotion (an instore ticket-based promotion) was hit by a scandal when it was discovered that an employee of the marketing firm that ran the promotion had been secretly giving winning tickets to his friends and family starting in 1996. That fraud earned the conspirators $13 million and some serious jail time and cost the marketing firm, Simon Worldwide, its contracts with McDonalds and Philip Morris20. It is very hard to estimate the real costs of these types of security incidents. For subscription games, some players may simply not renew; for a free-to-play game, they may simply stop buying as many items. Suppose an MMO has 100,000 subscribers and charges $10 per month. Further, let’s assume a developer (or group of developers) cheats or abuses the game for their own advantage and therefore causes 0.1 percent of the subscribers to cancel immediately. Then, the immediate cost of the security incident would be: 0.1% x 100,000 x $10/month = $10,000/month or $120,000 for Year 1

Chapter 25 Insider Issues: Code Theft, Data Disclosure, and Fraud

261

In a subscription game, suppose this increases the chance that players don’t renew from 20 to 25 percent (again simplifying the subscription model so that everyone leaves at once and had just renewed... the most favorable model from a revenue perspective). The increased loss of subscribers would be: 5% x 100,000 = 5,000 lost subscribers after 1 year

Therefore, the Year 2 loss would be an additional: 5,000 x $10/month = $50,000/month or $600,000 in Year 2 (in addition to the $120,000 who left immediately)

So, the Year 2 losses would be $720,000. One should also model the opportunity cost of new subscribers who decide not to join the game because of their concerns about perceived cheating. This is harder to model. There are players who decide to enroll “for free” because of the recommendation of their friends and then there are those who enroll because of marketing. Both may be reduced in the wake of any cheating scandal. Assume 10 percent of players ordinarily would recommend the game to their friends and this number is reduced by 10 percent (meaning the recommendation rate is only 9 percent). However, the total population of players has been reduced by those who left immediately, so the total population is 95,000. Therefore, the additional lost subscribers (for Year 2) total: 95,000 x 10% x 10% = 950... costing an additional $114,000 in Year 2

Finally, in the wake of the bad publicity, any marketing to “cold” prospects would be less effective, perhaps by 20 percent. One can model this in terms of increased marketing costs to maintain population or by reduced additional revenues; either way, it is expensive. There are many ways to model the consequences of such incidents. Although the immediate cost of an insider scandal may not be that great, even using fairly conservative numbers for a small MMO, one could easily suffer million dollar losses in the second year for these types of incidents. More severe incidents that are handled poorly will drive these costs substantially higher. Free-to-play games that depend on players making virtual asset purchases are likely to be even more vulnerable, because they do not have the inertia of ongoing, and often automatic, subscription renewals to maintain revenues.

262

Protecting Games: A Security Handbook for Game Developers and Publishers

Also, as games mature and move to a steady population, an incident of this sort can tip the game into a death spiral where lost subscribers outnumber new players and drive the game towards collapse.

P RIVILEGING

AND

I SOLATION

The very features that cause problems with developers playing their own games and insider fraud are necessary to the successful operation of an online game. Developers need to be able to create items and exchange them. They need to be able to fully test the game play experience in as realistic an environment as possible. Developers also need to be able to modify a game’s code and its databases. In order to allow payments to be made, customer data needs to be stored somewhere and be accessible. Because these functions are required, they need to be implemented in a secure fashion. In this case “security” means that they are only used when, where, and how they are intended to be used. The first level of control is privileging and (application) user roles. Game operators and customer support staff are separated based on experience and trust with senior personnel given more capabilities than junior staff. These capabilities may be based on job function or individual needs or experience. The main benefit of using a person’s job for privilege control is that it is typically easier to manage. The security industry also has a nice term for it—Role-Based Access Control (RBAC), in contrast with Identity-Based Access Control (IBAC). The other general tactic is to isolate or split functions or operations from each other. The most familiar example is that a business will require two signatures when writing a large check. This strategy can be very effective because multiple individuals need to collude for the system to fail. The notion of a signature/ counter-signature system can be easily implemented for any critical function. Fully automated functions in software can even be split in this manner to protect against failures. There are a number of additional methods that can be used to help address insider security issues: Outside Investigations—If anything goes wrong, use an independent, outside investigator to ensure credibility of the results. This is a standard damage control tactic in other industries and it is equally applicable to games.

Chapter 25 Insider Issues: Code Theft, Data Disclosure, and Fraud

263

Controlled Key Item Creation—First, high-value items, like the blueprints that were the problem for EVE Online as well as the rare items from Legend of Mir II, should probably only be created with the authorization of more than one developer/game master. This would make it notably more difficult for a single individual to abuse the system. Separate Server/World for Developers, Friends, and Families—Set up a separate server or virtual world for developers and their friends and families. This allows them to play, but removes any appearance of impropriety related to any benefits in the public game. No Rewards for Developers, Friends, and Families—If the game has any incentives or awards that have any real value, no employees, associates, or friends or families should be eligible to win or earn them. Key Item Logging—High-value items should probably have a life history that is logged so that their ownership can be tracked back to their creation. Executive and Oversight Alerts and Reports—Any activities that could alter or disrupt the game—item creation, game parameter alteration, and so on— should be regularly tracked and reported to both game operations executives and whatever independent oversight system is used to ensure game integrity. Strong Configuration Management/Split Teams—Developers should not have access to the live system and, conversely, the live team and testing personnel should not have access to the developmental code base. Careful configuration control needs to be in place to ensure the integrity of the code. Employee Game Logging—Although one can debate the merits of developers playing the live game endlessly, it should certainly be clear that developer accounts should be flagged and logged at a much deeper level than regular players. This may include the use of a distinct client version. It should go without saying that developers should not be playing the game from a development system workstation. Independent Logging System—The system logs and auditing systems should be truly independent of the regular game play and data storage servers. It would be best that the auditing systems be developed and maintained by a different team. Take Game Integrity Seriously—MMOs lifeblood is the integrity of their game operation. This is a multi-million dollar business. With over 120,000 subscribers paying $15 per month, any damage to the game’s credibility or out and out corruption could literally break the bank. The consequences for a failure of game integrity could be fatal.

264

Protecting Games: A Security Handbook for Game Developers and Publishers

Insider problems are a particular challenge because they require the developer to look at her own team with suspicion. Business processes need to be understood and shaped to reduce opportunities for fraud or abuse. Logging (with active review of the audit logs) is necessary to provide credible deterrence and support for legal action. Often, little time is spent figuring out how the back-end systems (user management, payments, customers service, game master systems, and so on) of a game service will operate. As a result, all employees are allowed to do everything, just to keep the game running. Careful back-end system design will likely have substantial benefits far beyond addressing insider problems. It will likely improve supportability and reduce operational costs.

Chapter 25 Insider Issues: Code Theft, Data Disclosure, and Fraud

265

R EFERENCES 1. C. Morris (2003), “Playable Version of Half-Life 2 Stolen,” http://money.cnn.com/2003/10/07/commentary/game_over/column_gaming/index.htm 2. Microsoft (2007), “Global Entertainment Phenomenon ‘Halo 3’ Records More Than $300 Million in First-Week Sales Worldwide,” http://www.microsoft.com/presspass/press/2007/oct07/10-04Halo3FirstWeekPR.mspx 3. D. Becker (2004), “Stolen ‘Halo 2’ Hits Pirate Sites,” http://news.zdnet.com/2100-3513-5409959.html 4. R. Fahey (2004), “Grand Theft Auto San Andreas Leaked by Pirates,” http://www.gamesindustry.biz/articles/grand-theft-auto-san-andreas-leaked-by-pirates 5. Wikipedia (2008), “Time Value of Money,” http://en.wikipedia.org/wiki/Time_value_of_money 6. See, for example, 18 U.S.C. §§ 1029 (fraud and related activity in connection with access devices), 1030 fraud and related activity in connection with computers), 1343 (wire fraud), 1831 (economic espionage), 1832 (trade secrets), and 2701 (stored wire and electronic communications and transactional records access) 7. 18 U.S.C. § 1030 8. Insurance Journal (2007), “Fireman’s Fund Launches Product for Video Gaming Industry,” http://www.insurancejournal.com/news/west/2007/06/14/80820.htm 9. T. Spot (2006), “Angry Ex-EA Staffer Leaks Black?,” http://www.gamespot.com/news/show_blog_entry.php?topic_id=24344800 10. K. Kelly (2006), “Ubisoft ‘Accidentally’ Leaks Tons of Assets,” http://www.joystiq.com/2006/09/21/ubisoft-accidentally-leaks-tons-of-assets/ 11. B. Sinclair (2008), “Ubisoft Sues Over Assassin’s Creed leak,” http://www.gamespot.com/news/6195570.html?sid=6195570&part=rss&subj=6195570 12. The Chosun Ilbo (2007), “Game Programmers Suspected of Stealing Code,” http://english.chosun.com/w21data/html/news/200704/200704260026.html 13. Wikipedia (2008), “DeCSS,” http://en.wikipedia.org/wiki/DeCSS 14. Lynda (2007), “Arrests Made at Terrible’s Lakeside Casino,” http://www.essentialestrogen.com/2007/07/arrests_made_at_terribles_lake.html 15. S. Levitt (2007), “The Absolute Poker Cheating Scandal Blown Wide Open,” http://freakonomics.blogs.nytimes.com/2007/10/17/the-absolute-poker-cheating-scandal-blown-wideopen/ 16. M. Brunker (2008), “Poker Site Cheating Plot a High-Stakes Whodunit,” http://www.msnbc.msn.com/id/26563848/ 17. C. Li (2007), “Three Jailed in Online Gaming Scam,” http://www.chinadaily.com.cn/cndy/2007-03/27/content_836887.htm 18. Edge (2007), “Nudity the Cause for Halo 2 Vista Delay,” http://www.edge-online.com/news/nudity-cause-halo-2-vista-delay 19. S. Jennings (2007), “Eve Blows Up. Again,” http://brokentoys.org/2007/05/25/eve-blows-up-again/ 20. P. Patsuris (2001), “Simon Marketing Gets Fried in McScandal,” http://www.forbes.com/2001/08/24/0824dog.html

26

Partner Problems with J. Price

“Si vis pacem, para bellum” (“If you want peace, prepare for war”)1 ame companies are rapidly moving from doing everything in-house to contracting or outsourcing a substantial portion of their work. Third-party game developers build games for publishers, developers outsource art asset creation, and publishers license games internationally or hire foreign firms for localization. The foundation of these relationships is contracts and one area that is often neglected in contracts is security.

G

If you want a good business relationship, write contracts that assume everything will go wrong. Prior to working with the game industry, I spent many years working for the U.S. government with IT contractors and for contractors working with the government and with other companies. Although my work was technical, I rapidly learned that my success was highly dependent on contracts. If the contract was well-structured and thorough, we rarely had to resort to it. If it was not well-structured, life could become a nightmare. My co-author for this chapter, Joseph Price, is an attorney who lives and breathes contracts, and often gets paid to deal with the consequences of poor contracts.

C ONTRACTING S ECURITY ? In some sense, contracts are very much like software. The standard rule of thumb is that 80 percent of software code is written to handle errors. Most of the terms in a contract are there to handle when things go wrong. If implemented properly, a good contract will keep you out of court and, hopefully, help keep the project on track. Save some money while writing a contract and you may be in court for years. 266

Chapter 26 Partner Problems

267

The common answer to almost all of the security issues that we discuss in this chapter is a good contract and structuring the business relationship so that a good contract can be created and its results measured. A contract is the security tool of last resort and is a supplement to good security design and business practices. “Security,” like quality, is quite tricky from a contract perspective because it is so hard to measure. You can’t write security into a contract; what you can do is carefully define what you are doing for protection and, if possible, create measures for accountability when things go wrong. Security is of particular concern to publishers contracting for games from third-party developers and game developers that incorporate outsourced services or products. Whether it is the compromise of the game code during development or the customer support costs associated with game exploits, security failures are exacerbated by the nature of third-party relationships in the game industry. Outsourced products and services can introduce additional security risks. Finally, online games have a unique challenge with both official and unofficial community sites that are associated with a game, but not owned or operated by the game’s publisher. These sites are often the source of malicious code, phishing attacks, and other security problems that target game players.

S ECURITY A CCOUNTABILITY

IN

T HIRD -P ARTY D EVELOPMENT

Third-party developers are motivated to get their games out as quickly and as inexpensively as possible and are typically held accountable for delivering a “great game.” Because the bulk of the fees that these developers earn are typically on completion of a title, their motivation to address lifecycle and operational issues like security and other support services is low (quite reasonably). Publishers and developers need to cooperate to ensure that security issues are adequately addressed during the development process. The computer game industry is changing: A flashy box and fancy graphics will not guarantee success. Games no longer have a 30-day sales cycle, but are moving to a long-term relationship between publisher and player via an online service; game-development licensing needs to catch up with these changes. Although the only security issue that used to be of concern was fighting piracy, now, cheating, griefing, and other issues are comparably important. The game publisher needs to provide an ongoing operational infrastructure to support a game. Customer support, server operations, and ongoing engineering, patching, and maintenance have changed games into services. The nature of the business relationship and deliverables between a game developer and publisher

268

Protecting Games: A Security Handbook for Game Developers and Publishers

must change to match this model. Solid engineering, good design, infrastructure costs, lifecycle costing, and management now matter. Publishers must rethink their relationship and contracts with developers so that contracts match business needs. Factoring security issues into the game-development process is one way to reduce lifecycle costs and risks. Game publishers should engage a layered approach when working with developers and end users. Security risks (which translate into costs) should be considered at each stage of game development. The later security is included in the game-development process, the more expensive it is going to be, particularly considering piracy and code theft that may occur even before the game is released. It is the publisher who will ultimately pay for security failures one way or another. Today, for games from third-party developers, the software is typically provided “as is,” in terms of security. During my discussions with a number of developers, many have said “security is the responsibility of the publisher.” For console games, developers and publishers have often relied on the security provided by the platform; a strategy that has not had good results so far. So, with everyone placing the security responsibility on everybody else, the security “ball” simply gets dropped. If the publisher insists on a security solution, and is willing to pay, developers will apply resources to security, just as they do for animation, art, and game play. In the game contract, the publisher could ensure that its developers agree to appropriate indemnification (acceptance or transfer of liability) for security issues. If this is not possible, the publisher could insist that the developer deploy security that the publisher has rights to and prefers, as part of the game (this is the most common approach today for anti-piracy technology). In other words, the developer should consider incorporating its own security solutions that the developer believes are good enough to warrant tight indemnification or give the publisher the option to require the publisher’s preferred security solution to be incorporated as part of the game. Developers should also consider making security more of a priority as more games are adding downloadable content, virtual asset sales, and other monetization strategies. These may result in substantially larger royalties for the developers, but only if the game is successful.

S ECURITY A CCOUNTABILITY

IN

T HIRD -P ARTY L ICENSING

Online games are increasingly seen as good licensing opportunities. Potential game publishers or game operators get a completed title with the potential for a prompt return of their investment and the game developers can earn substantial royalties in numerous regions. However, licensees are obliged to operate and support these

Chapter 26 Partner Problems

269

games and security problems can turn a potentially profitable license into a costly customer support and marketing nightmare. Griefing alone, much less other security problems, can consume 25 percent of monthly service costs2 and suck the profits out of a licensed online service. In Sony Online Entertainment’s report on its experiment with real money transactions (RMT), SOE found reductions in overall customer support costs of 30 percent simply by supporting these transactions internally3. A key part of the due diligence process for licensing any game should be to determine support costs and risks. Games developed in sophisticated markets like China, Korea, or the US are likely to be thoroughly “tested” by griefers, cheaters, and hackers. It is highly worthwhile to research the “security state of the game.” Most games are not going to be wildly successful. Good control on operational costs including griefing, cheating, gold farming, and RMT may be the difference between success and failure. Another question that is important when licensing games is accountability for security, which can affect both parties. The game developer may be concerned that the licensee does enough to protect the game source and executable code that they provide, while the licensee may be rightly concerned about who will fix security problems and how promptly (and, of course, who will pay to fix those problems). NCsoft’s Lineage 2 server code was compromised, apparently in China. Later, this turned up in several places, including a pirate service in the US that was eventually shut down by the FBI but potentially cost NCsoft millions in subscriber revenues4. Similarly, Cryptic Studios was the victim of a hacker who compromised the server code for City of Heroes as well as knocking several game servers offline5. Security and technical support problems turned into a contentious dispute between Korean game developer, MGame, and the licensee of its MMO Yulgang, CDC Games, in China6. Because of the problems, CDC first stopped paying licensing fees and MGame revoked the game license. Eventually the two companies settled, although one suspects that lawyers were the sole beneficiaries in the dispute. In Korea, a number of game companies outsource security to specialty security service providers, most notably Inca Internet Co. (GameGuard) and AhnLab (HackShield). In the US, the only major game security service provider is Even Balance with its Punkbuster security service. Many companies who license games from Korean developers are required to negotiate a separate license with the security provider. This is almost certainly a poor way to structure a contract; especially from the perspective of a licensee. When licensing a game that uses such a service, it is probably preferable to include the security service in the prime contract with the game company to have unified responsibility for security (and, since the total payments are larger, this gives the licensee a bigger “stick” to push for better security support).

270

Protecting Games: A Security Handbook for Game Developers and Publishers

How does the new game operator control this risk? Here are some options: If the game has been previously deployed, the licensee should do extensive due diligence to determine whether there are known problems with the game. The licensee should also audit the game’s forums and internal trouble tickets (and the time that the company takes to close those tickets) to determine the pace of security problems. This is critical for being able to estimate support costs. If the game company is using a security service or product, this should be bundled with the license cost and the technical security support responsibility should stay with the game developer. A new game operator should not have to initiate a contract for security support. In the terms and conditions for the contract, a maximum pace for security incident trouble tickets should be budgeted with a clear escalation process if serious weaknesses are not corrected. If this pace is exceeded, the game developer should have to pay penalties or give discounts to the licensee. Also, the developer should be obliged to promptly report new security problems found in other regions to the licensee. An interesting collateral issue is the challenge of replacing a licensee. The long saga of The9 and their battle with Blizzard over the licensing of the Burning Crusade expansion to World of Warcraft in China is an interesting example. The companies worked out their issues, but Blizzard was quite unhappy for a long time with the quality of service that The9 was providing to World of Warcraft’s Chinese customers7. The termination of an online game license is especially tricky, because there could be questions about ownership of the customers and any modifications or localization to the game carried out by the licensee. Although many developers license their games as an executable without source code, I actually think that it would be wiser for developers to license or lease pre-configured servers as an appliance (see also sidebar in Chapter 8). This increases control over the licensee and reduces the effort required for support because the developer has full control over the game appliance platform.

S ERVICE P ROVIDER

AND

P ARTNER S ECURITY I SSUES

Games are no longer just sold in boxes at a store. There are electronic distribution services, online game services, payment processors, game arcade operators, and even security service providers. The security performance of these companies can have serious implications for the success of your game. Outages, such as that experienced by Valve’s Steam online game distribution service8, as well as more conventional security problems, can affect the revenues of all of the businesses that use these

Chapter 26 Partner Problems

271

services. The situation can be complicated further by having many companies, subcontractors, products, and service providers involved. When there is a security problem, they will all be pointing their fingers at each other or at you. If someone is thinking about security, the relevant legal issues are raised right before a contract is signed for software or services. Typically, however, security becomes a consideration only when a breach occurs. The French version of Halo 2 was compromised during the manufacturing process9 in 2004 and in 2008 Ubisoft launched a $10 million lawsuit for contract breach and negligence. Ubisoft filed the suit against its U.S. disk manufacturing company for allegedly allowing an employee to compromise Assassin’s Creed10 (resulting in 700,000 illegal downloads). In a perfect world, every contingency will be considered when initially negotiating the contract. In reality, a breach will occur in a way not entirely anticipated, and will be complicated by everyone’s confusion about what actually happened and further aggravated by split responsibilities between the affected parties and other product and service providers. Given these circumstances, it is wise for the licensee and licensor to keep four issues in mind when licensing software or services: Licensee Rights—The licensor will want an assurance, and the licensee should also confirm for its own purposes, that the licensee has the rights to what it is licensing, including all of the elements it relies upon to deliver the product (for example, consider sublicenses when relying on other licensed work). Damages—Consider worst case scenarios and who you are dealing with; a licensee that cannot (or will not) provide monetary relief should be expected to provide its product at an appropriately discounted rate because the licensor will have to spend money elsewhere in anticipation of a breach (if a security software firm, for example, is a small company with few or no assets, its breach conditions or warranty might only be as good as its insurance policy, if any, which should be requested to be part included as part of the contract). Warranty—Anything short of an express warranty, created by an affirmative statement, description, or promise in the license (such as an express warranty as to the security capabilities of hardware or software) will give a licensor pause. Breach and Termination—Consider how you can get out of the license agreement, particularly when a breach occurs, and also consider what damages might be available upon breach. Reviewing the license in the context of a security breach will likely be a complicated effort when the agreement is initially negotiated. There are few laws and regulations that apply in this area of law. Liability will likely rest with the entity that is contractually liable, if there is one.

272

Protecting Games: A Security Handbook for Game Developers and Publishers

If there is a lawsuit, it will need to be crafted based on how the security breach occurred. Good logs and tracking mechanisms are necessary to even begin such a suit. These records need to be created, stored, and handled in a manner such that they can be used in court. It is important to consider forensic issues before an incident occurs. If the license grants rights for software or services “as is,” there are no guarantees, such as the existence of an express or implied warranty (this is often buried in a contract paragraph in which all the words are capitalized and extra difficult to read). If there is any available warranty, it will be, at best, in a legal grey zone; the license may provide a degree of a warranty, complicated by limited indemnification rights, maximum payout restrictions, and subject to third-party licenses that no party to the agreement has ever actually reviewed. Damages and causes of action in court for breach of warranty are generally different than breach of contract. It is common to have exclusive remedies applicable to contractually promised express warranties if, for example, the hardware, software, system, or service fails to comply with an express warranty. For these reasons, the breach of contract and breach of express warranty claims are generally treated as separate claims, even where the express warranty claim arises under a contract between the parties. Service providers (for example, ISPs, social networks, and online games) may find themselves part of a lawsuit involving their customers whether or not they “should” be included. The quickest way to get out of the lawsuit is to have something clear to give to the court that cannot be attacked by the plaintiff or other defendants. Service providers will want to take full advantage of a legal immunity available to them11, and reaffirm that immunity in their service agreement and other contracts. The model to engage is the “conduit.” With the law and typical service contracts on their side, ISPs will escape liability, which will likely lead to another party. A slight warning is warranted to those ISPs and other service providers that move from the conduit role and add functionality. A recent case in California confirming the broad application of immunity included a footnote indicating that any involvement by the ISP that resembles the actions of a publisher could void the immunity: Delfino v. Agilent Technologies, Inc., 145 Cal.App.4th 790, 808 n.25 (Ca. App. 6th Dist. 2006) “We recognize that there is an existing debate concerning whether immunity under the CDA [Communications Decency Act of 1996] applies equally to both publishers and distributors of information authored by third parties and disseminated over the Internet.” (citing Doe v. America Online, Inc., 783 So.2d 1010, 1018-28 (dis. opn. of Lewis, J.) (Fla. 2001)).

Chapter 26 Partner Problems

273

This case leaves the door open for potential liability (for example, if a service provider provided security functionality and those mechanisms were to fail). The contract should be the security measure of last resort. First, design the business so that it has robust security; second, have clear accountability for any external parties; third, have a solid technical solution; and finally, paper it over as well as you can with good contracts and licenses.

C OMMUNITY

AND

F AN S ITES

One of the great things about the game industry and for the game industry is that its customers are often fans who set up websites, community sites, and other online forums. Players set up these sites on their own initiative and can have audiences of tens of thousands or more. However, many of these sites are run by amateurs and are easy prey for hackers and online criminals. Some are set up by criminals to lure players in to collect personal information and passwords or even download malware onto visitors’ computers. These sites are totally beyond the control of game companies and the threat is serious. Thirteen percent of the malware in Asia is targeted towards online games12 (key-loggers and other tools that help break into player accounts). Sometimes online sites do strange things that can create security problems. The Chinese Internet portal Sina ran an online poll about casual games, which was fine, except that there were questions in the survey that asked for player’s account names and passwords13. Improved identity systems, like World of Warcraft’s identity token or systems that use cell phones to log in, can minimize the potential risks from player errors. A lot of people have argued strongly for user education as an effective countermeasure against phishing or accidentally installing malware, but a game company can’t bank on changes in player behavior. One potential option is to include or provide free security software with a game. Another option is to certify and monitor fan sites to help them with their website security.

274

Protecting Games: A Security Handbook for Game Developers and Publishers

R EFERENCES 1. Vegetius, “Prepare for War: Latin Quote from Vegetius,” http://ancienthistory.about.com/od/warfareconflictarmor/f/PrepareforWar.htm 2. D. Becker (2004),“Inflicting Pain on Griefers,” http://news.com.com/Inflicting+pain+on+griefers/2100-1043_3-5488403.html 3. N. Robischon (2007), “Station Exchange: Year One,” http://www.gamasutra.com/features/20070207/SOE%20Station%20Exchange%20White%20Paper%201. 19.doc 4. FBI (2007), “Cracking the Code, Online IP Theft Is Not a Game,” http://www.fbi.gov/page2/feb07/iptheft020107.htm 5. B. Crecente (2005), “City of Heroes Hacked,” http://kotaku.com/gaming/city-of-heroes/city-of-heroes-hacked-144399.php 6. L. Alexander (2007), “CDC Sues MGame for Security, Tech Support Failures,” http://www.worldsinmotion.biz/2007/10/cdc_sues_mgame_for_security_te.php 7. S. Burns (2006), “Warcraft Game Makes $10m a Month in China, But Blizzard Expansion Dispute Still Not Resolved,” http://www.vnunet.com/vnunet/news/2162262/world-warcraft-makes-10m-china 8. M. McWhertor (2006), “God Hates Steam, Too,” http://kotaku.com/gaming/god/god-hates-steam-too-222329.php 9. D. Becker (2004), “Stolen ‘Halo 2’ Hits Pirate Sites,” http://news.zdnet.com/2100-3513_22-139103.html 10. B. Sinclair (2008), “Ubisoft Sues Over Assassin’s Creed Leak,” http://www.gamespot.com/news/6195570.html?sid=6195570&part=rss&subj=6195570 11. 47 U.S.C. § 230 12. M. Hines (2008), “Online Game Malware Takes Off in June,” http://securitywatch.eweek.com/exploits_and_attacks/online_game_malware_takes_off_in_june.html 13. DoNews (2008), “Sina Online Poll Asks for Game Account Passwords,” http://www.marbridgeconsulting.com/marbridgedaily/2008-09-11/article/19520/sina_online_poll_asks_ for_game_account_passwords

27

Money: Real Transactions, Real Risks by M. Eikenberry

Author’s Note: Although money can’t buy happiness, lack of money can cause your business to collapse. Handling payments and fighting financial fraud are profoundly important issues for online services, especially game companies. The lack of physical product delivery makes digitally distributed games and online game services targets for fraud. There are also serious risks associated with payment processors that many individuals, experienced only with the consumer side of the payment business, are completely unfamiliar with. I asked Marcus Eikenberry, who has lengthy experience with these types of transactions as a game code and virtual item reseller, to provide his insights into the payments process and fighting fraud. am Marcus Eikenberry and I’m a serial entrepreneur. I make a living dealing in intangible goods and services within online video games. My companies sell huge volumes of game registration codes and game time codes, as well as providing anti-fraud solutions for other sellers within these online gaming markets.

I

I started in 1997 selling virtual items within the game Ultima Online. I noticed a couple of sales of UO items on eBay and wanted to try my hand at making a sale there. I took two extra game accounts I had that were about three months old and put them up on eBay with full details of all the virtual loot that would be included on them. When I sold the accounts for a combined total of $2,400 I knew I was onto something. I thought to myself, “I could make a full-time job of this and do very well.” I have done so ever since. Now more than 10 years later, I no longer touch in-game goods when it violates a game’s terms of service. I focus on selling game codes and providing anti-fraud services for other companies. After being taken for a lot of money by scammers and thieves and not understanding how to process payments over the years, I’ve developed methods for some of the more popular payment services to greatly reduce fraud and overhead costs. 275

276

Protecting Games: A Security Handbook for Game Developers and Publishers

You will find information here that will help you improve your own payment processing and anti-fraud practices to help you to keep more of your profits in your pockets.

P AYMENT P ROCESSING Payment processing in its simplest form is getting the money your customer wants to give you for goods or services into your account. There are several types of payments. I will cover some of the ones that are more popular with video game players. In North America, credit cards are king. PayPal is also very popular. In Europe, there is a smaller percentage of people who use credit cards. In Europe, the culture in many areas is that if you are purchasing with a credit card it is because you do not have the funds to make the purchase. This may account for their lower use in Europe and why bank transfers are the preferred payment method. Moneybookers is a very popular payment method for Europe, as it supports multiple types of bank transfers as well as credit cards. Another method that is very popular across the globe is prepaid cards. These cards can provide credits into your games or subscription time. These are very popular because of their low barrier to entry for purchasing. In the US, you can walk into any Target store and find 30 or more types of prepaid game cards. In Europe, the cards can be found in many supermarkets. If you are selling services or intangible goods that are not delivered to the customer’s physical address, you will not have any seller protection in the event of a dispute. When accepting payment by credit card, you must accept the fact that you will lose 99 percent of all disputes. Credit card companies do not track digital goods delivery. Nor does it appear that they will offer any support for this in the near future. Depending on your volume of sales, you can expect to pay 1.9 to 2.4 percent, plus a transaction fee of $0.25 to $0.35 per transaction. Most credit card companies will not allow you to charge the customer directly for these fees. Additional fees can be levied on the vendor for chargebacks (Author’s Note: A chargeback is when a consumer reverses an existing credit card purchase and the vendor is responsible for returning the funds to the credit card company and, ultimately, to the consumer unless the vendor can successfully dispute the chargeback). Chargeback fees are commonly $10 per disputed charge. You can also be fined heavily if you have a high percentage of chargebacks. If you have greater than five percent fraud you may need to worry about these additional costs. The threshold will depend on the merchant service you are using. If you are planning to have higher than five percent fraud, this threshold may be one of the questions to ask when looking for a merchant account.

Chapter 27 Money: Real Transactions, Real Risks

277

Credit card companies will commonly do a credit check on you or your company before approving a merchant account. They also will have caps on transaction volumes in dollars per day, week, or month. These caps can be directly related to your personal or company income. I have known company owners who have told me horror stories about having great growth in a market only to have your merchant account held for reviews when the credit card company starts to get nervous about your volumes. For this reason, I suggest having multiple merchant accounts. Use a round robin method of cycling through the accounts with each new payment that comes in. Using a round robin method is helpful for multiple reasons. The first might be obvious: If you have four merchant accounts, the volume will be split across the four accounts. Thus you will have fewer chances of hitting your limits. The other issue is when funds get held by the payment processor. These funds are most commonly held for disputes but sometimes the entire account can be frozen if the credit card company is nervous for any reason. If you do have multiple accounts and one of them gets tied up, it will not kill your business. You will still have other accounts and will still have access to their funds. This is important because if you look in your merchant contracts you will see that they can hold your funds for far longer than you can go without them. (Author’s Note: They can hold your funds for months and you have no way to dispute the delay… or even earn interest on the funds.) I recommend starting with four different accounts from four separate payment processors. Even if you have really great credit and very high limits, I still suggest starting with at least two companies. USING PAYPAL PayPal is very popular in North America. It is also available in many European countries. PayPal accounts are funded in three different ways. The first is that one PayPal account holder can send funds to another. Those funds are held within the account. The accounts can also be credited from bank accounts and or credit cards. Fees for PayPal are 1.9 to 2.9 percent of each transaction, plus a $0.30 fee. If you are accepting funds from all over the world, there can also be a currency conversion fee of up to 1 percent on top of this. Other fees that can appear are credit card chargeback fees of $10. Other disputes that are not credit card funded do not have extra fees. Depending on your volume and your credit score, PayPal may also elect to insure your transactions against your going out of business. In most cases when you reach volumes of more than a quarter million dollars per month you will be subject to this, and PayPal will place a temporary hold that is a percentage of your daily sales.

278

Protecting Games: A Security Handbook for Game Developers and Publishers

In my dealings with PayPal, we have had a “hold” like this placed on one of our high volume accounts. The percentage that they told us they would “hold” was only 1 percent lower than our previous year’s profit percentage. I found this to be a threatening request as they stated that they were doing it to insure the “good health” of our company. I did renegotiate the percentage to something that we felt was much more acceptable. So if you get hit with this by any company, do attempt to negotiate your fees. PayPal originally started this process and a rolling hold on our funds when my credit score dropped (this was occasioned when we launched a new company and we financed part of its launch). PayPal as well as merchant account providers will check your credit every six months or so, and if your score gets too low for the volume of sales you are doing, you may be faced with one of these holds. As an additional note, my credit has returned to where it was prior to the holds, but the holds are still in place. I would hope that they would release these funds but who knows. Now that this is in place they may just keep it for the life of the account. PayPal offers a wide range of features that are good for merchants. They offer small companies easy development of payment buttons for their websites as well as automated communications with their online stores for big companies. They also have fairly good multi-user accounts where you can give access to staff without giving them full control over the account. Many other payment methods have no support for this, which means you to have to give the master login to your staff to process transactions. (Author’s Note: This kind of single login system creates serious risks of insider fraud that is difficult to detect, as there is no individual accountability for actions.) You can also sign up for the PayPal money market account, which tends to pay higher interest than most banks on the daily funds within your account (currently, the account pays up to 6 percent). For most companies there will be no reason not to participate, even if you sweep all of the funds out of your account nightly you will still earn interest. Make your funds work for you. (If you get any funds “held” on a rolling 90-day cycle, do insist that those funds be included. Because you cannot use those funds for anything else, you should demand it; I did and PayPal has included them.) PayPal offers multiple levels of account managers. As you increase in volume your account gets transferred to higher and higher levels. The highest levels will give you direct access to your account manager 24/7. To reach the highest level, you need to be doing an average of over $500,000 per month in a rolling three-month average. Lower-level accounts will be supported only during standard business hours. PayPal, in my opinion, is a very good payment method.

Chapter 27 Money: Real Transactions, Real Risks

279

USING MONEYBOOKERS Moneybookers supports many different bank transfer methods as well as accept credit cards. In Europe, Moneybookers is more popular than PayPal. The European method of bank transfers has a much lower cost than it does for us in the US. As Europeans tend to like to use bank transfers more, Moneybookers is providing a service that is needed and wanted. Moneybookers takes a different approach to fraud. They guarantee no chargebacks or reversals on any payments. There is, of course, a catch to this. If you start accepting too much fraud they will close your account. They use this “no fraud” as a big selling point. You still have to do your due diligence to screen funds coming in. Moneybookers has one item that I feel has a high risk. They do not have multiuser accounts. This requires you to give out your master login and password to any staff that needs to perform functions within the account. Moneybookers is working on allowing multiple logins and permissions levels for the future. But as of writing this, that option is not yet available. PRE-PAID CARDS/GAME CODES Pre-paid cards are becoming more and more popular. By moving to a code redemption system, you can allow others to resell your products and use their existing payment methods and infrastructure. This also allows you to let the merchant take all of the risks on whom they sell to. The complexity of implementing a code redemption system is much less than if you were to implement several payment methods. The down side to this system is that resellers will need to be able to earn their normal retail markup rate. OTHER PAYMENT METHODS Many carriers offer billing to telephones or cell phones as an option. There are several companies out there that can help with this service. This method has two major pitfalls. The first is that it is not uncommon to have carrier charge 50 percent of the transaction amount for their fee (in the US). The second is that the volume your customers can purchase via this method can be $100 or less. This is not a very profitable method unless you have very high margins. Are more payment methods better? The simple answer is yes. I have seen a direct increase in sales with several stores once I added additional payment methods. I would suggest the following methods for tracking what is needed and wanted:

280

Protecting Games: A Security Handbook for Game Developers and Publishers

Know where your customers are coming from. Identify their countries. Take your top countries and focus on their available payment methods first. Credit cards are nearly universal but you can also be leaving a lot of money on the table if you do not include other payment services. I would focus on providing at least one alternative payment method for each country to start. Track your payment gateway abandonment rates. To track abandonment, you will want to monitor when a customer brings a cart of items to checkout and then fails to make a successful purchase. If you track this by country this can be a great tool for knowing where to focus your efforts. An example of this is when I put PayPal into one of our stores and PayPal was the only option. The store did sales primarily to North America and Europe. We had a payment gateway loss for North America of 20 percent, but for Europe it was much closer to 40 percent. This would be an indication that we should look at a more preferred payment method for our European customers. You will never reach a 0 percent abandonment rate. But the closer you are, the better you are doing. Some of the more popular international games are supporting as many as 200 payment methods. If the demand is there, you may as well take advantage of it. For getting started I suggest going with companies that can offer multiple payment types. PayPal and Moneybookers both offer a wide range of options. As you get more sophisticated with your payment acceptance, you can move to work directly with more region-specific methods. You will save on your processing charges but you will also increase complexity.

I NSIDE

THE

P AYMENT P ROCESS : P AY P AL

Let’s talk a little bit about how PayPal works. It works by funding orders through PayPal funds (funds in the actual PayPal account), which are typically given from a bank account, credit card, or having received money from someone else through a transfer. Another method is e-check. This is when money is funded by an attached bank account only. E-checks can bounce. Do not trust them until they have cleared. Once they have cleared, you can still run the chance of a bank reversal, but this doesn’t often happen. Then there are credit cards funded by PayPal accounts. Whether or not they have funds in their account, the credit card allows them to do instant payments. You want the instant payments because the customer wants instant satisfaction. With payments coming from PayPal funds and credit cards (not e-checks), you’ll find that about 80 percent of the orders are good after 24 hours. In the first 24 hours, there is an 80 percent chance that the payment you received is good.

Chapter 27 Money: Real Transactions, Real Risks

281

If you get to 7 or 8 days or more, there is about a 90 percent chance that the payment is good. When you hit 11 days, you’re at a 98 percent chance of that payment being good. At 30 days it’s approximately 99.8 percent. These figures are based on statistics with our payment acceptance and how long before the payment gets held. PayPal will hold payments for several reasons. One is that they watch for funds being shifted around from account to account to account, all by the same person. They will monitor these actions. Within a few minutes of the payment coming in, they will place a temporary hold for investigation. If you are not planning on talking to your customer, you may want to give them a 30-minute delivery expectation. Wait about 25 minutes and then send the product. This investigation will trip internal checks at PayPal within a few minutes of the payment being sent. By delaying the delivery of the first order by 25 minutes, you can reduce your fraud by 0.5 percent or so. This may not sound important, but we did $6,000,000 in sales in one of our stores last year and that short delay saved us $30,000 in potential profit (profit margins are often lean for resellers). I have talked with PayPal many times about why they flag a payment and hold it a minute or two after it’s done. If they are that fast, why can’t they prevent the payment being sent to us in the first place? PayPal can be frustrating to work with. You just have to know how to work with them. They will hold funds for many reasons, even if it’s just general suspicion. I’ve seen this many times. There’s nothing you can do about it other than build it into your costs that they will do this from time to time. I usually refund the order if I haven’t delivered the product. If I have delivered product, I may place a few notes in the order so they know the details I have of the order. This may provide them with the information they need to release the order if it is legit. I always wonder what happens to the funds that PayPal holds. Do they give those funds back to the customer? Do they keep them? I certainly don’t get it. I’ve talked with people some time later and they said their money wasn’t refunded. PayPal states that the funds will always go to the buyer or seller after any hold. They also state that they are audited and are required to account for all funds. It makes me wonder if the buyer is being honest with us in these situations or if they have misunderstandings about how the system works. I’m betting that, most of the time, the customer funded their payment with a credit card and they do not have access to online statement. Thirty days later they will receive their statement and see that a credit was in fact given back to them. Also with PayPal, they will hold in situations when the customer has no funds in their account to send in the first place. When an order is funded by a credit card, the credit card company does a hold on the payment to PayPal. It’s frustrating how this works. PayPal will first send you an email saying they are disputing this on your behalf; please provide information. When they dispute it, they also charge $10.

282

Protecting Games: A Security Handbook for Game Developers and Publishers

This $10 fee is in many cases non-negotiable. Although, I do such a high volume I have negotiated that they not charge us this fee because we have told them we will never dispute a credit card chargeback. So, we do not require this service from them for disputing charges on our behalf. The credit card chargebacks typically do not appear for at least seven days. This process differs in that it requires forms to be filled out and most of them are not electronic. The last one I dealt with was from a furniture company. They called me two weeks after the order and told me that two months prior to my purchase they had gone into bankruptcy. Why wasn’t I told this when I made the purchase? They said I was not getting the funds back. I had to do a chargeback if I wanted my funds returned. I had to sign documents saying that I attest this was true, had to fill out other forms, and copy receipts. It was a lot of work; it took me several days to organize and gather the paperwork and then fax it all in. These holds are not disputable. You cannot fight a credit card chargeback through PayPal. I have never won that battle unless the customer was making a chargeback on something else and they did this one by mistake. I have had them reverse a couple of times in that instance, but it is not worth your time even if it is a thousand dollar chargeback. The odds of you getting one back are very low. You will spend more than a thousand dollars worth of time to get that one chargeback released. Don’t even worry about it. If you have a lot of profit on certain items, then you may want to study where your highest profits are. It can sometimes be more profitable to allow a low amount of fraud, though, as it will make it easier for your honest customers to make purchases. With this information you can get as hard-core with anti-fraud as you want; or just use a few of these items to enhance your current anti-fraud policies.

A NTI -F RAUD Why are anti-fraud measures so important? My experience is that about five percent of first-time customers are using a stolen PayPal account, credit card, or another online payment method (whereby they’re not the legitimate owner of the account). Typically, they have acquired it from phishing. Thus, if you blindly accept payment from just any PayPal or credit card account, you’ll end up with at least five percent fraud. If you sell virtual items that can be (licitly or illicitly) resold, they will make multiple purchases. When they make one successful purchase, they will be back again to make more purchases and, if left unchecked, you’ll go up to about an 18 percent loss rate from their numerous purchases before they get shut down.

Chapter 27 Money: Real Transactions, Real Risks

283

With products that are not re-sellable, such as registration keys or add-ons, you can still occasionally get fraud. Because I have those registrations “call home” (they send a request to our servers to verify they are active in good standing), as soon as the payment is reversed or there is an issue, I block their registration. The next time they try to log in to that application, it will become unregistered again. After that, I use one of two methods. First, I allow them to purchase again at regular price and hope that it doesn’t get reversed. This is an acceptable method. The other method, which I prefer, is to charge a penalty price to re-register the product. If they reverse the payment but come back again and want to re-register the product, I increase the price substantially, typically up to three to five times the original purchase price. The way I identify those who attempt multiple purchases is by having the registrations tied to the actual account names for the games or by another way of identifying which computer or person is making the purchase. I find this to be a good deterrent. If they know that they can only connect to a specific account with the purchase, they typically don’t reverse charges, lowering fraud a bit. I have found this approach has about a 2.5 percent fraud rate. For most products, this would be acceptable. For those who come whining to us that they got their registration key banned, we’ll sell them the banned version for a greater price. Because five percent of first-time customers are attempting a fraudulent payment, the key is to catch them immediately. If you don’t, they start running rampant. I figured this out the hard way. Several years ago I was running an online store. I sold game codes and other items such as currency in some games (it was legal, not the grey-market terms-of-service violation items). This store would do automatic delivery of the codes or currency. I had a system in place that checked if their IP address, PayPal account, or email address had been fraudulent in the past. If it passed those checks, the system would allow the purchase to go through. However, this limited the amount of purchases a person could make. I restricted purchases to five in a 24-hour period. If any fraud appeared, I would lose five purchases. These losses would be pretty limited, or so I thought. In this store there was $18,000.00 worth of stock. One morning I woke up, checked the computer, and saw that I sold out of everything! At first I was really happy. Then I was really scared. I realized that someplace really popular had linked to our site or something had happened and someone had found a way to exploit our systems. In fact, the latter was the case. Someone figured out that only so many purchases per day were allowed. They bought a domain with a stolen credit card and immediately purchased

284

Protecting Games: A Security Handbook for Game Developers and Publishers

email hosting. They then set up email addresses on this hosting account. They would make five purchases with the credit card on a PayPal account then our system would cut them off. Then they create a new email address and make five more purchases. They did this until the store was empty. They managed to do this within a couple of hours. That’s when I decided that I had to do something. I wanted to have an automated solution. The best kinds of sales are the ones that are replicated—those that require no more effort. The reality is that this just doesn’t work for items that have resale value. A human element is required. That human element can come in several different forms. When humans do anti-fraud they can review orders and check on suspicious purchases. They assess orders looking for patterns. You can look at their IP addresses and for large amounts of fraud from certain ISPs. You may have a human review a transaction if it’s a high dollar order or just review all of the transactions right off the bat. Thieves are always looking for a new loophole to get through. So there needs to be someone always watching the transactions. You may want to consider automation for performing searches of email addresses or for searching the names of the people to identify those who are going to steal from you. This may sound really crazy, but it’s my belief that some criminals want to be caught. A prime example is this story: I had an email address that read imatheif @******.com. He placed an order and our staff did not notice the email address. When they approved the order, the order went out just fine and a couple days later I get a hold on the funds for that. Looking it over, I realized this person was telling us they were going to steal from us—they told us so in their email address. We have since started tracking this kind of information. There are many different payments that should be held. If they have the words such as thief, steal, cheat, or hack—these are some examples where you can have your system automatically hold those orders for review. In fact, you may just want to turn them down. I have found that their email addresses actually told us what they were going to do. (Like imathief. What does a thief do? He steals.) Half of these customers did actually reverse charges. I tested that by allowing several such orders through and waiting to see if charges were reversed. Customers can give you their intentions. That’s one of the ways that can be automated. Other ways cannot be automated, like your interactions with customers. Sometimes they tell you things. Like I said, thieves want to be caught. They will give you hints. It’s a game and a thrill to them.

Chapter 27 Money: Real Transactions, Real Risks

285

In fact, when you identify a thief, you can even call to speak with some of them and they will actually tell you what they’ve been doing. They will explain what has been successful and what hasn’t. That may sound crazy but that’s been my experience. Some thieves like to brag about their exploits, about the people they’ve tricked or stolen from. You can learn a lot from that. We’ve seen payments that were going to the XXX game company (I’ll just call them XXX so as not to embarrass them). Although we were not involved in their payment processing on this, I realized that in one of the markets (where I was selling game codes), a lot of game codes were appearing on the market for sale at a discounted price. I knew the game codes were being sold for below cost. I was sure of that because I was probably one of their highest volume resellers of these codes and the prices they were selling them for was just incredible. I decided to figure out what was going on. I contacted some of these sellers who were selling the cheap codes. I bought some of them and, low and behold, they did work. I was halfway expecting that they wouldn’t work; that the codes would have been used or they would just be fake. They, in fact, did work. When I spoke with them and listened to them brag, they told me they were Russian carders. A Russian carder is someone who phishes credit cards or gathers them by some other means. They use those credit cards to make purchases of other items such as game codes. They then resell those game codes. They have, in effect, laundered these stolen funds. They were selling the game codes for 50 cents on the dollar and were making a lot of money. This turned out to be huge for XXX. I am not sure of the total losses, but it took me forever to get XXX’s attention on this. I was adamant about getting XXX to do something about this because it was affecting our sales of their codes (because the market was flooded with these cheap codes). When they finally did something about it, they got the FBI involved. Since the thieves were in Russia, there was really not much that could be done. They got away with it. Nothing ever happened to them. These are the exact kind of organized criminals you need to weed out immediately. If not because of the costs of fraud, then because U.S. Homeland Security will review transactions to make sure terrorists are not laundering money through your company. All of the IP addresses of the carders at that point were coming from Russia so we had flags on all Russian orders. They all had to be reviewed because of the country’s high fraud rate. I’m going to tell you a story about a guy who placed an order with us. Keep in mind that I know where our orders originate.

286

Protecting Games: A Security Handbook for Game Developers and Publishers

The deal on this is that even though we know what city and state they’re from, we ask them anyway when we confirm purchases by phone. We can see this particular customer is from Nashville, TN. He had a non-regional accent that isn’t necessarily a red flag but can be sometimes. I asked him what city and state he was from. His answer: “Nash-villey, Tennasis.” Right then we knew that there was a huge problem and we say, “Thank you, we’re sorry but we’re not going to be able to process your order.” You’ll receive a refund from us shortly and an email.” Somebody who cannot pronounce his or her own city and state is typically not from that area. Other examples: People from the East coast say “Orygon,” people from the West coast say “Oregun.” Then there is “Illinoy” (correct), and other people say “Illinoise.” There are different ways to gauge whether or not someone is from a region by asking them where they’re from. That’s pretty easy if you know how words are pronounced in a local area. Don’t let them use the excuse that they just moved to the area.

I NTEGRATION

FOR

A UTOMATION

The hardest thing about all of these payment methods is the integration into your systems. All of these systems offer integration but this can be very complex. I recently worked on integrating Moneybookers into one of our stores. I would have thought it would take just a couple of weeks to get set up, but it took several months. Each service has different requirements for integration. This is an area where you will want to have a highly skilled technical person doing this work. If you take the easy route and just get it working you will be open to exploits. I recently found this out the hard way—we took substantial losses from a hacker who was able to fake our system into thinking that every item for sale was just one cent. We found that we had left one check in our system unused and they exploited this fact. Taking the time and resources to do this right the first time is worth it. Our losses had we not caught it right away would have been higher than the costs of integration. We were lucky, but luck should not have anything to do with it. We should have done it properly the first time.

Chapter 27 Money: Real Transactions, Real Risks

287

P AYMENT F RAUD

by S. Davis Credit card fraud1 is a massive problem. The FBI estimated that credit cards were responsible for the majority of the $315 billion in U.S. financial fraud losses in 2005 while French credit card losses were $319 million2. In the UK, “card-not-present” fraud was £212.6 million (almost $350 million) in 2006. Although consumers may see these losses hidden as part of their interest rates and fees, the credit card companies and payment processors have successfully passed most of the risks to merchants. The burden is on you to protect your revenues and the health of your business.

R EFERENCES 1. Wikipedia (2008), “Credit Card Fraud,” http://en.wikipedia.org/wiki/Credit_card_fraud 2. J. Conlin (2007), “Credit Card Fraud Keeps Growing on the Net,” http://www.iht.com/articles/2007/05/11/news/mcredit.php

28

More Money: Security, Technical, and Legal Issues

here is always more to say about money. The PCI-DSS (Payment Card Industry Data Security Standard) initiative by the credit card industry has been put in place to reduce fraud at merchants. Unfortunately, PCI-DSS compliance is not the same as “security,” as the Hannaford Brothers grocery chain found when 4.2 million customer credit cards were compromised even though the company’s operations had been certified PCI-DSS compliant1. PCI-DSS compliance is an important issue, however, because most online services are likely to need certification in order to be allowed to accept payments.

T

Fraud is one of those things you really have to keep an eye on. As we were celebrating revenues in Q1, it was being tainted by fraud. We didn’t know what acceptable levels were. And the detection is delayed. Revenue is scalable, but so is fraud. Revenue clouds your ability to identify and fight fraud. You see money coming in and you don’t want to tighten your grip. And fraud leads to fines, incrementally and if you hit a certain level they can hit you with a big one. Increased fraud leads to expulsion from credit card processing. Some companies have been dealt six-digit fines. If you have over a 1 percent chargeback rate, you get hit with a fine. … You lose the revenue of the purchase and an additional [chargeback] fine. Merchants can fight the chargebacks, but it’s difficult and costs a lot of manpower. We learned you have to stop fraud before it happens and identify future chargebacks. You need a firm user policy and education. …We had users selling their time for existing fraudsters to level up characters. And that came back to hit us. … We set spending limits and educated the user base. We created a fraud [team] and joined the Platinum Members List in the Merchants Business Council. Chargebacks have been drastically decreased and controlled. —Min Kim, Director of Operations, Nexon America 288

Chapter 28 More Money: Security, Technical, and Legal Issues

289

Increasingly, online services are portals to a wide range of entertainment services. Player accounts allow players to purchase everything from virtual items to real goods. This makes these accounts targets for fraud by both insiders and hackers. Finally, even though virtual currencies have become a key part of the growth of the online game industry, there are some real risks. In addition to gold farming, the ability to convert some of these synthetic currencies back into official currencies raises the potential for their use for money laundering.

PCI-DSS

AND

S ECURITY

The rise of ecommerce and explosion of corporate IT and networking has created a huge problem for the payments industry. Poor internal security systems and procedures created huge opportunities for fraud. TJX Companies, owners of a number of major retailers including T.J. Maxx and Marshalls, compromised 45 million credit card numbers during a multi-year security breach2. This compromise cost the company well over $100 million in losses. The credit card industry established the PCI-DSS standard and certification3 to help protect credit card data, because these large-scale compromises were costly for the payments industry as well. As seen with the Hannaford Brothers case, PCI-DSS compliance is not the same as being secure. It is a minimum standard and may affect your transaction fees and terms as a merchant. Game companies and other online service providers should thoroughly investigate their options for practices that can directly reduce transaction costs as a matter of good business (such as joining Platinum Members List in the Merchants Business Council). Good system design should make it possible to move beyond PCI-DSS and reduce your practical risks. Online service providers should also investigate insurance and even consider not taking payments directly by working with third parties to further reduce potential threats.

A CCOUNT S ECURITY , V IRTUAL I TEMS ,

AND

R EAL M ONEY

Online game accounts are becoming much more than a way to pay a monthly subscription. Players can purchase downloadable content (DLC) for existing games, purchase additional games, buy virtual items, and will soon, no doubt, be able to purchase physical items. Microsoft’s Xbox Live is a pioneer in turning a game service into an all-encompassing entertainment portal, but Apple’s iTunes and App Store as well as Valve Software’s Steam and Amazon’s growing suite of Amazon

290

Protecting Games: A Security Handbook for Game Developers and Publishers

Web Services, among others, are joining in. In China, Tencent’s Q-coins have grown in popularity to the point where the Chinese government considered them a threat to the nation’s currency4. These accounts are rapidly becoming much more than a subscription payment method. As these capabilities of online game services grow, they will become more “interesting” targets for thieves. There are even greater risks if the virtual currencies that many of these services use can be converted back into “real” money. Convertible currencies raise the risk that game-like incentives and rewards can be construed as gambling. Also, the ability to “cash out” makes the currency a tempting target for internal fraud and outside hackers. Until a weakness in the QuickTime player was patched, Linden Lab’s Second Life was vulnerable to a hack that allowed thieves to transfer virtual currency from one player’s account to another player’s account without their consent5. At NetEase, a company employee identified 30 accounts and sent in faxes of counterfeit identity cards claiming that he had “lost his password” that transferred the accounts to his control. He then proceeded to loot the accounts6. The amount involved was not large by U.S. standards, around 4000 Yuan (around $500), but this is equivalent to several months’ wages in China. These types of services are vulnerable at three key points: the game or other systems that can reward players, payment systems that move between real and virtual currencies, and customer service systems. Customer service applications are a critical security target, because they are the means for handling any sort of problem that customers have. Potentially, they are an easy way to compromise user information, steal accounts, add unauthorized credits or bonuses, or carry out actual transactions for real money.

M ONEY L AUNDERING

AND

I LLEGAL P AYMENTS

Rampant payment fraud is a nightmare for any online business and an increasingly important issue for online games. One alternate payment processor, Flooz, had created a virtual currency for micro-transactions (similar to that used in many games). Unfortunately, Russian organized crime groups used Flooz and stolen credit cards to launder funds7. This resulted in an FBI investigation. [T]he rate of fraudulent purchases spiked from less than one-twentieth of one percent to 19 percent of consumer credit card transactions in June and July 2001. Chase Merchant Services, which processed credit card transactions for the company, then imposed tens of thousands of dollars per month in fines

Chapter 28 More Money: Security, Technical, and Legal Issues

291

for the excessive fraud rate. Chase also attempted to hold $2 million in company credit card deposits to cover the fraudulent transactions. Credit card fraud was already a major concern for online shoppers, and digital currencies were attractive to fraudsters due to its instant delivery and potential anonymity. Eventually, Flooz was shut down. Convertible currencies can pose a risk, if there is enough value that can be transferred. There has been speculation about criminals or terrorists using online games as a way to launder money, but typically the amount of value that can be moved easily in these games is too small to be of interest. This is yet another reason that companies should be careful with their transaction systems. Online poker, skill games, sports wagering, and pari-mutuel wagering do have the potential to be used for money laundering, however, because of the larger amounts of money involved. Criminals are using online wagering services for money laundering with wagers of 100,000 Euros on third-string Romanian soccer matches or even a Czech women’s league game. There are apparently around 15,000 online wagering sites with only 2,000 being legitimate and together they handle around $23.6 billion in wagers a year8. Internet sports wagering also is threatening the integrity of many traditional sports. Several suspicious matches at Wimbledon and elsewhere have led to investigations9. Perhaps unsurprisingly, the ban on Internet gambling in the US has led to criminal innovations. A payment processor in Utah miscoded credit card transactions to allow them to be used for online gambling; see10 and11. In Korea, illegal online gambling has grown with the rise “cyber-money dealers” who handle the conversion between virtual currencies and hard cash12. These types of “covert payment channels” can be used for other criminal applications. Gift cards, because they are not considered “real currency,” have been used by criminals for payments for drug deals and money laundering13. Gift cards are compact, flexible, and do not have to be reported when crossing borders. Crooks don’t need great graphics or immersive worlds to create real problems for individuals, governments, and the online game industry.

M ONEY L AUNDERING : L EGAL I SSUES Law enforcement throughout the world is well aware that money laundering is not limited to money transfers between typical banks or other financial institutions. They know that games, especially online games, have increasingly become the vehicle of choice of many looking for unique ways to transfer money “under the radar.”

292

Protecting Games: A Security Handbook for Game Developers and Publishers

Those that take advantage of a game for the purpose of laundering money are often crafty, and a game operator could unsuspectingly find itself in the crosshairs of an investigation or, worse yet, a prosecution. The unsupervised electronic funds transfers inherent in online gambling, for example, are exploited by criminal interests to launder large amounts of money14. It is an issue that cannot be ignored. First, know what money laundering is; then, know how to address potential issues when you discover them. Money laundering is a process by which a person takes money, potentially illegally gained cash, and then transfers the money, perhaps distributing it among others or back to himself, with the goal of keeping any governmental body from finding out the source of the funds. In this manner, “dirty” (questionable) money goes through a “laundering” process to become “clean” (deceptively lawful) because the new source of the money is not in doubt and the path of where it came from is intentionally untraceable. Any process that moves cash without asking a lot of questions about the money (and does not have governmental reporting obligations) will be a candidate for a money launderer. If a person uses a bank or financial institution to transfer money, the bank or financial institution will have a record of the transaction, and is likely required to report the transfer to the government. In the United States, for example, cash transactions and deposits of more than a certain dollar amount are required to be reported as “significant cash transactions” to the Financial Crimes Enforcement Network (FinCEN), along with any other suspicious financial activity that is identified in “suspicious activity reports.” Other jurisdictions have similar requirements that obligate financial services employees and firms to report suspicious activity to the authorities. When suspicious activity is discovered by authorities through FinCEN, or some other means, most countries have broadly written laws at hand to prosecute those who launder money, as well as those who aid and abet the launderers. In the US, law enforcement principally relies on a law called the “Illegal Money Transmitting Business Act of 1992,”15 which makes it a crime to “conduct, control, manage, supervise, direct, or own all or part of a business, knowing the business is an illegal money transmitting business”16. This law covers the transfer of money by “all means,” which includes the Internet and any other online service such as a game, social network, or virtual world17. The scope of this law gives prosecutors the tool they need to go after each person in even the most creative money laundering scheme. Each state in the US also has the capability to investigate and prosecute crimes within their boundaries. If consideration (such as money) is an element of the game, the game operator will have to be well aware of potential issues relating to money laundering. Money laundering can also occur in some other manner, such as sales made with virtual and actual currency. Issues will occur that the game operator truly has no knowledge of, and that may be a defense. But prosecutors will often have suspicions about what

Chapter 28 More Money: Security, Technical, and Legal Issues

293

the game operator knew and when the game operator knew it based on their investigation. If you have the slightest suspicion that something illegal is occurring, contact law enforcement. You may consider contacting legal counsel first, but do not delay. Assume you will encounter some sort of incident and have practices in place to quickly respond to work with law enforcement. You do not want your business shut down like Flooz.

R EFERENCES 1. R. Mogull (2008), “Picking Apart the Hannaford Breach: What Might Have Happened,” http://securosis.com/2008/03/18/picking-apart-the-hannaford-breach-what-might-have-happened/ 2. J. Vijayan (2007), ”TJX Offers Settlement in Wake of Massive Data Breach,” http://www.networkworld.com/news/2007/092407-tjx-offers-settlement-in-wake.html 3. PCI Security Standards Council (2008), “About the PCI Data Security Standard (PCI DSS),” https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml 4. Wang X. and Wang S. (2006), “Virtual Money Poses a Real Threat,” http://news.xinhuanet.com/english/2006-12/26/content_5531905.htm 5. D. Terdiman (2007), “Report: Hackers Say They Can Steal ‘Second Life’ Currency,” http://news.cnet.com/8301-13772_3-9827500-52.html?tag=tb 6. China View (2006), “More Attention Paid to Virtual Property Protection,” http://news3.xinhuanet.com/english/2006-04/03/content_4377645.htm 7. D. Cotriss (2008), “Where Are They Now: Flooz,” http://www.thestandard.com/news/2008/07/21/where-are-they-now-flooz?page=0%2C0 8. F. Chaptal (2008), “Sports Credibility Caught in Tangled Web of Gambling,” http://www.thestandard.com.hk/news_detail.asp?we_cat=9&art_id=66491&sid=19097230&con_type =1&d_str=20080529&fc=2 9. J. Calvert, B. Flatman, N. Fleming (2008), “Wimbledon Fears Match-Fixing Scandal in Massive Betting Scam,” http://www.timesonline.co.uk/tol/sport/tennis/article4187780.ece 10. KUTV (2007), “Mob 3.0: Covert Channels in Online Gambling in the US and the Expansion of Organized Crime,” http://www.playnoevil.com/serendipity/index.php?/archives/1261-Mob-3.0-CovertChannels-in-Online-Gambling-in-the-US-and-the-Expansion-of-Organized-Crime.html (original article at KUTV no longer available) 11. B. Hansen (2007), “BetonSports—Again?—and BetUs Indicted in Latest DOJ Bust,” http://www.theregister.co.uk/2007/05/12/betonsports_doj_betus_indicted/ 12. M. Ha (2008), “Online Gambling Sites Mushrooming,” http://www.koreatimes.co.kr/www/news/nation/2008/06/117_25599.html 13. D. Birch (2007), “Moral Panic or Genuine Worry?,” http://digitaldebateblogs.typepad.com/digital_money/2007/01/moral_panic_or_.html 14. S. Coates (2006), “Online Casinos ‘Used to Launder Cash’,” http://www.timesonline.co.uk/tol/news/politics/article620834.ece 15. “Illegal Money Transmitting Business Act,” Pub. L. No. 102-760, § 1512(a) (1992), codified at 18 U.S.C. § 1960 16. 18 U.S.C. § 1960(a); also refer to 31 U.S.C. § 5330 17. 18 U.S.C. § 1960(b)(2)

29

Identity, Anonymity, and Privacy

dentity is a severe problem for almost all online services, including games. Games can operate as anonymous services, but usually identity becomes important at some point. The U.S. online game industry seems to be moving towards an environment where identity will tend to be very weak. Although credit and debit cards provide reasonable identity information, prepaid cards (see Chapters 27 and 28) are rapidly becoming the preferred payment method and they are naturally anonymous (to the game company).

I

Other countries have a very different view of online identity. Both China1 and Korea2 are moving towards requiring registration for many online services via some form of national identity number. It is likely that this approach will be adopted in many countries. Korea has gone so far as to create a separate online identity number for its citizens3. The first problem that any identity system faces is how to register users. The “registration problem” does not get nearly the attention it deserves. The biggest challenge is assigning an actual person to some sort of number or token or collecting a biometric signature. Once registration is completed, the operation of an identity service is fairly straightforward. (As almost everyone knows, it is much more difficult to get a driver’s license than to use one to verify your identity and age.) Age verification is a particularly thorny aspect of the identity problem. In the US, the only place where there is a legally acceptable definition for online age verification is to identify younger children under COPPA4. Another area where there has been increased interest in age and identify verification is the development of usage controls to address public policy concerns about game addiction. Whether game addiction is an actual problem or not, game companies need to address public perceptions of the issue. Compromise of user information and identity theft is a problem that has been gaining increasing public awareness over the past several years. In the US, California’s Data Disclosure law has been critical in raising awareness as to how

294

Chapter 29 Identity, Anonymity, and Privacy

295

often and how much personal information is compromised5. Korea has gone one step further with substantial civil penalties being assessed when user data is lost— as much as $100 per person6. There are legal requirements that any online service needs to meet in order to collect and retain user information. However, the US has some of the weakest privacy protections in the world. Most other countries require notably stronger protection for individuals’ information. Online businesses that are considering international markets need to be particularly sensitive to these issues, because acceptable practices in the US are not permitted elsewhere. Identity has an important internal role to play in online services. Identity management systems need to collect and retain sensitive user information. They also need to handle login, account recovery, compromise management, and other issues. Identity is particularly important for game companies that are concerned about player accountability.

T HE S TATE

OF

I DENTITY

AND

A NONYMITY

Identity is probably one of the most important problems of the 21st century. Although businesses and governments have always collected data on individuals, until the explosion of computing power and networking, this sensitive data sat relatively safely in file cabinets spread all over the world. Today, this multitude of identity records can be accessed and linked together to provide more information about ourselves than any of us would really care to share. Online services make it trivial to track user actions in great detail. At the same time, it is almost trivial to steal an identity. Stolen identity information, including name, social security number, and address, can be purchased for as little as $2 per identity, whereas a credit card name and number can be had for 40 cents7. These are for American identities; European identities go for more. There has been no real growth in identity security and the need for digital identity or any serious debate of the issues as a matter of public or business policy. Sadly, there has been depressingly little discussion of the implications of the pervasive access to all of our identity information and the overall lack of security of online identity. For a business, in addition to the growing requirements for data that must be retained to meet legal and regulatory requirements, there are also legal risks from data disclosure. There are other challenges—hate speech and harassment, obscenity, liability and government access, parental controls, and community standards and jurisdictional issues—all of which have an identity component. One strategy may be to move an online service to an offshore jurisdiction, which has a more amenable legal environment to your specific business. This may

296

Protecting Games: A Security Handbook for Game Developers and Publishers

appear to increase operational costs, but could be a powerful tool to reduce the threat of litigation (Note: This will certainly not solve all problems as the online gambling industry has found with the UIGEA. One firm, Party Poker, lost 90 percent of its poker revenues due to this law which applies to companies outside of the US 8.) Anonymity is an interesting issue for online services. On one hand, anything that reduces barriers to entry increases participation by potential customers. On the other hand, anonymity seems to encourage bad behavior. Many people see anonymity as the right to act with impunity. For games, strong identity helps fight cheaters and griefers by making them accountable for their actions and it helps with piracy by making it difficult to use pirated games online. One real challenge for most identity systems is that they are not designed with malicious individuals in mind. Almost all the systems are built on the implicit assumption that the individuals using the system actually want their identity to work properly and be secure. When this assumption is incorrect, as it is when criminals and even minor miscreants in games are involved, the security of the systems often comes crashing down. Digital signatures and public key infrastructures just don’t work if a private key has been compromised or the user is willing to lie during registration or share or steal a key. The best available approaches build on positive identity relationships such as existing relationships with customers, security tokens, some payment systems, or active incentives that reward accurate identity. Game developers and operators need to assume that their identity system is constantly under attack and that some of their users are always trying to defraud their online service. Until recently, Xbox Live players who had been banned could use promotional cards that provided minutes and pre-paid cards to set up new accounts and get back into the system9. Games should explore building highly specific identity systems that take advantage of their unique service offerings. Fan clubs, loyalty programs, incentive programs, and anything else that rewards honest identity is very valuable. The larger and richer the identity system and online service, the more effective it is. This is one of the real advantages of services like Valve Software’s Steam. The more they add to the service, the more costly it is for a player to “defect” and cheat, pirate, or otherwise damage the game ecosystem.

T HE R EGISTRATION P ROBLEM

AND

I DENTITY M ANAGEMENT S YSTEMS

Identity is a profoundly important problem. The biggest problem for identity systems is identity itself: knowing that who you are talking to is who you think it is. If you look at many discussions about identity, they completely ignore this most essential issue. There are three main components of an identity system:

Chapter 29 Identity, Anonymity, and Privacy

297

Registration and Association: Linking the Person to an “Identity”—This consists of both initial registration process and the real-time login or access control system for some sort of identity-based session. Transport: Communicating an Identity (over a Network)—This is usually implemented via cryptography, but the transport service often needs to address identifying the people and the application and platform that they are using to contact each other. Policy: Linking Identity to a Specific Business Problem—Identity is not an end, it is a means to solving some problem. An identity system policy captures information about the individuals and what they are allowed to do based on who they are, their role, or other criteria. An unfortunate habit in the IT security industry is to define policies for systems that may, or may not, reflect the actual business needs of their clients: organizations own policies, not technologists. There are several critical supporting issues that need to be addressed as part of a complete identity system: Compromise Recovery—What do you do when things go wrong? This issue is critical, yet is rarely addressed. What happens if the identity service’s data is compromised (look at the seemingly endless data disclosures in the news if you think this issue isn’t important)? What if the user compromises her identity information? How does the system recover? For game systems, it is also important to address the scenario where a user intentionally compromises her own identity data. I would argue this is the key failing of biometric systems— they have no meaningful recovery mechanism when biometric data is lost either through compromise of the biometric database or subversion of a biometric reader. Initial Registration—How do you enroll a person or system in your identity service? This has been the killer for public key infrastructures (the big security fad of the 1990s) before biometrics (the current security fad that is winding down). Initial registration is often costly. In some sense, the Postal Service and its private competitors are in the best position to handle this function, because they periodically get physical signatures from individuals face-to-face. Acceptability—What is legally good enough? Although there are many cases where there is no need for identity to meet a legal standard, it is an important and sometimes critical feature of many identity systems. It can also be a trap. There are a number of age verification services that provide some age and identity information, but none of them, to date, can accept or transfer liability from the actual service provider (except for COPPA). This is also important when considering the growing identity theft problem.

298

Protecting Games: A Security Handbook for Game Developers and Publishers

What are the de facto identity systems today? Usernames and passwords are used both for association and registration.* Email addresses are used for registration.* Credit card numbers with other identity information such as names and addresses are used for registration and for association when making a payment. Essentially, identity systems can tap existing payment processing and authorization services for a fairly strong sense of identity.* National identity numbers are used in Korea and China for identification. The problem with these systems is that it is possible to generate an “authentic” identity number, because the algorithms that each country uses are known10. In some cases, these numbers encode personal information such as gender, age, and location of birth, making the identity numbers tools for identity theft themselves. In the US, the use, until recently, of social security numbers by a wide range of entities for identification caused similar problems. Because these numbers are used to access a number of online services, compromises of the databases for these sites have resulted in millions of identification numbers being disclosed. Privacy advocates in Korea have raised concerns with requiring the use of any sort of national ID. They are concerned about the rise in cybercrime from easier identity theft and about the loss of privacy11.* The use of online identity numbers. Korea has recently created a separate number, called an i-PIN, for online identity12. It is not correlated with the country’s national identity number. This system doesn’t seem to address a couple of important issues: Because the number can be changed, it would make a lot of sense to support a global “compromise” notification system so that sites and services that use the ID number could cancel it and replace it with the new number. Also, although it is important to tie an identity to a specific individual, there are probably a number of benefits to allowing a person to have multiple ID numbers for improved privacy and speedier compromise recovery.*

All of these systems (the ones marked with an asterisk) are vulnerable to compromise. They are dangerous to enter in a public computer and can also be stolen via keyboard loggers and phishing scams. Except for passwords, these identity systems do not recover easily from compromises. Even issuing a new number does not necessarily or promptly invalidate a compromised identity number.

Chapter 29 Identity, Anonymity, and Privacy

299

Faxed Identity Card or Drivers License—This approach is sometimes used by services for adults and seems to be fairly widely accepted. People are not particularly likely to lose control of their identity cards and there are existing legal sanctions for misusing, altering, or forging official documents. The “fake ID” problem that plagues control of underage alcohol purchases does show the limits of this approach. Also, this system is relatively costly and slow and, technically, as vulnerable to database compromises as identity numbers. Registered Mail/Signature Required Delivery—Postal offices and other delivery services typically provide some mechanism for requiring a signature to accept an item. This form of identification and authentication is fairly effective, if slow and somewhat costly. It can wind up having little marginal cost if there is an actual physical delivery to a customer. It also has an advantage of fairly solid legal status. Security Tokens—There are a number of time-based and challenge/response security tokens used for identification and authentication. They do not address the initial registration problem, but are useful for day-to-day authentication. Blizzard managed to bring the price of an authentication token down to $6.50, which should make it fairly widely acceptable13. Interestingly, Blizzard is the real beneficiary of the token, but it has managed to pass the cost of the device on to its customers. Mobile Phone Messaging—Asian games are increasingly using mobile phonebased authentication. Because mobile phone numbers are personal items, they may have available identity information for registration purposes. Players are presented with a challenge code that they then must send to a specified number (usually via SMS text messaging) to log in to the service. Biometrics—Some organizations have considered biometric authentication for remote access. The problem is that the biometric signature is vulnerable to compromise as regular computers cannot be considered trustworthy devices. Keyboard loggers or other malware could easily capture the biometric information for use by a malicious user. Public Key Credentials—This is another system that looks better on paper than in the field. Unless there is a physically secure device that holds the private key, it is no better than a username and password. Challenge/Response Card—NHN in Korea came up with a fairly clever idea of using a paper card with a set of challenge/response number pairs (that is, Challenge: 435, Response: 813) listed on the card. The challenge value is provided by the server and a response given by the player14. This system has most of the benefits of a security token at a fraction of the cost.

300

Protecting Games: A Security Handbook for Game Developers and Publishers

There are other identity strategies available. The adult social network, Naughty America, provided an online background-checking service for its customers to help find out if potential partners have a criminal record15. Shanda Interactive’s King of the World MMO requires players who wish to play female characters to “prove their biological sex via webcam”16! There are also identity systems such as web cookies and computer fingerprinting. These are better at identifying platforms than their users (this difference is something that U.S. online service providers tend to forget; in the rest of the world, the Internet is usually accessed via a public terminal at an Internet cafe, not a personal PC). Computer fingerprinting systems use various values that can be accessed by software on a computer including: serial numbers for hard drives, MAC addresses for network cards, and license keys to attempt to create a unique identify for each platform. This technique works much better if the subject does not know her computer is being fingerprinted, as the signatures can be changed by a motivated hacker.

THE MORRIS TRAP Robert “Bob” Morris invented and implemented the widely used scheme of using irreversible transforms to protect passwords. The huge advantage of this approach was that the transformed passwords could be stored in the computer’s main memory back in the days when memory, hardware, and software were all expensive. The first part of the Morris Trap is the misuse of the irreversible transform technique. Because people are people, we tend to use highly structured, predictable passwords. A hacker can test these passwords easily if he has a copy of the “hashed” or transformed passwords stored in a computer (which Morris’ technique allowed). If every password is processed with the same irreversible transform function, it becomes very efficient to run a dictionary attack against all of the different user passwords at once. This is not an error on the part of the actual transform technique as defined by Morris, but how it is incorrectly implemented by many, many programmers. To avoid the efficient dictionary attack, each password needs to have a distinct seed. Sometimes, the username is used, but it is better to actually generate a distinct seed value associated with a username. The second, and more serious, part of the Morris Trap is that hardware and storage are no longer expensive. Rather than relying on a mathematical technique that still allows fairly efficient dictionary attacks, it would be better to physically isolate passwords in a separate system that can only be queried at a relatively slow pace. In practice, relatively few attackers do have physical access to the target systems. If passwords are in a separate machine that is hard to attack, passwords are not nearly as weak a security mechanism as they are when the memory of the machine is remotely accessible. Buy a separate computer, give it a painfully simple, secure interface, and physically protect passwords and other sensitive data.

Chapter 29 Identity, Anonymity, and Privacy

301

It is very hard to have true anonymity online. People tend to forget that they are sending out a “return address” every time they do anything online via the Internet. Yes, there are services that can hide online users, but the performance and effectiveness of these services in reality should be questioned. Anonymity is kind of like cheating—everyone wants to be the only one who has/does it. Some online services do not want to support a strong identity management system, often to allow them to reach a larger audience, but still would like some level of accountability. Social networks, blogs, and web forums that authenticate users via username and password or email address are a good example. The standard solution is usually some sort of “web of trust.” The problem with a web of trust in an anonymous environment is that there is no cost or penalty for lying or creating additional identities. The classic way to attack a “web of trust” is to build your own large collusive web of untrustworthy people who “trust” each other. This is most easily implemented by all of them being you. Many individuals create multiple identities at a single online service for perfectly legitimate reasons. Because there is no tie to a real identity or any cost for creating an identity, it is possible to build an arbitrary reputation by generating enough identities and relationships to feed your “hero” identity. These anonymity architectures (like many mathematical systems) seemingly are designed by mathematicians for mathematicians. They exist in a world of equations and protocols, but tend to have real problems when “real life” intervenes. Little details, like implementing the system in hardware or software (much less the involvement of less-than-honorable people) can bring the security of these systems crashing down. Anonymous systems need some sort of cost for creating additional identities and motivating people to be honest about whom they are. The best method is a real financial cost to create an identity, but this often conflicts with the other goals of the online service that was considering anonymity in the first place. Even if a working anonymous system could be put together, would it be desirable? The data to-date on anonymous behavior online is pretty abominable— griefing, cheating, harassment, abuse, spamming, phishing, ID theft, and so on— and it is not like “free speech” is really protected by these systems. There is no “right to anonymity.” If the government (or, more likely, a motivated hacker) wants to find out who you are, they will. They will start tracking down IP addresses, read actual logs of systems, and find you.

302

Protecting Games: A Security Handbook for Game Developers and Publishers

So, at best, we have a veneer of anonymity that encourages bad behavior without protecting those rare instances where anonymity might have some positive social value. Bravo! What people actually can live with (I think) is a system of strong privacy (in the ordinary sense of the word) and strong identity. Thus, I may be free to explore alternative experiences with confidence that, as long as I don’t break the rules, very few folks will need to know who I am. This can be done. Technical systems need to be combined with good business practices and sensible laws and regulations.

A GE V ERIFICATION

with J. Price A variety of online problems could be resolved if a user’s age could be confirmed quickly, reliably, and under a consistent legal framework. Even better, how about a law with a “safe harbor” from liability for those who play by the rules and make a good faith effort to weed out underage or other inappropriate individuals from content they should not be able to access? Unfortunately, we’re not completely there, yet. Progress is being made. Age verification and identity verification are important “gateway services” necessary for a large number of online businesses. Today, unfortunately, there is no way to provide these services in a way that completely addresses liability concerns. The Adult industry uses click-agreements and payment systems as a “best practices/ best effort” solution. On the children’s front, we have COPPA, which does provide an actual means to verify the age/identity of a child (but not of an adult). Several companies offer general age verification services, including IMVU17 and Second Life18. Because both companies allow businesses to operate within their environment, should these virtual businesses trust IMVU or Second Life’s age verification or, for that matter, to what extent should IMVU or Second Life trust their age verification service providers? Not if the business faces any real liability for failing to accurately verify the age of a user. Neither IMVU nor Second Life nor the actual age verification providers offer any sort of insurance or liability protection to a business or individual who trusts the service and uses its result to make a business decision. IMVU ’s service only claims 90 percent accuracy, which is not very comforting in the world of rampant litigation.

Chapter 29 Identity, Anonymity, and Privacy

303

These new age certifications do have the advantage of being inexpensive, but they provide limited value to consumers or businesses. Ironically, one of the “features” of these new systems is really a weakness—their claim that no information is retained. If the “evidence” of identity was maintained, it could, at least, be used as the basis of a fraud investigation and action against any individuals who have misrepresented their identities. Instead, all we will know is that at some time some data was provided that the company assumed was associated with a specific individual. If you are going to target your game to children, follow the law. Know why certain laws apply or why they do not apply. Do not go halfway and kinda-sorta target children and then discover you “accidentally” have data on children. The rewards from following laws and regulations will far outweigh the risks of building your service and taking a chance that the government won’t notice. And, if you are going to hire a third party for this service, make sure you know where the liability falls if the system fails. The age verification provider may have a “safe harbor” clause that covers you, and they might not. One law that is important in this area is the “Children’s Online Privacy Protection Act,” frequently referred to as COPPA (often confused with “COPA,” the “Child Online Protection Act,” which has been successfully challenged in court). COPPA applies to the online collection of personal information from children under 13. The Federal Trade Commission (FTC) implements the law through a variety of regulations and suggested “best practices.” The FTC also sends out warnings to industry when it cracks down on those that violate the law. COPPA provides a “safe harbor” from liability for those who follow its guidelines. Industry groups or even individual businesses can create self-regulatory programs to govern compliance with COPPA. These guidelines must meet a checklist of legal requirements and then be submitted to the FTC for approval. Before approval, the FTC will make the guidelines public and ask for comments on whether the guidelines should be approved. If the FTC approves your guidelines, then you will generally have a “safe harbor” from any enforcement action for violations of COPPA. Although the “safe harbor” is tempting, it might not be the solution if your service targets children under 13 and collects information about the children. In most cases, those service providers avoid COPPA violations by adhering to strict rules. First, know whether your service is covered by COPPA. To determine whether a website is directed to children, the FTC considers several factors including, subject matter, visual or audio content, the age of models on the site, language, whether advertising on the website is directed to children, information regarding the age of the actual or intended audience, and whether a site uses animated characters or other child-oriented features.

304

Protecting Games: A Security Handbook for Game Developers and Publishers

Next, you need a carefully crafted and prominently placed privacy policy. Do more than post a compliant privacy policy—adhere to it. Also, note that the FTC’s regulations also require, among other things, that you obtain verifiable consent from the child’s parent before collecting data. Although COPPA does address legal liability for online identity for children under 13, solving online identity for everyone is a key problem for the future of advanced online services. The solution to this problem is important. Companies will need to be able to get a legal safe harbor for certifying identity and individuals will need to be held liable for identity fraud or theft. Unfortunately, it will require more than a technical solution. Someone is going to have to engage government to establish a legal safe harbor for online identity.

U SAGE C ONTROLS

AND

G AME A DDICTION

There is a wide perception that people can become addicted to computer games in the US19, in Europe, and in Asia. Whether this is true or not is beyond the scope of this book. What is relevant is that the perception that games are addicting is creating a public policy problem for the computer game industry. As of late 2008, there has been little public response of any kind to this issue from industry associations or individual companies. Asia, China20, Korea21, and Vietnam22 have all taken similar steps to restrict game usage. These controls are different than ordinary parental controls (see Chapter 30) in that they are not adjustable by an adult. In general, the response from the industry has not been very supportive, but most companies do not seem to be actively fighting regulation. No business lives in a vacuum and the failure of the games industry to respond to social concerns about game addiction reflects poorly on the industry and its maturity. It is also good business for an industry to lead public policy for issues that affect the industry’s livelihood. On the other hand, there is a real concern for governments seeking to control game companies and address game addiction: The global nature of the Internet makes it easy to move offshore and successfully avoid undesired regulations. This could give domestic companies a disadvantage compared to their less regulated, offshore counterparts. To understand usage controls, it is instructive to look at what the actual restrictions are. China has established limits on game usage that are far from onerous:

Chapter 29 Identity, Anonymity, and Privacy

305

Limits play of minors (only). Play up to three hours per day is not restricted. Play from three to five hours is penalized at 50 percent of normal in-game benefits. Play over five hours has no in-game benefit. Players must provide valid identities to play. These are not difficult restrictions. In the US, where games are largely based on monthly subscriptions, it would have no negative impact on revenues (and there may even be an upside with some players purchasing additional accounts). In Asia, where subscription games are typically metered hourly, the impact would be really only on extreme players. In both areas, “professional” players, like gold farmers, would feel the impact the most because these users are playing full-time (eight hours a day or more). Many of the “industry concerns” are based on the notion that the system can be circumvented. Of course it can, but it does not matter. The company is providing due diligence to protect minors with usage controls. The individual player would have to take positive action to subvert the security system. The game company has done its part, and it is up to the individual to also obey the law. For games with a U.S.-style subscription system, this scenario is probably “money in the bank.” After all, gold farmers and other heavy players would wind up buying multiple accounts—meaning more subscriptions—so a game company can probably match revenues to usage better for extreme players. The game industry worldwide probably should move to usage controls for players of all ages. The system would be closer to metering and would largely answer public policy concerns about game addiction and excess game playing. Finally, the real gem in this program is the requirement for the use of real identities. Although this may place an additional burden on companies in the short term to adequately protect privacy, strong online identity is necessary to the growth and vitality of the industry as a whole. In China, gold farmers increased the prices of their virtual items in anticipation of the implementation of the “anti-fatigue” usage controls. Whether this was due to projected loss of business due to fewer hours of play or because the gold farmers were concerned about an increase in the cost of their operations is unclear23. Griefing, fraud, unauthorized gold farming, and so on should become much, much more manageable with a strong identity system in place. This should lower the cost of operations for everyone.

306

Protecting Games: A Security Handbook for Game Developers and Publishers

The game industry would benefit from leading on issues such as usage limitations instead of simply reacting and focusing on the (alleged) short-term financial aspects of these legitimate social issues. The endless battles over age restrictions and success of anti-gaming activists in the US like Jack Thompson (and he has been a success in putting the entire U.S. video game industry on the defense in the matter of labeling and restricting game sales) should show the costs and risks of letting government and society get “ahead” of the industry on policy matters.

A CCOUNT C OMPROMISE , I DENTITY T HEFT ,

AND

P RIVACY

Millions and millions of personal records have been compromised due to negligence and malice. I’ve received at least two notifications that my personal data has been compromised: One time from a large defense contractor I hadn’t worked for in years (why was my information even in a “live” database?) and the other I just received from some firm that apparently has my information because of some stocks that I own. They all reassure me that there is “no evidence that your personal information has been misused.” What kind of “evidence” are they actually looking for? Welcome to the world of data disclosure, account compromise, and identity theft. Goodbye privacy. If you want to understand why there is so little concern about protecting your data, in the US, the standard fine for data disclosure is pretty low. The SEC recently fined a brokerage firm $275,000 for compromising the data of at least 10,000 customers24 and leaving the data unprotected for over a year. Approximate fine per person: $2.75 or less. Conversely, in Korea, NCsoft was fined 500,000 Won (around $500) per person for leaving a log file with 8,500 user IDs and passwords unprotected for just five days25. These cases raise some interesting questions: If the company can show that it keeps data protected so that a single incident does not lead to any meaningful compromise, can it avoid liability? This is certainly possible from an engineering perspective (via encryption, split data storage, and other techniques). Also, if the company has a strong logging system in place, it may be able to determine the scope of an incident in sufficient detail to reduce costs and better inform customers of whether they are actually at risk of identity theft (determine if the data has actually been accessed as opposed to just exposed and if the data has been accessed, by whom.).

Chapter 29 Identity, Anonymity, and Privacy

307

Should this be a payment to the consumer or a fine? If the compromise was of a username and password and no other information, the password compromise should be considered insignificant, if the company acted promptly and reimbursed users for any lost data during the period of the compromise. In this case, a fine is reasonable to encourage companies to avoid these compromises. The simple loss of a password for an extended period of time could arguably result in a fine and a payment to affected players for “losses.” Consumers need to be responsible and encouraged to use passwords in such a manner that the compromise of one does not affect their other accounts (thus, a company fine). Losses at the site are one matter, but the compromise of personally sensitive information is different. Credit card numbers, ID numbers, and so on, are sensitive, and have a long term value, can be used for other crimes, and are expensive and time-consuming to recover (once you figure out that identity theft has occurred, which is difficult in and of itself). Standards for prompt disclosure combined with an established schedule of fines and payments would encourage companies to take appropriate actions promptly and exercise better care with this information. Conversely, consumers should not be rewarded for irresponsible behavior on their part. Game companies have compromised data: A Japanese MMO compromised the full account information (excluding payment information) for nearly 300,000 customers because the data was accidentally placed on a download server26 and hackers gained access to Second Life’s entire user database, including usernames, real names, and encrypted passwords and encrypted payment information27. There are also cases of real malicious insiders. A database administrator at a consumer reporting agency in Florida stole 8.4 million data records and sold them for $580,00028. The list of incidents goes on and on. In 2007, Microsoft has had several problems with customer service representatives for Xbox Live succumbing to social engineering to provide passwords for other users accounts29, 30. What is frustrating about the Xbox case is that the customer service representatives should have been able to use the player’s Xbox console ID, which, presumably, is known to Microsoft but not to other players, to help confirm a player’s identity. Also, Microsoft should have had procedures in place to restore the integrity of the players’ accounts in cases where the accounts are compromised (all security systems need to be designed to recover from failures).

308

Protecting Games: A Security Handbook for Game Developers and Publishers

The costs for game companies can be serious. In 2006, K2 Networks estimated that they lost $1 million in one year due to hacking, account compromises, phishing, and identity theft31. The loss was not of direct revenues, but from lost “customers: “It’s not lost money generated daily, but lost customers that wouldn’t come back.” —David Lee, K2 Network Senior Director of Infrastructure and Engineering If these were lost customers, it is likely that the total losses would actually be a good bit larger. After all, online gamers tend to stay with the games they enjoy for a number of years. The game industry’s experience with personal data disclosures is consistent with other businesses. The typical cost to a company for a lost record was $197 for each customer record that was compromised in 2007—up from $182 in 200632. Game companies are high value targets. Identity thieves stole 230,000 identities from a number of online sites in Korea and many of them were used to create dummy accounts for gold farming in NCsoft’s Lineage games33. These costs clearly indicate that it is worth investing in improving information security technology and practices for any business that holds customer data. This investment should include protections against external hackers, errors, and internal crooks. Phishing attacks are a particular problem for online games. Forged emails that direct players to sites that download malware or solicit usernames and passwords are an ongoing problem for the industry. Virtually everyone has been hit, from World of Warcraft, Xbox Live, Steam, EverQuest II, EVE Online, Tibia, and probably everybody in between. Tools like Blizzard’s Authenticator security token and NHN’s challenge/response cards as well as the phone-based authentication systems being used in Asia are probably the best approaches to fighting these attacks (see the section “The Registration Problem and Identity Management Systems,” earlier in this chapter). Customer education and training can help, but social engineering attacks have a long, consistent history of success34.

L EGAL R EQUIREMENTS

FOR

P RIVACY P ROTECTION

by J. Price Privacy is a growing concern. Consider what type of data you actually need to retain. You do not have an obligation to secure any data that you do not keep. This is not a minor point. Keeping data—no matter how securely—means that the data

Chapter 29 Identity, Anonymity, and Privacy

309

is susceptible to being stolen or misused in any number of ways. If you require personally identifiable information from someone to play a game—such as a name, address, credit card number—you have security obligations, and must respond in specific ways if a data breach occurs. Issues arise with non-personally identifiable information, but the obligations are less serious. LEGAL REQUIREMENTS

IN THE

US

Most privacy protection issues occur in the context of online services, although the collection of personal information about people is not limited to online service providers, and the laws relating to protecting that information and appropriately reacting to data breaches are applicable to anyone who holds personal data. Data breaches can lead to state and federal enforcement actions and result in serious fines. In 2006, the U.S. Federal Trade Commission (FTC) settled charges with ChoicePoint, Inc. in connection with a breach involving the personal information of 163,000 persons. ChoicePoint was required to pay $10 million in civil penalties —the largest civil penalty in FTC history at the time—and to provide $5 million for consumer redress35. These potential fines are in addition to other laws that require you to notify all individuals whose records were lost if you suffer a data breach. As of August 2007, approximately 39 states have enacted legislation requiring notification of their citizens in cases of misappropriation of their personal information36. California is in the forefront with its tough requirements that require such notification5. Most states have followed California’s lead. Federal law will not likely be far off, but (as of the writing of this book) no law has yet been passed, although many drafts have been circulated. LEGAL REQUIREMENTS

FOR THE

EU

In the US, privacy controls include a mix of legislation, regulation, and self-regulation. The European Union, however, relies on comprehensive legislation that, for example, requires creation of government data protection agencies, registration of databases with those agencies, and in some instances prior approval before personal data processing may begin. The two fundamentally different approaches to regulating privacy can cause issues for companies engaging in trans-Atlantic transactions. To bridge these different privacy approaches and provide a streamlined means for U.S. entities to comply with the EU requirements, the U.S. Department of Commerce, in consultation with the European Commission, developed a “safe harbor” framework. The safe harbor is a voluntary means for U.S. companies to avoid facing prosecution by European authorities under European privacy laws.

310

Protecting Games: A Security Handbook for Game Developers and Publishers

Certifying to the safe harbor assures consumers that EU organizations certify that your company provides “adequate” privacy protection, as defined by the European Commission. Organizations that decide to participate in the safe harbor must comply with the safe harbor’s requirements and publicly declare that they do so. To be assured of safe harbor benefits, an organization must self-certify annually to the U.S. Department of Commerce, in writing, that it agrees to adhere to the safe harbor’s requirements. These requirements include elements such as notice, choice, access, security, data integrity, and enforcement. The game operator must also state in its published privacy policy statement that it adheres to the safe harbor. Further details can be found at the U.S. Department of Commerce Safe Harbor website37.

R EFERENCES 1. F. Dai (2005), “China: Real Name Registration for Instant Messenger,” http://www.globalvoicesonline.org/2005/07/21/china-real-name-registration-for-instant-messenger/ 2. Kim Y. (2007), “KOREA: Busy Websites Need Real Name Registration,” http://www.asiamedia.ucla.edu/article-eastasia.asp?parentid=60686 3. Korea.Net (2005), “Foolproof ID to be Adopted for Online Registration,” http://korea.net/news/news/NewsView.asp?serial_no=20051031013&part=109&SearchDay=&source= 4. Federal Trade Commission (1998), “Children’s Online Privacy Protection Act of 1998,” http://www.ftc.gov/ogc/coppa1.htm 5. California (2002), “SB 1386,” http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html 6. Kim T. (2006), “Internet Operators Face Suit Over Privacy Infringements,” http://search.hankooki.com/times/times_view.php?term=online+game++&path=hankooki3/times/lpage/ nation/200605/kt2006052516592810510.htm&media=kt 7. J. Robertson (2008), “ID Thieves Drive Down Prices for Stolen Data,” http://www.usatoday.com/tech/news/computersecurity/infotheft/2008-04-08-internet-securitymarket_N.htm?csp=34 8. S. Bowers (2006), “Players Walk Away as US Law Wipes Out 90% of PartyGaming’s Poker Revenue,” http://www.guardian.co.uk/business/2006/oct/17/usnews.gambling 9. S. Davis (2006), “Payment Card Spoofing: Subverting Identity & Cheating,” http://playnoevil.com/serendipity/index.php?/archives/791-Payment-Card-Spoofing-Subverting-IdentityCheating.html 10. Xinhua (2006), “Fake Identities Open Up Games, Blogs, Websites,” http://www.chinadaily.com.cn/china/2006-12/27/content_769097.htm 11. Kim T. (2006), “Teenage Porn Case Fuels Online Identification Debate,” http://search.hankooki.com/times/times_view.php?term=porn++&path=hankooki3/times/lpage/tech/20 0610/kt2006101619305711780.htm&media=kt 12. S. Burns (2006), “Korea Guards Against Online ID Theft,” http://www.pcauthority.com.au/News/61055,korea-guards-against-online-id-theft.aspx

Chapter 29 Identity, Anonymity, and Privacy

311

13. Blizzard (2008), “Blizzard Authenticator (United States Only),” http://www.blizzard.com/store/details.xml?id=1100000182 14. Wohn D. (2006), “NHN, NCsoft and Identity Security in Korea,” http://playnoevil.com/serendipity/index.php?/archives/872-NHN-NCsoft-and-identity-security-inKorea.html (original article at JoongAng Daily no longer available) 15. J. Wyss (2006), “Sentry to Play Cop, Chaperon Online,” http://playnoevil.com/serendipity/index.php?/archives/282-Mom,-Hes-Not-A-Convicted-Felon-TheNew-Standard-For-Online-Dating-Games-in-Naughty-America-The-Game.html (original article at Miami Herald no longer available) 16. R. Hsu (2007), “Shanda’s Aurora Bans Transsexuals,” http://www.pacificepoch.com/newsstories/106627_0_5_0_M/ 17. IMVU (2007), “Age Verification FAQ,” http://imvu.com/catalog/web_info.php?section=Info&topic=age_verification_faq 18. Virtual World News (2007), “Second Life Adds Identity Verification,” http://www.virtualworldsnews.com/2007/08/second-life-add.html 19. J. Wagner (2008), “Addiction to Video Games a Growing Concern,” http://health.usnews.com/articles/health/2008/05/07/addiction-to-video-games-a-growing-concern.html 20. S. Davis (2007), “China: Anti-Fatigue System Regulation Translated,” http://www.playnoevil.com/serendipity/index.php?/archives/1510-China-Anti-Fatigue-SystemRegulation-Translated.html 21. Kim T. (2006), “Bill to Limit Time for Online Games,” http://search.hankooki.com/times/times_view.php?term=online+game++&path=hankooki3/times/lpage/ tech/200605/kt2006051918332111780.htm&media=kt 22. B. Hayton (2007), “Vietnam Restricts Online Gaming,” http://news.bbc.co.uk/2/hi/asia-pacific/6225505.stm 23. H. Lee (2007), “Fatigue System Pushes Up Virtual Item Prices,” http://www.pacificepoch.com/newsstories/95096_0_5_0_M/ 24. G. Risling (2008), “Brokerage Firm to Pay Fine for Security Breach,” http://www.forbes.com/feeds/ap/2008/09/11/ap5414745.html 25. Chosun Ilbo (2006), “Landmark Ruling Against ‘Lineage’ Maker Over Data Leak,” http://english.chosun.com/w21data/html/news/200604/200604280026.html 26. W. Wyman (2006), “Japanese MMOG Suffers Privacy Leak,” http://www.gamespot.com/news/6153299.html 27. V. Cole (2006), “Second Life’s User Database Breached,” http://www.joystiq.com/2006/09/09/second-lifes-user-database-breached/ 28. D. Goodin (2007), “IT Pro Admits Stealing 8.4M Consumer Records,” http://www.channelregister.co.uk/2007/12/04/admin_steals_consumer_records/ 29. J. Evers (2007) “Microsoft Probes Possible Xbox Live Fraud,” http://news.cnet.com/Microsoft-probes-possible-Xbox-Live-fraud/2100-7349_3-6169060.html 30. R. Lemos (2007), “Account Pretexters Plague Xbox Live,” http://www.securityfocus.com/news/11452 31. L. Sullivan (2006), “Thieves Targeting MMOGs Prompt Tighter Security,” http://www.techweb.com/wire/security/192700321 32. R. Blitstein (2007) “Cost of Compromise: a Customer Record Costs a Company $197 each in 2007,” http://www.playnoevil.com/serendipity/index.php?/archives/1776-Cost-of-Compromise-a-CustomerRecord-costs-a-company-197-each-in-2007.html (original article at San Jose Mercury News no longer available)

312

Protecting Games: A Security Handbook for Game Developers and Publishers

33. S. Burns (2006), “Identity Theft Victims to Sue NCsoft,” http://www.vnunet.com/vnunet/news/2151224/identity-theft-victims-sue 34. J. Timmer (2008), “Fake Popup Study Sadly Confirms Most Users Are Idiots,” http://arstechnica.com/news.ars/post/20080923-study-confirms-users-are-idiots.html 35. Federal Trade Commission (2006), “ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress,” http://www.ftc.gov/opa/2006/01/choicepoint.shtm 36. Consumers Union (2007), “Notice of Security Breach State Laws,” http://www.consumersunion.org/campaigns/Breach_laws_May05.pdf 37. Export.gov (2008), “Welcome to the Safe Harbor,” http://www.export.gov/safeHarbor/

30

Protecting Kids from Pedophiles, Stalkers, Cyberbullies, and Marketeers

nline games and virtual worlds whose primary customers are children are probably the fastest growing portion of the online game industry. It is gratifying that many of these services take the issue of protecting children seriously. Protecting children online is an increasing concern to mainstream media—it has even been the lead letter to “Dear Abby”1. Parents and public officials worry about pedophiles and stalkers harassing their children. The available data actually indicates that cyberbullying and harassment by other children is a much more significant problem.

O

For example, the media often cites a claim that one in seven children has been contacted by a sexual predator. The more accurate number is that 1 in 25 children received an online sexual solicitation from someone (not necessarily a predator) that includes an attempt to meet in real life. Interestingly, most adults flatter youth, they don’t lie, and they don’t misrepresent their age or interest in sex. The young people involved are not pre-teens, but typically 13-15 years of age and the (potential) crime is statutory rape, not forcible rape2. The details of this issue are important enough to quote at length; see the following quotation. 1) These solicitations did not necessarily come from “online predators.” They were all unwanted online requests to youth to talk about sex, answer personal questions about sex, or do something sexual. But many could have been from other youth. In most cases, youth did not actually know the ages of solicitors. When they believed they knew, they said about half were other youth. 2) These solicitations were not necessarily devious or intended to lure. Most were limited to brief online comments or questions in chat rooms or instant messages. Many were simply rude, vulgar comments like, “What’s your bra size?”. 3) Most recipients did not view the solicitations as serious or threatening. Twothirds were not frightened or upset by what happened.

313

314

Protecting Games: A Security Handbook for Game Developers and Publishers

4) Almost all youth handled unwanted solicitations easily and effectively. Most reacted by blocking or ignoring solicitors, leaving sites, or telling solicitors to stop. 5) Extremely few youth (only two) were actually sexually victimized by someone they met online. This number was too small to be the basis of a reliable estimate of how many youth in the population get sexually victimized from online meetings. …. 1 in 25 youth (about four percent) got “aggressive” sexual solicitations that included attempts to contact the youth offline. These are the episodes most likely to result in actual victimizations. (About one-quarter of these aggressive solicitations came from people the youth knew in person, mostly other youth.) 1 in 25 youth (about four percent) were solicited to take sexual pictures of themselves. In many jurisdictions, these constitute criminal requests to produce child pornography. * 1 in 25 youth (about four percent) said they were upset or distressed as a result of an online solicitation. Whether or not the solicitors were online predators, these are the youth most immediately harmed by the solicitations themselves. —Crimes Against Children Research Center (December 2007) Some more recent data has shown that online harassment (cyberbullying) has risen to nine percent of children who go online, substantially less than the 17 percent who are bullied in real life3. The Internet, in general, and online games, in particular, are easy targets for child protection advocates. Symantec recently completed a study of online behavior. Some of the most interesting data shows how ignorant parents are of what their children are doing online. In many cases, the parents underestimate the length of time their children are online by a factor of 10 and only a third of parents take advantage of available parental controls4. Good parental controls could be a real business opportunity, not a burden for game companies. Incidents such as the case of an 11-year old New Zealand boy who used his mother’s credit card to spend $1500 on virtual items in There.com5 are not the sort of attention the industry needs. Parental controls can even become powerful marketing tools: T-Mobile, AT&T, and Verizon have all announced initiatives to give children an “allowance” for mobile phone minutes and SMS messages6. The game industry has taken some steps to address these issues. Microsoft launched its Family-Safe Gaming Initiative7 and NCsoft has a similar PlaySmart

Chapter 30 Protecting Kids from Pedophiles, Stalkers, Cyberbullies, and Marketeers

315

Initiative8. What the game industry really needs is to launch and sustain an industrywide campaign to educate parents about appropriate and safe gaming, as well as provide parents with useful tools. Monitoring inter-player communications and game play is particularly important for children’s games, but is also a sensitive topic in games for general audiences and for adults. Game operators need to balance providing a safe, functional game environment with addressing privacy and legal concerns. One of the most misunderstood subjects for children’s games is The Children’s Online Privacy Protection Act (COPPA)9. COPPA has been misinterpreted and caused many game creators to steer away from creating online games and virtual worlds that allow children to play. In fact, COPPA can provide a legal safe harbor for those online services that comply with its requirements. Increasingly, there are third-party companies that offer services to help game providers protect children. With the exception of certain providers certified under COPPA, these third-party firms can only provide a “best effort” or “best practices” service and cannot really help a game company reduce its liability if problems occur. The ultimate goal for the game industry would be for online games and other online services to effectively protect children globally through a standard and accepted combination of procedural and technical measures. Today, it is a daunting challenge to determine adequate, let alone best, practices.

D EALING

WITH

C YBERBULLIES , P EDOPHILES ,

AND

S TALKERS

As noted previously, public perception is that the online pedophiles and stalkers are a much worse problem than is actually the case. The fact that it is newsworthy when such incidents occur is a tribute to their relative rarity. Cyberbullying, on the other hand, is relatively widespread—25 percent of girls and 11 percent of boys in middle school reported being harassed electronically at least once in the previous two months, according to a 2005 study of cyberbullying by Clemson University researchers10: Psychological studies show that people will do more, go further, than they would normally, if their identity is obscured. Online, it is easy to remain anonymous, and the normal frustrations of daily life can lead to what psychologists call disinhibition. Cyberbullies, pedophiles (or child molesters), and stalkers all take advantage of the relative anonymity of the Internet to pursue their goals. [see the following for additional details on the topic: 11, 12, 13, 14].

316

Protecting Games: A Security Handbook for Game Developers and Publishers

Although there are some technical tools that an online service can use to automatically filter online communications looking for behavior associated with bullying, grooming, or stalking, the key is human oversight, preferably by the children’s parents. Although such technologies may be helpful, it is unlikely that they will transfer liability from the online service. The Clemson research recommended the following guidelines for parents: Teach your kids that, although your identity can be hidden when you’re online, you still should treat people with respect. Make sure your children have no online secrets from you, and that they never share private information over the web or meet with someone they only know from an IM session. Put their computers in a space, such as a den, where you can see what they’re doing. You should know the passwords for all their accounts and check on what they are posting. —Dr. Robin Kowalski, Clemson University Technically, online games should provide tools to make it easy to report griefing or other suspicious behavior and support extensive logging both for the company and for parents (see the next section for more information). Again, this is an area where the industry has an opportunity to provide leadership through advocacy and by public awareness and education.

K IDS ’ C OMMUNICATIONS , P ARENTAL C ONTROLS ,

AND

M ONITORING

The security issues related to protecting children’s communications are, essentially, the same issues that exist for adults—with substantially increased visibility and sensitivity to failures. For adults, the problem is nuisance griefing (see Chapter 21); for children issues of cyberbullying, stalkers, and pedophiles raise the stakes much higher. There are several strategies companies commonly use to secure “kidfriendly” online services: Menu-Driven Communications—Menu-driven systems allow only certain words and phrases to be constructed based on user selection from a list. The advantage of this system is that it essentially requires no monitoring, as the participants are incapable of expressing any inappropriate phrases. This is often the default communication service supported by many kids’ game sites. These systems are not perfect. Children and adults have created “covert channel” communications systems on these services, or even used decorations in any

Chapter 30 Protecting Kids from Pedophiles, Stalkers, Cyberbullies, and Marketeers

317

personal, customizable space in the game (or even clothing, I’d guess), to exchange data and allow expanded chat (see the “Friend Codes” bullet)15. Whitelist Chat—These services allow players to use only specific, preapproved words for communication. Site moderators have to continually monitor game slang to identify new euphemisms for inappropriate topics such as cybersex. There are also issues where motivated players can use legal phrases to signal inappropriate information. Blacklist Chat—This type of chat service blocks words and phrases that are inappropriate. It needs to be constantly updated as new “problem words” are identified. In practice, this should not be difficult. A real-time monitoring team can be alerted whenever a new word arrives and it can be added to either a whitelist or blacklist. In practice, relatively few words are used, even with misspellings, so this is not a challenge for an automated filter. Club Penguin has 100 moderators who add 500 to 1,000 words per day to the site’s filters16. Personal Blacklist—Sites can be concerned about personal information, such as addresses, phone numbers, and email addresses, when children attempt to share the personal info. This information may not be sensitive to everyone, but when associated with a specific child, it indicates a potential problem—often innocent, sometimes not. Silent Filter—Club Penguin created this innovation for their Standard Safe Chat system. Many sites will filter a specific word or phrase only if it is deemed inappropriate. Some sites will also notify users that they have said something wrong. Club Penguin’s system fails silently: The sender does not know that the system rejected her message. The goal of the system is to not give the offender any positive feedback—either from the recipient or from the security system— so that she does not have information to “tune” her abuse strategy17. Friend Codes—These sequences of letters and/or numbers need to be exchanged outside of a game or online service before communications can occur. They are most closely associated with Nintendo’s DS and Wii consoles. Many users criticize them, but most children’s online games use the technique. Because this technique forces a communication outside the game, the participants need to have some sort of independent, hopefully pre-existing, relationship of trust. Monitoring—Many children’s games use manual monitoring by company staff to look for troublesome behaviors of all sorts. These people act as supplements to the automated filters and can intervene in various ways when they identify a suspicious communication. The content of the communication does not need to trigger intervention, only the fact that it is a new or an anomalous pattern of behavior. Strictly speaking, monitoring does not always need to occur in real-time; it can be slightly delayed or even used for simple review of logs.

318

Protecting Games: A Security Handbook for Game Developers and Publishers

These strategies can be used either in isolation or together. Many children’s sites have different tiers of service with menu-driven communications available to all and more flexible chat options for paying customers or individuals who have provided detailed information about their identity. As with other online services that have relied on text-based communications, the rise of audio and video communications can pose a real challenge for protecting children. Filters, word lists, and the other strategies that have been effective so far for protecting children online are not really viable for video or audio communication services. In addition to protecting communications, some games implement additional parental controls, but typically, these are quite remedial. Games like World of Warcraft, Lineage, and the Xbox Live service all have basic time limits, schedules, and payment status tools. There are a number of additional capabilities that could be useful for children’s online services and would make the services even more appealing to parents: Time Limits—An overall time allowance for hours of play per day or per week. Schedules—Hours during which online activities are permitted or prohibited. “Grounding”—The ability to prohibit a child from playing because of misbehavior. Special Reward—The ability to temporarily add hours, open up a schedule, or otherwise alter the game usage for the child. This could even be implemented by a separate interface to a cell phone, allowing the parent to be “untethered” from the playing child. Payment Status—Current funds in the players account. Allowance—A rate at which the child can spend money in the game account. This is particularly applicable for free-to-play games or multi-game services. Message and Activity Log Review—John Smedley, CEO of Sony Online Entertainment, noted that it would be helpful for parents to be able to review the full logs of their children’s messages activities in an online game18. Actually, there is no reason that parents should not be able to review the activities of their child online beyond just messaging, perhaps even a full game or online session replay feature. Approved Friends List—Parents could have the ability to approve friends or move them into different categories. This could be beyond the basic “communication type” limitations that many services support today.

Chapter 30 Protecting Kids from Pedophiles, Stalkers, Cyberbullies, and Marketeers

319

Event Notification—Alert parents of notable events in the game. These do not even need to be relevant to child safety (although it is probably unwise to abuse them too much for marketing purposes). This would be another opportunity to directly contact parents via SMS messages to cell phones or email and create a strong, direct relationship with the parents. Ratings System Support—Online games are going to need to develop their own ratings system or become more involved in the traditional games rating process. The more information parents have, the more comfortable they will feel with these online services. Rich Family Structure—It would be very beneficial to support multiple children and parents/guardians under a single account with appropriate privileges and capabilities for each. The service could even support temporary access for baby sitters and for friends of the children, which could also be good for business. Parent-Child Contract—Barbie Girls came up with an excellent idea for its Parents’ Place service: a tool that helps parents and children build a contract for when, where, and how the child can use the online service19. One feature that many parents would likely appreciate would be a “parental dashboard” that would allow a parent to centrally manage all of the online activities of their child or children at all of the sites that the children use. It often seems that game developers view parental controls as a burden instead of an opportunity to take care of the real customer. After all, it is usually the parent who pays for the service. A market is beginning to develop for security products and outsourced services related to protecting children20. In addition to technical capabilities and costs, companies that are investigating such services should consider whether they can transfer any liability to the service provider. Monitoring is not used solely for children’s games. There are additional issues related to monitoring, particularly privacy, that should be considered regardless of whether the participants are children or adults (see Chapter 29).

COPPA

with J. Price Children are often the direct or indirect audience for many games, including online games. Providing the game to them, and collecting various data associated with their use of the game, will require game companies to adhere to the Children’s Online Privacy Protection Act of 199821 (COPPA). (COPPA should not be confused

320

Protecting Games: A Security Handbook for Game Developers and Publishers

with COPA, the Child Online Protection Act, which addresses the exposure of children to online pornography.) COPPA applies to websites and online services operated by persons or entities under U.S. jurisdiction for commercial purposes that are either directed to children under 13 or who have actual knowledge that children under 13 are providing information online. COPPA is not optional. It is the law and companies have been fined substantially, in one case, $1 million for violating the statute22. Online game developers seem to be petrified of children using their services. The prospect of complying with COPPA and not marketing to kids seems to have driven many companies to restrict their market to children 13 and up or adults. It is interesting to note that parents are very active in children’s games. In the social network and doll “dress up” game, Stardoll, a survey found that 80 percent of surveyed children and 54 percent of surveyed parents visit the site daily. Parents seem heavily involved: 75 percent visiting the site along with their daughters at least once a week, 64 percent visiting on their own, and 60 percent having their own accounts23. COPPA does not ban marketing to children; it provides rules on how to do it. The law details, for example, what an online game operator must include in a privacy policy, when and how to seek verifiable consent from a parent or guardian, what responsibilities an operator has to protect children’s privacy and safety online, and includes restrictions on marketing to children under 13. An important element of COPPA is potential legal immunity. The Federal Trade Commission (FTC) implements a “safe harbor” designed to encourage increased industry self-regulation. To take advantage of the safe harbor, the FTC must approve the set of compliance guidelines that the company employs.24

C HILDREN

AND

I DENTITY

Protecting children’s identity is a particular challenge. In the US, a child’s privacy is protected under COPPA, and as a practical matter mishandling children’s identity information is bad business and worse public relations. Kids don’t see identity protection this way. They want to play games, and there is nothing like saying “no” to encourage devious behavior. When a player registers, even an adult, the goal of the registration process is to deter bad behavior, but some parents will also collude with their children to “game” the system. A good system should include both carrots and sticks for establishing and protecting identity: rewards and punishments. Verifying identity online is a hard problem; face-to-face identity verification is not. However, verifying face-to-face identity is not cheap. One answer is to get the users to pay to have their identities verified.

Chapter 30 Protecting Kids from Pedophiles, Stalkers, Cyberbullies, and Marketeers

321

How about a T-shirt? One way to get users to pay for identity verification is through the physical delivery of goods. Delivery services (such as UPS and FedEx or even the Post Office) offer the ability to confirm identity via signature receipt. It is fairly expensive to pay for this service purely as an identity verification method. However, consumers will often pay to receive a T-shirt, poster, or other items (“carrots”). The marginal cost of adding signature verification is low to a product delivery and, of course, the consumer is now actively engaged in marketing your game. The worst-case scenario is that you might have to convince your marketing department to subsidize the shirts or items. An approach to handling identity misrepresentation is assessing an obvious, serious financial penalty for misrepresenting information and the threat of legal action (the “sticks”). For example, the game provider could levy a $250 charge for handling and revoking a fraudulent identity. And, because identity theft and credit card theft are both crimes, the service provider should be willing to pursue legal action and do so conspicuously and publicly. Both of these threats would be highlighted during the registration process with a clear, explicit acknowledgement by the user when completing the process. If an incident does present itself, the company should be willing to follow through by enforcing the fine or taking legal action, or both. If the service provider does take legal action, it should do so publicly. Publicity will aid the company’s credibility and deter future problems.

C HILD P ORNOGRAPHY

with J. Price Players may create or post child pornography onto your online service, unfortunately, and it must be dealt with quickly and appropriately. Federal law imposes significant penalties for the online (and off-line) distribution of child pornography. Any entity providing any online service, including a game, must report any facts or circumstances around possible violations of federal child pornography laws to a law enforcement agency25 or the Cyber Tip Line at the National Center for Missing and Exploited Children (1-800-843-5678—see also http://www.missingkids.com/ cybertip/). Any person who knowingly and willfully fails to make a required report will face serious consequences, including fines of $50,000 for the first offense and $100,000 for subsequent offenses26. The legislation does not require an online service provider to monitor any user, subscriber, or customer, or the content of any communication of any user, subscriber, or customer, and immunizes game operators and ISPs from civil lawsuits if

322

Protecting Games: A Security Handbook for Game Developers and Publishers

they take good-faith actions to comply with the legislation27. But game operators must respond quickly to any report of child pornography and involve law enforcement just as quickly. Turning a blind eye to an end-user complaint regarding content, especially if it is—or could be—child pornography, will very likely result in prosecution.

R EFERENCES 1. Dear Abby (2007), “Online Video Game Threat Catches Parents Unaware,” http://www.uexpress.com/dearabby/?uc_full_date=20070915 2. Crimes Against Children Research Center (2007), “1 in 7 Youth: The Statistics About Online Sexual Solicitations,” http://www.unh.edu/ccrc/internet-crimes/factsheet_1in7.html 3. Crimes Against Children Research Center (2007), “Internet Safety Education for Teens: Getting It Right,” http://www.unh.edu/ccrc/internet-crimes/safety_ed.html 4. Symantec (2008), “Parents, Get a Clue!,” http://www.marketwire.com/press-release/Symantec-NASDAQ-SYMC-820494.html 5. R. Markby (2006), “New Zealand Boy Runs Up $1,500 Debt in There,” http://playnoevil.com/serendipity/index.php?/archives/962-New-Zealand-boy-runs-up-1500-debt-inThere.html (original story at Stuff no longer available) 6. B. Tedeschi (2008), “How to Give Your Child an Allowance, the Mobile Way,” http://www.nytimes.com/2008/07/31/technology/personaltech/31smart.html?em 7. Edge (2006), “Robbie Bach Fronts Safe Gaming Campaign,” http://www.edge-online.com/news/robbie-bach-fronts-safe-gaming-campaign 8. S. Davis (2006), “NCsoft Launches ‘PlaySmart’ Information Program to Advance Online Gaming Safety, Security,” http://playnoevil.com/serendipity/index.php?/archives/764-NCsofts-PlaySmartInitiative-Hopefully-Just-the-Beginning.html (via PlayNoEvil: original article at Yahoo! no longer available) 9. Federal Trade Commission (1998), “Children’s Online Privacy Protection Act of 1998,” http://www.ftc.gov/ogc/coppa1.htm 10. B. Levine (2006), “Taking On the Cyber Bullies,” http://www.toptechnews.com/story.xhtml?story_id=02300000L9FA&page=1 11. D. Stang (2008), “How Pedophiles Groom Victims,” http://sexual-abuse.suite101.com/article.cfm/how_pedophiles_groom_victims 12. K. Lanning (2001), “Child Molesters: A Behavioral Analysis,” http://www.missingkids.com/en_US/publications/NC70.pdf 13. CyberBullyHelp.com (2007), “The Facts About Cyber Bullying,” http://www.cyberbullyhelp.com/whatis.html 14. P. Agatston (2007),“Cyber Bullying Quick Reference Guide for Parents,” http://www.cyberbullyhelp.com/Cyber%20Bullying%20Guide%20for%20Parents.pdf 15. The Good Reverend (2007), “How to Chat in Chatless Disney Online Game,” http://thegoodreverend.blogspot.com/2007/06/how-to-chat-in-chatless-disney-online.html 16. P. Elliot (2008), “MMO Week: Club Penguin,” http://www.gamesindustry.biz/articles/mmo-week-club-penguin

Chapter 30 Protecting Kids from Pedophiles, Stalkers, Cyberbullies, and Marketeers

323

17. S. Davis (2007), “Feature Article: Inside Club Penguin and its Child Safety Program—Updated Club Penguins purchased by Disney,” http://www.playnoevil.com/serendipity/index.php?/archives/1461FEATURE-ARTICLE-Inside-Club-Penguin-and-its-Child-Safety-Program-UPDATED-Club-Penguinspurchased-by-Disney.html 18. J. Smedley (2006), “Be Vigilant,” http://stationblog.wordpress.com/2006/08/21/be-vigilant/ 19. Barbie Girls (2008), “Barbie Girls Parents’ Place,” http://www.barbiegirls.com/parent_home.jsp 20. Virtual World News (2008), “Xivio Signs Crisp Thinking for Online Child Protection,” http://www.virtualworldsnews.com/2008/06/xivio-signs-cri.html 21. 15 U.S.C. §§ 6501–6506 22. Federal Trade Commission (2006), “Xanga.com to Pay $1 Million for Violating Children’s Online Privacy Protection Rule,” http://www.ftc.gov/opa/2006/09/xanga.shtm 23. N. Mitham (2008), “Stardoll: Fame, Fashion and Friends…and Mothers?,” http://www.kzero.co.uk/blog/?p=2140 24. Federal Trade Commission (2006), “How to Comply with the Children’s Online Privacy Protection Rule,” http://www.ftc.gov/bcp/conline/pubs/buspubs/coppa.shtm 25. 42 U.S.C. § 13032(b)(1) 26. 42 U.S.C. § 13032(b)(3) 27. 47 U.S.C. § 230; 18 U.S.C. § 2702(b)

31

Dancing with Gambling: Skill Games, Contests, Promotions, and Gambling Again

here is one place where playing games purely for fun collides hard with the real world: when gaming becomes gambling. Although game violence and game addiction have recently been the focus of media attention and public policy concerning the game industry, gambling is an area where game companies can rapidly get into very serious trouble.

T

I am addressing gambling, contests, and related topics in a book on game security for two reasons: Game companies can get into a lot of difficulty by veering into the gambling industry unintentionally. Once cash or prizes are involved, games are not just for fun, and the threat level to a game’s integrity goes up dramatically. The gambling gaming industry and the non-gambling gaming industry rarely seem to acknowledge the other’s existence. However, the explosive growth of online gaming and the wide range of business model experiments within the gaming industry are creating “accidental casinos” and “unintentional lotteries.” Governments have no sympathy for companies that make these kinds of mistakes. The temptation for game developers to edge towards gambling is pretty obvious. The potential to win cash or prizes is a huge incentive to participate in a game and substantially increases a player’s willingness to pay to play. Designing a casino game seems very simple: a deck of cards, a couple of dice, a wheel and ball, some green felt, and you’re in business. All legal U.S. gambling (including casinos, Indian casinos, charitable games, bingo, card rooms, and lotteries) generated $90.93 billion in gross gaming revenue in 20061; certainly enough money to catch anyone’s attention.

324

Chapter 31 Dancing with Gambling

W HAT I S G AMBLING

AND

325

W HAT I S N OT

In general, a game must have three elements to be considered “gambling”: (1) consideration to play (often money); (2) an element of chance; and (3) a prize. If the game lacks any one, it is not a gambling game…usually2. Game business models can be broken into the following categories (if you are considering gambling and related legal issues): No Prize: No Gambling, No Problem—Even if you charge to play or have an element of chance, if there is no prize, there is no gambling. No Consideration: Contests and Sweepstakes—As long as you do not have to pay to enter and all entrants have an equal chance to win all prizes (equal dignity is the legal term), the game is not gambling. There are certain U.S. states that are more restrictive in this regard. Personally, I use the “McDonalds Test.” Go get a McDonalds prize ticket and look where the contest is “Void Where Prohibited by Law.” This is a good list of the places where you can’t run contests. Consideration, No (Little) Chance, and Prize: Skill Game—If the game does not contain an element of chance, it is a skill game and not considered gambling. Typically, in the US, about 30 states use a “preponderance of skill” standard, another 10 have a “pure skill” standard, and the rest don’t allow skill games (contact your lawyer). Consideration, (Mostly*) Chance, and Prize: Gambling—A game that includes all three elements is not necessarily prohibited, but it is almost certainly regulated in most jurisdictions. For example, in the US, fantasy sports leagues, horse racing, and certain online lotteries are excluded from the Unlawful Internet Gambling Enforcement Act (UIGEA)3. There are also different rules for charitable gaming. (*)Interestingly, the law in Canada is reversed; if there is an element of skill in the game, it is not considered gambling 4. Nations and states may treat the gaming/gambling transaction as occurring where the player is, not where the server or business is located. This is an issue that needs to be explored more carefully from both the perspective of protecting a gaming company and as a matter of public policy. Some jurisdictions, most notably the US, France, and Israel5, have stated that if either party to the transaction is in their jurisdiction, the government has jurisdiction over both parties. The risk for a gaming company is that it may be operating in a jurisdiction where gambling is legal, but be at risk of prosecution in another jurisdiction because one of its players is located there.

326

Protecting Games: A Security Handbook for Game Developers and Publishers

Game designers can work their way around these issues, if they do so carefully. Trading card games allow players to create value for the cards independently of the value set by the game company. Games can also be redesigned to remove an element of chance. For example, Duplicate Bridge6 eliminates chance from a card game by having all partnerships play the same hands. The bottom line is that if you have any questions or doubts about whether your game is a gambling game, contact an attorney knowledgeable in this area of law.

A CCIDENTAL C ASINOS User-created content and emergent game play are usually wonderful things when they are part of your game. Players have taken online games and expanded them and transformed them far beyond the initial plans or intent of their creators. Game companies can experiment with new rewards and incentives for playing. All of these factors can sometimes cause a game to stumble into gambling: Linden Lab’s Second Life has been at the forefront of player creativity. One of the obvious, and, for a while, quite popular, options for players was to create a virtual casino that used the game’s currency. In 2007, Linden Lab asked the FBI to review these inworld services7 and shortly thereafter banned both advertising for gambling8 and all of the virtual gambling sites inside the virtual world9. In Korea’s intensely competitive online gaming market, the Lohan MMO, was launched and was surprisingly popular. It had a Baccarat “mini-game” that became very popular and which was of sufficient concern that Korea’s Media Rating Board (equivalent to the U.S. Entertainment Software Rating Board) asked that the game be removed10. Even more challenging to the boundary between gaming and gambling is the case of Sony’s Station Exchange. As discussed in the gold farming section of Chapter 22, Sony launched this online sales service as part of its strategy to fight gold farming. However, because Sony seems to have profited from the transactions and many of the virtual items had an element of chance involved in their acquisition, there were questions raised as to whether the UK’s new Gambling Act would require Sony to get a license11. Sony could perhaps avoid this potential problem if it set a flat listing or processing fee instead of a commission-based transaction service. NHN’s game Reign of Revolution embraced a more direct form of capitalism by allowing players to tax all of the transactions in regions that they controlled. This could potentially be quite lucrative, given the wide availability of real money trading sites in Korea12. As a world leader in online gaming, Korea is struggling with clarifying the distinction between gaming and gambling online. They have large-scale gold farming and, at the same time, casual gambling games (such as the card game Go-Stop and

Chapter 31 Dancing with Gambling

327

poker) that are widely played for large amounts of virtual currency. The government is considering penalizing players who trade more than 300,000 Won (around $290) in virtual currency per month13.

S KILL G AMES Typically, contests are pretty safe and non-controversial. There is no legal problem as long as players don’t have to pay to enter and they have an equal chance of winning the prizes. It is pretty easy to determine whether the game is a contest. Skill games are more problematic. Because payments are required to play, the boundary between jail time and a good business is based solely on the game design and implementation. Governments are not always helpful: The UK recently determined that poker was a game of chance14, whereas Denmark decided it was a game of skill15. Game developers have adapted a number of casual games to use the skill games business model16. Developers have even converted first person shooters into skill games, although to date, none of these endeavors has been financially successful17. There are a range of issues that game developers should consider when designing a skill game or converting an existing game to the skill game business model: Does the Game Have Enough Skill—There are a lot of games that are quite fun that don’t require much skill. The entertainment comes from the graphics, animation, and sound, simple game play, and substantial rewards. Because of the legal issues, developers have to be quite careful to ensure that the game will pass the “preponderance of skill” or “pure skill” test, depending on where the game company plans to operate and for which customers they wish to make the game available. Vulnerability to Attack—Many games are fun but not secure or even able to be secured. Single-player games often have optimal solutions that can be exploited and many multi-player games are very vulnerable to bots (see Part III on cheating). These design flaws may, in fact, be part of the appeal of the nonskill variants of the game, as players often enjoy the satisfaction of victory, even if it is gained easily. Single Player Game Design Issues—Very few online games for single players are designed to be implemented on the server. All of the game logic is on the player’s computer and the sole interactions with the server are to download the game and upload a score. These games are virtually impossible to protect, although they are commonly used for advergames and skill games.

328

Protecting Games: A Security Handbook for Game Developers and Publishers

Migration Issues—If a developer is working with an existing game, it is very tempting to reuse the already built and tested code. Because security is much less of a priority for a (non-skill) game, the existing game may have serious architectural and game design issues that could make it difficult to port securely. Skill Dominance/Sufficient Audience—Some games have very high learning curves and some players are substantially better than others. First person shooters often fit this profile, as do deep, strategic games like chess. These games make poor skill games because many typical players will have no confidence that they can win or improve enough that they can ever win. One reason that poker is so successful is that pretty much everyone thinks that they are an above average player. Another issue for skill games is that players do not necessarily trust the game service. Because money is on the line, players are likely to be concerned about insider cheating, shills (players paid by the game site to play the game), and other problems.

M ISCELLANEOUS S ECURITY I SSUES Contests, skill games, and gambling games are potential targets of all of the security threats discussed elsewhere in this book. Players will cheat, hack, gold farm, abuse tournaments, grief, and subvert their identities. In other words, some players will do pretty much anything to win cash or prizes. There are several potential security issues that are worth discussing further. GAME SERVICE SCAMS Online casinos and skill game sites can be intentionally criminal enterprises. Because they accept player payments and are potentially rewarding players with cash or prizes, there are many ways to defraud customers. Unfortunately, reputation is not very effective as a mechanism for preventing fraud because it is so easy to launch a new site and so easy to market it. Lack of regulations and the ability to shop for favorable jurisdictions makes it easier to set up and profit from a scam. Game scams can be fairly subtle since players expect to lose a portion of the time that they play. A slight change in the payout odds at a casino can turn into a huge amount of profit. Having shills (players affiliated with the game site) periodically win or defeat players can sustain their trust in the game. One of the reasons that we created our SecurePlay anti-cheating software was to help players be able to independently check that games are fair18. Of course, the easiest scam is to simply refuse to pay out winnings.

Chapter 31 Dancing with Gambling

329

The growing popularity of online games has also brought out some pyramid schemes tied to games. No doubt other forms of fraud will emerge. POKER, CONTEST,

AND

SKILL GAME BOTS

Bots are a hard problem for game developers to stop. At the end of the day, it is impossible to tell the difference between a human player using a mouse and keyboard and an automated program driving a mouse and keyboard. Gold farmers use bots against MMOs and are successful because it is economically worthwhile. Any time there is money involved, there is real potential for someone to figure out how to automate game play undetectably. As these types of online services grow, it would not be surprising to find “poker farmers” and “skill game farmers” using automated tools to exploit these games. These automation tools don’t need to be perfect, only sufficiently good that they can reliably make money without being easily detected by the game sites. There are really only two solutions—you can build games that are not “bot-able” and design game play so that it has a substantial psychological element. This is what has kept pokerbots at bay, so far19. The other option is to combine online with face-to-face play. Face-to-face competition in a controlled environment will keep bots out by definition. Public humiliation for failing in front of a large audience may further deter otherwise anonymous botters. LIVE PLAY Video feeds of remote, live games have been part of the online gambling industry for a number of years. Some players believe that these systems are more secure. But it is well known that traditional, regulated casinos periodically have problems with cheaters and an ordinary player with a webcam is highly unlikely to be able to detect any suspicious activity. Wholesale fraud by game sites is also possible. After all, the same technology that allows the virtual “first down line” to appear on your television screen during a football game20 could be used to present whatever cards or dice values you would like to a player.

L EGAL C ONSIDERATIONS

with J. Price Even small changes or additions of new features to a game could unwittingly trigger a host of laws and regulations. With a single change, a game can go from not being regulated at all to being subject to the same laws and regulations as the largest

330

Protecting Games: A Security Handbook for Game Developers and Publishers

casinos in the nation or being outright illegal. To complicate matters, laws change and courts often interpret provisions differently depending upon the jurisdiction of the court and specific application of the law. As noted previously, there are three elements in games that make a game a gambling game: (1) consideration to play (often money); (2) an element of chance; and (3) a prize. There are limitations to this shorthand rule, however. This is an industry with a variety of interweaving laws and regulations. It is often difficult to make a clear, legal distinction between various types of games. Definitional issues arise, in large part, because the laws and regulations are often purposely vague (to encompass present, future, perhaps currently unknown issues), and vary widely from one jurisdiction to the next. Not knowing whether your game incorporates gambling is not a legal defense against charges of running an illegal casino or lottery. Just as with speed limits, law enforcement will not care whether you were aware of the law when a potential offense occurs. Of course, one way to decrease the number of legal issues you have to handle is to make an effort not to create problems and to avoid pitfalls. The easiest way to keep your game out of the gambling category is to simply remove one of the three elements—not just tweak an element so it is arguably not part of the game, but completely remove it. For example, a game without any type of prize is not gambling, anywhere, anytime. If you develop a game that includes elements of gambling, you must be aware of criminal and civil laws and regulations that exist at both the federal and state level. Worldwide, gambling is often slightly less regulated than in the US, where there are very specific laws and regulations. There are also a variety of federal and state laws and regulations that do not specifically relate to either gaming or gambling, but are highly relevant to game developers, such as laws regarding privacy, consumer protection, fraud, money laundering, online content, as well as other laws and regulations that might be triggered depending on the type of game, where it is offered, and where it is played. You also should consider that the federal (and state) government will not be shy when it comes to prosecuting something it considers a crime, even if it seems obvious to you that its reading of the law is incorrect. Whether they win or lose in a lawsuit against you, it will be a distraction and may set your business off course. It will also likely be a costly, time-consuming experience. All of these different parts operate in a legal machine that includes something referred to as “prosecutorial discretion.” Under U.S. law, government prosecuting attorneys have broad authority to choose whether or not to bring charges, and what charges to bring, in cases where the evidence would justify charges.

Chapter 31 Dancing with Gambling

331

“Prosecutorial discretion” is typically the answer to the question: “Well, if it’s illegal, why is so-and-so doing it?” The fact that someone else is “doing it” does not mean that “it” is legal, or a prosecutor is not interested in the conduct; it simply means the person has not been prosecuted for it—yet. FEDERAL LAWS

AND

REGULATIONS

The most important law used by federal prosecutors for gambling is the Interstate Wire Act of 1961, (often called the Wire Act)21. This law addresses those engaged in the business of gambling and transmitting information relating to gambling by a wire (or wireless) communication device. There are exceptions written into the law, and not all courts agree on its breadth. The U.S. Fifth Circuit Court of Appeals, for example, has ruled that the Wire Act applies only to sports betting and not other types of online gambling22. In contrast, the law has been interpreted by some, including the U.S. Department of Justice, to mean that all online gambling is illegal. Another important federal law, the Illegal Gambling Business Act of 1970, prohibits gambling businesses, in general23. This law is particularly interesting because it is one of a few that intersect with state law. For a game business to be illegal under this law, the federal government must first establish that it is a gambling operation in violation of state or local law. This federal law exempts Las Vegas casinos, for example, where gambling businesses are legal under state law. But most online games are not regionally offered or limited to one state. In fact, the very success of a game can be the result of revenues in jurisdictions you never considered. A successful game could also trigger this and similar laws if a state law is violated, even unwittingly. Caution is warranted, especially if your game is of the type that might be considered gambling in some jurisdictions, and a legal game in others. If a problem arises in one of the more conservative jurisdictions, you could have an additional problem under federal law. A federal prosecutor can literally “make a federal case out of it.” Another federal law, referred to as the Travel Act, also may cause issues for unsuspecting game operators, and is another example of how an isolated act can turn into a much larger issue. This law is aimed at prohibiting interstate travel or use of an interstate facility in aid of an unlawful business enterprise such as illegal gambling. Similar to the Illegal Gambling Business Act, the Travel Act first requires a violation of another law to trigger the federal law. If the game is defined as illegal gambling in a jurisdiction, or if there is some other legal issue, that initial violation—or attempt to violate the law—will lead to further issues if interstate facilities were used to further the unlawful activity.

332

Protecting Games: A Security Handbook for Game Developers and Publishers

Similarly, the subject matter of a game can cause problems. For example, the Professional and Amateur Sports Protection Act of 199224 makes it unlawful for any government (including states and tribes) to authorize legal wagers that are based on sporting events. Exceptions to this law exist for some states, such as Nevada, which has its own specific laws concerning sports wagering. STATE LAWS

AND

REGULATIONS

In addition to laws that “make a federal case out of it,” states can cause plenty of difficulties. Worse yet, any number of states can sue simultaneously, and force you to defend yourself in multiple jurisdictions at once. Every state has laws to distinguish between games and gambling, and otherwise address issues that arise with games and gambling. Each also has laws in place to protect its citizens in a variety of ways that do not directly relate to games, and may not have been drafted with games in mind, such as laws requiring appropriate disclosures, tax laws, data security statutes, and catch-all laws that are used to protect consumers in any number of circumstances. Although each state regulates games in some way, two states stand out— California and New York. Each has aggressive laws covering games and gambling. New York provides a good example of a state that bars gambling in its constitution25, and prosecutes cases vigorously. Under New York law26, “games of chance” are separately addressed, including a specific exception for bingo for senior citizens27. Similarly, California has laws regulating the difference between gambling and gaming28 and very aggressive consumer protection laws. When you consider a state’s tolerance for any type of game or related activity, it is instructive to look first at the state’s statutes and regulations, and then at the state’s court cases with a focus on: Jurisdiction (whether the state laws apply to a particular game and entity or person providing the game). The elements that distinguish gaming from gambling (reviewed previously) that are often interpreted differently by different states. Even if two states have similar laws, they might apply their laws differently. This happens because each state has a myriad of cases that have gone through the court system that interpret important elements of games in the context of varying facts. For example, at least one court in Washington state has found that consideration does not have to be defined as money. Consideration could be someone’s time and effort to obtain prize slips, even though the game pieces were available without

Chapter 31 Dancing with Gambling

333

purchase and therefore might be gambling in Washington29. In contrast, another court, in a different state (Michigan), found that any effort that is a mere inconvenience to the participant is insufficient to qualify as consideration and therefore the same type of game was not determined to be gambling30. To avoid any confusion about the legal status of different types of games, some states simply prohibit all pay-for-play skill games that include prizes. Other states use a sliding scale, with what is referred to as a “predominance test.” If the element of skill in a game predominates over chance then the game is permitted. For some games, such as chess, the distinction is clear; for other games, such as poker, the answer is more ambiguous because poker includes both chance and skill elements. Skill games are allowed in about 30 U.S. states if the games have a preponderance of skill; in 10 states a skill game is legal only if it is a pure skill game; and in the remaining 10–12 states, skill games are illegal. Unfortunately, there is no standard, simple process to determine which legislation or regulations are applicable to a given game within the US. You need to look carefully at court precedent and applicable laws and regulations.

R EFERENCES 1. American Gaming Association (2007), “Gaming Revenue: Current-Year Data,” http://www.americangaming.org/Industry/factsheets/statistics_detail.cfv?id=7 2. Direct Marketing Association (2008), “Sweepstakes Advertising: A Consumer’s Guide,” http://www.dmachoice.org/Sweepstakes/ 3. Wikipedia (2008), “SAFE Port Act,” http://en.wikipedia.org/wiki/SAFE_Port_Act 4. S. Davis (2008), “Notes on Skill Games and Contests from the Next Generation in Gambling Conference,” http://playnoevil.com/serendipity/index.php?/archives/2150-Notes-on-Skill-GamesContests-from-the-Next-Generation-in-Gambling-Conference.html 5. B. Hansen (2007), “Israel Bonds with US Over Online Betting Ban,” http://www.theregister.co.uk/2007/02/08/online_betting_israel/ 6. Wikipedia (2008), “Duplicate Bridge,” http://en.wikipedia.org/wiki/Duplicate_bridge 7. A. Reuters (2007), “FBI Probes Second Life Gambling,” http://secondlife.reuters.com/stories/2007/04/03/fbi-probes-second-life-gambling/ 8. Linden Lab (2007), “Advertising Policy Changes,” http://blog.secondlife.com/2007/04/05/advertising-policy-changes/ 9. Linden Lab (2007), “Wagering in Second Life: New Policy,” http://blog.secondlife.com/2007/07/25/wagering-in-second-life-new-policy/ 10. Jun S.H. (2006), “Virtual World or Virtual Vegas?,” http://gamestudy.org/eblog/2006/05/03 /virtual-world-or-virtual-vegas/http://gamestudy.org/eblog/2006/05/03/virtual-world-or-virtual-vegas/ 11. Virtual World News (2007), “UK Gambling Act: How to Protect Your Virtual World,” http://www.virtualworldsnews.com/2007/07/follow-up-on-uk.html

334

Protecting Games: A Security Handbook for Game Developers and Publishers

12. Cho J. (2006), “Jungle Law and Taxes Apply in ‘R2’,” http://search.hankooki.com/times/times_view.php?term=online+game++&path=hankooki3/times/lpage/ culture/200605/kt2006051418022511710.htm&media=kt 13. Bae J. (2008), “‘Habitual’ Online Item Buyers Face Sanctions,” http://www.koreatimes.co.kr/www/news/nation/2008/06/113_26515.html 14. BBC (2007), “Man Guilty in Poker Skills Case,” http://news.bbc.co.uk/1/hi/england/london/6267603.stm 15. Online Poker News (2007), “Danish Court Rules Poker Skill Game,” http://www.onlinepoker-news.com/20070723/danish_court_rules_poker_skill_hjb.aspx 16. FUN Technologies (2007), “WorldWinner and PlayFirst Team Up to Create Diner Dash Online Cash Competitions,” http://www.marketwire.com/press-release/Worldwinner-763678.html 17. P. Elliot (2008), “Kwari Shuts Down,” http://www.gamesindustry.biz/articles/kwari-shuts-down 18. IT GlobalSecure (2008), “SecurePlay,” http://www.secureplay.com/ 19. J. Woo (2008), “Poker Bots: The Future of Online Poker is Doomed!,” http://www.gambling911.com/poker/poker-bots-online-poker-doomed-081008.html 20. S. Brannan (2008), “How the First-Down Line Works,” http://entertainment.howstuffworks.com/first-down-line.htm 21. 18 U.S.C. § 1084 22. United States v. McDonough, 835 F.2d 1103, 1105 n. 7 (5th Cir. 1988) 23. 18 U.S.C. § 1955 24. 18 U.S.C. § 1955; Pub. L. No. 102-559, 106 Stat. 4227-4229 (1992) 25. New York Constitution, Article 1, Section 9 26. New York Penal Law, Article 140, 225.00 (“Gambling Offenses”) 27. New York Penal Law, Section 213-23 “License Required; Exemption for Senior Citizen Games” 28. Gambling Control Act, California Code, Chapter 5, sections 19800–19958 29. Washington v. Safeway Stores, Inc., 450 P.2d 949 (Wash. 1969) 30. ACF Wrigley Stores, Inc. v. Olsen, 102 N.W.2d 545 (Mich. 1960)

32

Denial of Service, Disasters, Reliability, Availability, and Architecture

ou’ve got to keep things running. If there is no game service, there is no game to play, no players, no money coming in, nothing to pirate, no one to cheat, and no gold to farm. If one looks at IT protection purely from a budgetary and business impact perspective, this chapter should have been first. I’ve had close encounters with two IT disasters and one near-miss during my career (so far).

Y

W HAT C AN G O W RONG , W ILL G O W RONG First, an “operational” service was “back-hoed” when my employer had a cable cut that took down a critical secure mail server. The email service was actually a prototype, but it was being used by senior executives across the federal government, so no matter what our contract said formally, we were operational. We had purchased our data lines from two separate telecommunications companies and so we thought we were safe against single points of failure. We were wrong; the connections were redundant, not independent. The two telecommunications carriers had both purchased space on a single physical cable on one segment of their connection to our site. Second, we had a contract to operate the main Internet access point for a large government department. Our building’s roof was being repaired and we had a rain storm. This would have only been a minor problem, except there was a huge amount of rain and the massive roof was flat with a single six-inch hole in the center, down which the water spun through like a whirlpool. I have never been in a building before where it was raining inside. Of course this hole was right on top of our equipment room. Water streamed down over numerous, brand new, high-end servers and networking equipment (the folks in the network operations center didn’t see, hear, or notice a thing).

335

336

Protecting Games: A Security Handbook for Game Developers and Publishers

Finally, in another rain-soaked incident some number of years ago, the alreadysaturated District of Columbia had four inches of rain in 45 minutes and the water rapidly backed up through a large portion of the city (and totally drained away 30 minutes later). Some areas of the city were six to eight feet deep in water. Our office was lucky. There is nothing like walking through six inches of water to go turn off the main power and hoping that nothing really bad is going to happen. Nothing did, or else I wouldn’t be writing this, and we lost surprisingly little IT equipment. All sorts of things can go wrong. Whatever you plan for, something else will come along that you haven’t considered. Nature will try to get you, your service providers will try to get you, your customers will try to get you, and hackers and other intentional trouble makers will try to get you. Planning for natural and manmade disasters is totally thankless before it occurs because of the “unnecessary” cost. But, it is totally necessary (whether a disaster occurs or not), even if you don’t cover every contingency. There are books on contingency planning, but a lot of the needed planning is very procedural and specific to your business. However, it is increasingly easy for online services to scale rapidly and, at the same time, reduce their vulnerability to failures. Virtualization technologies like Xen1 and VMware2 and cloud computing as well as the commoditization of data center services are good for business as well as good for security. Designing your system architecture to be deployed rapidly on leased servers or virtual services, such as Amazon’s EC23, saves money, improves scalability, and ensures availability. (As a side note, the continuing rapid evolution of server technology makes leasing hardware compelling for most applications as well as a great way to control cash flow. This is a huge change in basic IT thinking from just a few years ago.)

D ENIAL

OF

S ERVICE

Denial of service attacks can be done just “because” or with serious intent: In 2004, hackers threatened online bookmakers with a denial of service (DoS) attack during the Grand National horse race and the Super Bowl (American) football events. These blackmail attempts, assumed to be from Eastern European criminal groups, targeted the huge portion of annual sports wagers that are placed for these competitions4. Gambling sites are not the only target of denial of service attacks. In 2005, Square Enix’s Final Fantasy XI MMO was also the victim of a distributed denial of service attack5. Although some folks in the game industry may have been pleased, most of Korea’s major RMT sites suffered simultaneous denial of service attacks in early October 2007. The sites took themselves offline for several days to tighten up their security6.

Chapter 32 Denial of Service, Disasters, Reliability, Availability, and Architecture

337

It is possible to attempt to blackmail an MMO with a DoS attack, but as the services do have outages periodically, it is not clear if this would be as financially serious as it is for a sports wagering site. Any site that needs to be operational to earn revenue is a potential target—any business from ad-driven sites to online casinos. However, it is much more effective to target sites that have traffic that is highly concentrated at specific times, because the attack does not have to be sustained nearly as long to have serious impact on the victim. Sites that support rich, user-created content can be targeted by in-game denial of service attacks. Linden Lab’s Second Life has suffered a number of such attacks over the years7. However, user-created content could be used to cause denial of service and other attacks on client computers, not just at the central service, which could be potentially more damaging to the company (and its relationship with its customers). There are four types of denial of service attacks: Hardware—Attacks that result in changes to the target servers’ or associated network devices’ firmware so that they no longer operate. Network—Attacks that overwhelm the network connection to the victim’s site so that legitimate data can no longer reach the target system. Platform—Attacks that target the standard operating system and shared applications, such as the network stack, on the victim system’s computers. Application—Attacks that target the victim system’s specific application. There are an increasing number of strategies that are available to help fight denial of service attacks. Some of the simplest strategies are architecture changes. By hosting an online service at one or more major data centers, it is much more difficult for hackers to simply overwhelm the bandwidth of the site or servers. If the target system is located at a small data center, the company should work with its upstream network providers to ensure that traffic rate filtering is done to ensure that the data that comes over a smaller connection has been purged of standard DoS attack traffic (unusual concentrations of traffic from sites is often an indicator that the computer is a “zombie” and member of a botnet used to attack networks and distribute spam). It is unfortunate that there is no accountability today for ISPs to guarantee that the data they provide or pass through to their clients is clean. (Hackers will also modify the source address of data from compromised computers to hide the source of an attack. Although this is hard to detect by the victim computer, it is easy for the host ISP to detect: Any data generated from a client computer should have an ISP issued or authorized IP address.)

338

Protecting Games: A Security Handbook for Game Developers and Publishers

Defeating hardware and platform attacks is usually the responsibility of the equipment provider. Basically, the providers need to deliver systems that only allow authorized updates to the firmware to be installed and these updates can be installed only by authorized individuals. Firewalls, intrusion protection systems, and other security hardware and software tools can be used to attempt to keep denial of service attacks at bay. These products are designed to protect “generic” online services. Online games can also take advantage of their custom communications protocols to improve their security. First, because most online game services include general website and other nongame related applications, these sets of servers and services should be separated from game servers or shards (groups of game servers that work together). This will allow commercial security tools to work more effectively and have to process less data. Using a content-distribution system or web-caching service like Akamai can also reduce the risk of DoS attacks on websites. Because online game services often process very large amounts of network traffic, typical denial of service security solutions can be quite expensive (the cost for these solutions is mainly driven by the need to process volumes of network packets in real time). However, most game services have very structured network data and this can be used to their advantage. Game services can use proxy servers to ensure that only data that is formatted in the structure required by the game’s protocols gets passed on to internal servers for further processing. Because these proxies only have one purpose—to parse game messages—they can be simple, fast, and replicated easily. They may even translate a public game message format into an internal format to support logging and other security functions. Commercial “deep packet filtering” solutions can implement similar features to a game protocol proxy, but they are burdened with their need to handle a wide range of protocols. Another advantage of a good proxy server system is that it can help prevent buffer-overflow and other malformed data attacks such as that suffered by World of Warcraft in August of 20078. A simple extension to a game protocol proxy is support for a “white-list” authorization service. Because virtually all games establish a session using some sort of login service, the same login service can create a registry of IP addresses and random authentication token pairs that it provides to both the client and the game’s proxy servers: // client creates a secure session with license or login server ClientAuthorizationMessage = (SecureSessionID,AuthorizationToken); // message sent to client ClientRegistrationMessage = (IPAddress,SecureSessionID, AuthorizationToken); // message sent to the game proxies to add to their white lists

Chapter 32 Denial of Service, Disasters, Reliability, Availability, and Architecture

339

When a proxy server receives a message from an alleged client, it can rapidly validate the IP address with SecureSessionID and AuthorizationToken to determine whether it should even begin to parse the remainder of the message. This can be used to speed the rejection of data from botnets or other malicious users. A complete white-list proxy service will include the ability for the login service to de-register a session and IP address. The proxy service should also be able to do this itself if it suspects that a game client or game session has been compromised (even core game servers should be able to “black-list” a game client based on anomalous data or activities).

S CALABILITY

AND

A VAILABILITY

It is always surprising how routinely online games underestimate traffic at start up. The term “overwhelmed servers” is a routine part of the first hours, days, or weeks of far too many game services. There are ways to plan for huge surges or spikes in systems and bandwidth, but none of them is free and they take some serious effort and planning. The game industry isn’t the only one that faces this challenge: Sporting events such as the Olympics can create huge, short-term demands for hardware and bandwidth. Large traffic spikes can also be addressed through the game’s core architecture. EVE Online’s architecture allows multiple solar systems to be housed on a single server so that sparsely populated systems can share resources9. Although game servers may be costly to bring online, it is easier to support surges of license registrations for new games. License registration does not require massive amounts of data to be sent or complicated server support like an MMO. I am not privy to inside data on these cases, but I suspect many games use the same system architecture for license registration as they do for regular online game play: direct socket connections to the license servers, and so on. This is really not necessary. Game registration systems could easily use a standard HTTP POST code with a polite retry system to help handle new game traffic spikes. As a default, the server would respond with the registration key for the application, but it could also send a cached “wait 60 seconds” message to spread out requests. There are many tools to support scaling up websites, ranging from application acceleration tools to virtual servers (which provide the ability to add new servers on the fly) and cloud services (pure “cloud” applications that are not tied to individual hardware platforms), as mentioned previously. Of course, the actual license processing would be carried out on a backend database and application server behind a web server in a typical threetier architecture allowing both front end and backend servers to be added easily.

340

Protecting Games: A Security Handbook for Game Developers and Publishers

Another option for handling high-volume license registrations is to take advantage of email. After all, if a player is online, she almost certainly has an email account. The game could build a structured registration message for the game server that a player could easily paste into an email, and then cut and paste the response to the message when it is received from the game site. Just like web servers, standard email systems are built to scale well; there is no need for game developers to create new solutions when off-the-shelf answers are available.

S AMPLE G AME O PERATIONS A RCHITECTURE Any online game service is going to have a number of fairly standard major systems: The Game(s)—The actual game servers, their supporting proxy servers, databases, and other application servers. The Website—The basic website and community services. The website may also include the front-end support for ecommerce and payments. Game Operations Center—The server, network, and application management functions for the game service. The administration of the website may be included within the operations center or handled separately. Corporate IT—The back office where the game company staff do their work. Conceptually and practically, it is important to separate the day-to-day work of the staff from the actual operations of the game service. There may also be a separate duplicate or small version of the game service itself for testing and back-up purposes. Content Delivery—Many games use a mix of internal and outsourced contentdelivery systems to deliver game software and updates to players. Figure 32.1 shows one such sample game operations architecture. There are several components of an online game service that are particularly important from a security perspective: User Financial Database and Payment Processing Services—Controlling access to any resource that can be monetized is critical. The most valuable target in a game service is any database that contains user credit card or other financial information. These financial and payment systems should be physically separated, if at all possible, and their electronic interfaces closely controlled. If a game has valuable virtual assets, especially with a potential for gold farming, the database that contains those assets should be handled with a level of care similar to that used for a financial system. In addition, financial and payment systems should be carefully controlled and all actions logged.

Chapter 32 Denial of Service, Disasters, Reliability, Availability, and Architecture

341

FIGURE 32.1 Sample game operations architecture

User Account System—Any information about players should be carefully protected. Even though the US does not have strong privacy laws, other countries do and protections like the previously discussed California Data Disclosure law can make any error costly (see Chapter 29). If these systems do not need to be easily available in real time online, restrict access to them as much as possible. If there is data that does not need to be retained or collected, don’t collect it. Data that doesn’t exist can’t be compromised. Logging Systems—Although not shown in Figure 32.1, it is critically important to make logging and analysis systems for all part of the online game service as independent, thorough, and reliable as possible. There is no accountability without history. Logging is not sufficient; it is crucial to build tools to facilitate the analysis of all logs as well as include alerts, metrics, and statistical information for critical logged events. Player Systems—It is actually possible to use the player’s systems as part of the overall reliability, availability, and security of the overall game service. Although player computers may be in “untrusted” and “untrustworthy” hands, they are also very independent of the core game servers. Traditional IT infrastructure and management systems are not often considered part of a game service. However, it is important to think of the whole company as an integrated system—including external entities and interfaces like payment

342

Protecting Games: A Security Handbook for Game Developers and Publishers

processors and outsourced services. All of these components must work together to provide a reliable service. Unplanned interactions between these components can be the source of problems: In late 2007, CCP Games took EVE Online offline due to a suspected security breach10. There was some discussion that the attack originated via a key-logger on a regular office IT computer that had been hacked. True or not, understanding the actual interaction between system components and the activities of individual employees, partners, and players is critical for security success.

D ISASTERS

AND

D ISASTER R ECOVERY

There are many, many circumstances that can knock a system offline. Fires, rain, floods, earthquakes, hardware failures, power outages, vendor problems… the list goes on and on. As I noted at the beginning of this chapter, it is impossible to plan for everything. In December of 2006, Valve Software’s Steam online service was knocked offline by a major storm in the Pacific Northwest11. Sony Online Entertainment, having experienced a number of wildfires in San Diego, was able to keep the game running during a major fire in October 2007, but with minimal technical and customer support12. Perhaps the easiest way to avoid catastrophic failures is to build a truly distributed system. Multiple sites with independent service providers can handle disasters more easily simply because all of the locations in a well-designed distributed system are unlikely to be vulnerable to a single disaster. Because of their experience with hurricanes, many organizations with headquarters in the Southeastern part of the US have moved aggressively to be able to deal with a disaster that can knock out a large region13. More modest failures can still cause serious problems. Outages at individual servers or databases can lose valuable data. A Singapore MapleStory server failed and lost hours of play for several thousand players14. Many games include a substantial game client. This system could conceivably be used as part of a backup and recovery strategy by storing critical game data on player computers. Note that it is not necessary to store a specific player’s data on her own computer and the data obviously needs to be stored in a manner that the player cannot modify (or even read) the encrypted, signed player data.

C ONTINGENCY P LANNING Online games are first and foremost services: Their value and revenue comes from being available to customers. Outages can lead to customer dissatisfaction and abandonment. Design choices can make a game more or less vulnerable to disasters

Chapter 32 Denial of Service, Disasters, Reliability, Availability, and Architecture

343

and substantially affect the cost of ensuring service availability. Often online services will provide “free” time to compensate for outages to protect their relationship with their customers. This “free” time is far from free for the game provider. Employee salaries were still paid while the service was down and other expenses were incurred. The “free” time itself costs additional potential revenue. This is not to say that companies should not offer customers compensation, but avoiding the need to incur such expenses should be part of the game service’s business plan. Planning for contingencies must not be a paper exercise. It should not result in PowerPoint presentations and unread binders sitting on shelves. Actively working to avoid costly outages is usually a better business strategy than just recovering from failures when they occur.

R EFERENCES 1. Xen (2008), “Xen,” http://www.xen.org/ 2. VMware (2008),”VMware,” http://www.vmware.com/ 3. Amazon (2008), “Amazon Elastic Compute Cloud (Amazon EC2),” http://aws.amazon.com/ec2/ 4. Evening Times (2004), “Blackmail Threat to Net Bookies,” http://playnoevil.com/serendipity/index.php?/archives/7-Blackmailers-Threaten-Denial-of-ServiceAttack-Against-Net-Bookmakers-February-2004.html (article no longer available from the Evening Times) 5. W. Knight (2005), “Attack on Game Raises Prospect of Online Extortion,” http://www.newscientist.com/article.ns?id=dn7293 6. Chosun Ilbo (2007), “Hackers Threaten Cyber Money Sites,” http://english.chosun.com/w21data/html/news/200710/200710100013.html 7. T. Walsh (2006), “Rogue Lily Disrupts ‘Second Life’ Service,” http://www.secretlair.com/index.php?/clickableculture/entry/rogue_lily_disrupts_second_life_service/ 8. A. Modine (2007), “World of Warcraft Exploit PKs Servers,” http://www.theregister.co.uk/2007/08/27/wow_exploit_crashes_servers/ 9. B. Drain (2008), “EVE Evolved: EVE Online’s Server Model,” http://www.massively.com/2008/09/28/eve-evolved-eve-onlines-server-model/ 10. N. Breckon (2007), “EVE Online Database Security Breach Leads to Downtime of Game, Website,” http://www.shacknews.com/onearticle.x/49539 11. McWhertor (2006), “God Hates Steam, Too,” http://kotaku.com/gaming/god/god-hates-steam-too-222329.php 12. Sony (2007), “SOE Support Services Suspended During Emergency,” http://forums.station.sony.com/vg/posts/list.m?topic_id=21161 13. FDIC (2008), “Lessons Learned from Hurricane Katrina: Preparing Your Institution for a Catastrophic Event,” http://www.fdic.gov/regulations/resources/lessons/index.html 14. A. Siew (2007), “Server Glitch Loses Gamers Points, Virtual Cash,” http://www.sgforums.com/forums/1720/topics/294434

33

Scams and Law Enforcement

“You can’t cheat an honest man; never give a sucker an even break, or smarten up a chump.” —W.C. Fields1 veryone is looking for an edge, some sort of advantage to get ahead of everyone else. One of the things that breeds cynicism in security professionals is the constant reminders of how reliably corruptible virtually everybody is. Another group of avid students of human frailty are con artists.

E

In general, there are two types of scams that target online games. The most common scams offer players an advantage in a game: some sort of cheat or aid that makes the game easier for them than it is for everyone else. Sometimes the scammers offer a cheat tool that works but also has some “extra features,” such as a keylogger or some malicious software. Other cheat-aid scams are more brazen. They offer a fake cheat; something that the scammers can show on YouTube or offer for sale (or even for free) on a website. The second type of scam is pretty new for online games. It is a Ponzi scheme or pyramid scam that uses a game as the “front business” to conceal the fraud. In some sense, this is flattering to the game industry: Games are widely seen as a “hot new business” and con artists are using them to pull in unsuspecting individuals looking to cash in on the industry’s popularity. Games and other online services are facing a range of criminal activities, including scams and fraud. It is important to understand how your game company should work with law enforcement. Game companies may seek out the help of law enforcement for recourse after a crime, but game companies can also be contacted by law enforcement to support an existing criminal investigation. Companies need to be cautious because sometimes law enforcement officials make inappropriate requests that may put a business in legal jeopardy as well as endangering the company itself.

344

Chapter 33 Scams and Law Enforcement

S CAMS

IN

345

G AMES

The competition between players that underlies most games makes finding “suckers” for scams pretty easy. The same passion about a game that leads some people to play 20 hours or more per week also brings out some people’s desperate need to get ahead. The scammers are there to fulfill that need to win at any cost. Sometimes, the tools are pretty innocuous. In 2006, a crooked inside developer turned a legitimate poker tool that tracked the “rake” (the commission on each hand) collected by online poker sites into a piece of malware that also installed four tools that collected username and password information from the poker players and sent it over the Internet to the criminals2. In 2008, a company released a tool for EVE Online that was supposed to automatically queue up skills for players so that they would not have to log in at odd hours, which also happened to include a Trojan program that stole passwords3. What is interesting about both of these tools is that the game developers themselves could easily have provided these features in the basic game application: It would be a simple courtesy for a poker site to provide tracking information about its own fees. In fact, the reason players want tools like this is that they suspect that the game site is cheating them on the rake. For EVE Online, there is no real reason that the game itself should not allow players to queue up skills to be trained. (EVE Online is unique in the MMO genre in that players earn skills based on elapsed, calendar time, not based on game play activities.) Today, players have to be online to change from one skill to another—an inconvenience that doesn’t help game play and that opened the door for this malicious tool. Many games ban most or all third-party tools, but in some sense this is futile. Because players control their own computers, they will always find a way to run independent tools (see the discussion of bots in Chapter 15). As noted in the earlier discussion, it probably makes more sense to design the game so that such tools are either unnecessary or can be used legally. If there are tools, it would be better for the game and for players if they could buy the tools from the game company who can certify their features, not to mention capture some revenue by running a tool store. Fake hacks are particularly troubling for games. Scammers who create fake hacks don’t need to create a real hack or tool for a game; they offer a way to get more of whatever the game values (additional money, experience, items, and so on) by providing some instructions that include giving the scammers the player’s username and password (and sometimes even credit card). Someone, scammer or not, it doesn’t matter, submitted an alleged “hack” against Sulake’s Habbo Hotel virtual world to my blog4. The hack demonstrated in a YouTube video how to give a player tons of furniture and items. Actually, the

346

Protecting Games: A Security Handbook for Game Developers and Publishers

hacker used a memory editor to add items to the inventory in the player’s game client application. This worked because the art assets for all of the items are included in the game client on the player’s computer. Virtually all online games work in a similar manner and are vulnerable to the same “attack.” To most players, the attack looks valid since it is using the actual game client and art assets. However, these changes are purely local to the player’s PC and do not actually alter the information in the game’s database. The videos have since been removed, apparently at the request of the game’s publisher. YouTube poses a particular risk for game companies. Whenever a game company contacts me to consult on a game, the first place I look for attacks is on YouTube. Often, I find some pretty entertaining exploits. However, there are fake hacks mixed in with the real ones. The key clue to identifying the fake hacks is the request to go visit the scammer’s website and enter your username and password, install some software, or buy a tool. Game companies need to constantly keep up with these videos and contact YouTube to take them down. Third-party sites can also house scams. These sites are run by fans, and occasionally scammers, for games. In general, third-party sites are great for a game. Player-run forums, blogs, social networks, and other communities are evidence of a game’s popularity and are mostly beneficial. However, the low level of technical skill of many of these fan sites makes them good places to launch an attack against a game—either direct malicious code attacks or as a means to advertise “fake hacks” and other malicious tools. Both of the malicious tools mentioned previously were downloadable through otherwise legitimate game community sites or found on YouTube. Simply setting up a fraudulent fan or community site for a game is not usually sufficient to cause real problems for the game company. Game community sites take a lot of effort and are really a labor of love by the players who create them. IGE, known for its involvement in the gold-farming and gold-selling businesses for World of Warcraft, notoriously bought two very popular WOW community sites: Allakhazam5 and WowHead.com6. Gold frauders and power-leveling firms (see Chapter 22) can take their business a step further by using their interactions with game players to scam them as well. The players who use gold farming and powerleveling services have little recourse, as they are already cheating at the game. Game companies can do little to directly protect themselves from scammers who use third-party sites to target their games. Even though the game company and game are blameless, these scams can be costly from a customer service perspective when players complain about looted accounts, viruses, and other security problems.

Chapter 33 Scams and Law Enforcement

347

One tactic that may make life difficult for scammers is to sponsor “official affiliate” community sites that have access to game art assets, animations, and affiliate revenues in return for following a code of conduct. The sites could perhaps even allow the game company to scan the fan site for malicious code and downloads. Another tactic that was mentioned previously is the notion of bundling a good security tool suite with the game client.

G AME S CAMS There are two main categories of game scams: (1) scam business models that target affiliates and partners and (2) crooked game operations. Game business models that are scams are a relatively new problem and I have yet to see a case go to trial, although I have seen several suspicious games. The closest example was an FTC move to shut down the online music service BurnLounge7. Most of the scam business models are variations on pyramid schemes or Ponzi schemes. These business models basically “rob Peter to pay Paul.” Later entrants’ fees fund the earlier participants, who are continually encouraged to recruit others. The typical clue that a game business model is not legitimate is that it has a very complicated payment structure8. However, it could be quite interesting to see a game company legitimately use a multi-level marketing business model; even affiliate revenue-sharing services are not supported all that widely in the game industry. If used more widely, affiliates, channels, and MLM programs could deter game scams by giving fan sites a legitimate revenue stream to reward their efforts. Crooked game operations have mainly been a problem for online gambling, although the problem could also affect skill games, online lotteries, bingo, and contests with an entrance fee. These crooked games either rig the game so that no legitimate player wins or they simply refuse to pay out and take the players’ money and disappear. One of the consequences of attempts at prohibiting online gambling is that even game companies that desire legitimacy have been unable to be licensed in major jurisdictions. (This may be changing in many countries in Europe as of 2008.) Lacking strong government licensing regimes, industry groups will need to self-regulate and self-certify. Skill games could be a prime target for scams, as there is a general weakness and lack of uniformity of regulation for the industry (this is also true for other “not gambling, but games for money” businesses).

348

Protecting Games: A Security Handbook for Game Developers and Publishers

L AW E NFORCEMENT

with J. Price Game companies may need to contact law enforcement to handle a security breach or in case of fraud; or they may be contacted by law enforcement in support of an investigation. The topics of how to collect, retain, and preserve data that may be needed for evidence are far beyond the scope of this book, but an online service’s leadership, IT staff, engineering team, and legal counsel should consider these issues carefully throughout their design and development process. Most operators of online games and other online services will eventually receive a request from law enforcement asking for information about an end user. When a state or federal law enforcement officer presents a subpoena, court order, or some other “authorization,” the game operator should not panic. These are typically routine events, and should be processed professionally and efficiently. First, have a plan in advance. Designate someone in the company to receive and interact with law enforcement. When the request comes in, be sure it is immediately forwarded to the designated person. That person must decide whether the request is valid and is what it purports to be or escalate matters further to management or legal counsel. Ideally, legal counsel can assist to make the determination whether the request is valid and provide guidelines that game company staff can use for most situations. After the game company has seen a number of requests, counsel should only be necessary for the “odd-looking” ones because company personnel will develop a feel for what are legitimate and illegitimate requests. It is important to note that if the request is obviously illegitimate, the company may be held liable for turning over the requested information. Generally speaking, however, there is immunity for a good faith reliance on law enforcement. But the immunity does not extend to all situations, and caution is warranted as seen by the recent lawsuits against U.S. telecommunications firms for their involvement in the government’s “warrantless wiretapping” program9. The designated person may delegate tasks where appropriate. However, law enforcement might require tight secrecy in some instances, which will limit who in the company can know about or assist with supporting the activity. If there is any doubt about who can know about the request, ask the law enforcement agent. In most instances the request will include explicit instruction and leave little confusion, but do not hesitate to clarify any concerns with the agent. After accepting the request and establishing that it is valid, the person designated to assist law enforcement should consult the relevant staff to determine whether the information being requested (1) is available and (2) can be provided to

Chapter 33 Scams and Law Enforcement

349

law enforcement within the period of time allotted in the request. If the request is legitimate and the information is available, you should fulfill law enforcement’s expectation. If the request appears legitimate and the information is available, but the company simply cannot meet the deadline, the company has recourse to protect itself. You may consider making the law enforcement agent who served the request aware of any difficulties that you have, as the agents are in a position to alter the request and avoid a confrontation in court. Courts can receive challenges to law enforcement requests and alter the request to make it more manageable or provide other relief. It is important to ask the law enforcement agent about reimbursement procedures for their agency. You may be able to have costs you incur when responding to a law enforcement request reimbursed. The federal government and most states permit a responding person or entity to be reimbursed for their time and associated expenses such as overnight mailings. The reimbursement might not cover all costs, but it can help, especially if you receive numerous requests. Another good practice is to keep the law enforcement request and any related material in a safe, secure location (unless law enforcement forbids the record retention for security reasons). Keep these records after you have complied with the request. If any issue arises later, you will be able to refer back to the records.

F ACILITIES R EQUIREMENTS : P OTENTIAL U NEXPECTED L AWS

AND

R EGULATIONS

with J. Price Game services are not just providing games. They provide a range of network and communications services that may impose requirements to support law enforcement. Depending upon the game’s infrastructure, game designers may need to comply with various laws. For example, if a game operator provides voice service, it may have legal and regulatory obligations under the Federal Communications Commission’s (FCC) Communications Act. But its obligations will depend upon how the service is provided and whether a different service provider is responsible for legal and regulatory compliance. If the operator provides its own network facilities or provides broadband Internet access, the Communications Assistance for Law Enforcement Act (CALEA) should be reviewed. CALEA requires that the operator include specific security features within the network. It also requires the service provider to file “System Security and Integrity Plans” with the FCC and adhere to those plans within the company.

350

Protecting Games: A Security Handbook for Game Developers and Publishers

A number of other regulations might also apply, including taxes and tariffs and “Universal Service” obligations, just to name a few. It is recommended that you take a careful look at the legal obligations that might come with any expansion of services, or before you implement a unique business strategy that may impose regulatory requirements. Also, be very aware of the obligations that come along with services being provided by third parties. A contract with another company can leave you with unexpected legal obligations. You might assume that the third-party service provider is responsible for compliance with the assorted regulatory obligations that are associated with the service and, therefore, you do not have related legal exposure. Most service providers, however, go to great lengths to avoid regulatory obligations, and the details of the service agreement contract might shift the burden to you. You do not have to accept the “standard” contract that another party offers. Negotiate. One place in the contract to study carefully is the “indemnification” section, which explains how and when you must protect someone other than yourself. Some third-party contractors try to avoid any responsibility and, when an issue arises, leave the obligation to you. It is usually reasonable to indemnify against issues you may cause the service provider, but they should stand by their product and handle expected as well as unexpected issues and expenses related to providing the service. Also, as always, be careful who is responsible for costs and taxes related to the service. Be sure these terms are defined broadly and do not come back to haunt you.

R EFERENCES 1. W.C. Fields (1939), “You Can’t Cheat an Honest Man,” http://www.imdb.com/title/tt0032152/quotes 2. F-Secure (2006), “How’s Your Poker Face?,” http://www.f-secure.com/weblog/archives/archive-052006.html#00000878 3. J. Egan (2008), “EVE Online Trojan Warning,” http://www.massively.com/2008/09/27/eve-online-trojan-warning/ 4. S. Davis (2007), “Demonstrating Real Game Hacks vs. Fake Game Hacks: Fake Cheats Attack Sulake’s Habbo Hotel,” http://playnoevil.com/serendipity/index.php?/archives/1243-Demonstrating-Real-GameHacks-vs.-Fake-Game-Hacks-Fake-Cheats-Attack-Sulakes-Habbo-Hotel.html 5. L. Smith (2006), “Gold Farmers Buy Allakhazam,” http://www.1up.com/do/newsStory?cId=3150282 6. Emma_UK (2007), “WOW Fansite Sells for Reported $1 Million,” http://www.gamespot.com/news/show_blog_entry.php?topic_id=25727087 7. G. Gross (2007), “FTC Asks Court to Shut Down Digital Music ‘Scheme’,” http://www.pcworld.com/article/132857/ftc_asks_court_to_shut_down_digital_music_scheme.html 8. S. Davis (2007), “Multilevel Marketing for Games? And a Bit of Info on Pyramid Schemes,” http://playnoevil.com/serendipity/index.php?/archives/1310-Multilevel-Marketing-for-Games-And-aBit-of-Info-on-Pyramid-Schemes.html 9. J. Leydon (2007), “AT&T Sued Over NSA Warrantless Wiretapping,” http://www.theregister.co.uk/2006/02/01/atandt_wiretap_assistance_suit/

34

Operations, Incidents, and Incident Response

perations is where “the rubber hits the road.” It is also where security pays off or fails. Security becomes real when technology is combined with business operations to actually do something. If users and operators circumvent security because it is too complicated or too expensive or too time consuming, it is a failure of the security team, not the users. It is appalling to read professionals in the security industry talking about PEBKAC— the problem exists between keyboard and chair—the user, in other words1. Security is, at its core, as much about human behavior as it is about technology.

O

There are some in the security industry who’ve taken the adage “the best defense is a good offense” to heart. Instead of being content with protecting their games or other online services from the “bad guys,” they’ve decided to turn around and wage war on their foes. Some of these techniques are very self-contained, but others are more aggressive and expose their users to legal and business risks. It is almost inevitable that security systems will fail. Good security systems are designed to fail gracefully and recover quickly. Unfortunately, many developers neglect to plan for failure. Some of the worst security incidents are the result of failure to consider the possibility of the system’s failure. Such systems tend to collapse catastrophically and sometimes can never recover. One of the worst characteristics of many public key cryptography systems is that their compromise recovery systems (compromised key lists and certificate revocation lists) are terribly awkward and inefficient. Games are a particularly public business. When things go wrong, they are highly visible and widely commented on. Part of protecting the integrity of the game and game company is planning for public relations problems, especially when responding to security incidents. Although almost everyone would prefer that security incidents don’t happen, effective preparation and a well-handled response can sometimes turn a security incident into a marketing and branding benefit.

351

352

Protecting Games: A Security Handbook for Game Developers and Publishers

S ECURE O PERATIONS There is a lot more to security than just good technology. One common delusion is that security systems need to be invisible to users. In fact, the most familiar security system of all, standard keys for cars and homes, are highly visible and somewhat inconvenient. From an operational perspective, they work pretty well. People lock doors (most of the time) and crooks need to find another way in. It is also fairly obvious that people don’t lose keys too often, but they can “recover” from the loss or compromise of a door or car key pretty quickly. Games and other online services are defined by their interfaces and procedures. It is unfortunate, but good human-machine interface (HMI) design does not seem to be part of the security discipline. This is regrettable, as psychology and ergonomics probably have a huge impact on the actual secure operation of systems. There are two equally important interfaces that need to be considered to operate a game securely: that of the game company’s operational staff (live team, system administrators, customer support staff, security staff, and so on) and, of course, the players. One of the benefits of using a physical security token is that people are used to protecting hardware keys. Blizzard’s authentication token will provide most of its security benefits just because it is a physical key—the details of its cryptography and any anti-tamper or other design features probably hardly matter. Similarly, because people protect their cell phones as valued items, the Asian games that use a cell phone challenge-response system are likely to be quite effective and secure (see Chapter 29). Successful, secure operations are usually invisible. Often, so are unsuccessful ones. One of the rare instances of a game having problems with its internal security operations has been a series of account thefts at Xbox Live. Hackers have been able to use “social engineering” to access other player accounts. First, there is a basic weakness in the Xbox Live system—player’s publicly known Gamertags are also their account names. This aids attacks by making it easier to hack accounts directly (by guessing passwords and so on) and makes it much easier to convince customer support to disclose or reset a player’s password. …(W)hen I first heard about the “Xbox Live network hacked” story, I checked with the people on our end, and then posted about it. As originally posted, Xbox Live has not been hacked. That is still true. A security researcher, Kevin Finisterre, discovered not a hack, but the fact that some accounts may have been compromised as a result of “social engineering,” also known as pre-texting, through our support center. Kevin gave me a call directly and once I realized what he was talking about (he sent me some painful-to-listen-to audio files), I confirmed that the team is fully aware of this issue. They are examining the

Chapter 34 Operations, Incidents, and Incident Response

353

policies, and have already begun re-training the support staff and partners to help make sure we reduce this type of social engineering attack. —Major Nelson (Larry Hryb, Xbox Live Director of Programming)2 From an operational security perspective, the statement “Xbox Live has not been hacked. That is still true.” may be true, but it is also is fairly meaningless. It is clear that the security of the system was compromised whether through technical measures or procedural gaffes. Even worse, it appears that the problem was not resolved. Although the first incident was made public in March 2007, in September 2008 these incidents seem to be continuing—in the latest case, a senior employee of Bungie from the Halo 3 team’s Xbox Live account was among those compromised3. What is frustrating is that the system’s security could probably be improved fairly easily (although there certainly may be internal constraints on the system that I am unaware of): Xbox Live accounts are, at least partially, tied to a specific console. Microsoft could use that console’s ID number to authenticate the user by having the user tell the customer service rep the number. Microsoft could also use any credit card information associated with the account owner to authenticate users. This could be done through the console so that the customer service rep is not told the card number. Depending on the account details, authenticating another credit card to confirm the player’s address could work as well. Microsoft could send an email to another email account owned by the user that had been established previously as the “emergency notification account” (or a phone number or an SMS message or even regular mail). Microsoft could use the official Xbox console to send a challenge message to a user (similar to the phone systems used by Korean game companies discussed previously). Of course, the best solution would be to break the link between the Gamertag and the user ID. The fact that everyone knows your user ID on Xbox Live makes the attack much easier. As to the customer service system, it really shouldn’t “unlock” the account, even for the customer service rep, until the user has passed an official, authenticating challenge. The Xbox Live scenario is only an example. The essential key is to design operational procedures and user interfaces, not just technology and systems, to help players and company staff operate in a secure manner. There is no security without people.

354

Protecting Games: A Security Handbook for Game Developers and Publishers

A CTIVE M EASURES Some companies have gone beyond simply defending themselves; they are attacking their foes. Although “information warfare” may sound exciting and tempting, anyone who is not in government is likely putting themselves and their business in legal peril. Any time a game or other application has an effect beyond the application itself, there are opportunities for trouble. The Starforce DRM tool was controversial because it affected the use of DVD drives for other applications than just the game it was intended to protect (see Chapter 5). The Sony BMG Rootkit could be used for other purposes besides defending a specific song from copying and had the potential to open the computer up to external attack. Online applications are even more risky. Customers have legitimate concerns about their personal privacy and integrity of their computers. Blizzard’s Warden anti-cheating tool, and some other similar products, captures information about the player’s computer’s processes and even some screen data from the player’s computer. From a user perspective, there is little difference between a key-logger installed by a hacker and one provided as part of the latest game. The potential for serious abuse by these applications is a real concern from a public relations and marketing perspective, if nothing else. The Motion Picture Association of America (MPAA) and Recording Industry Association of America (RIAA) have adopted active measures against media piracy (see Chapter 9). It is unclear whether these activities have been effective in fighting piracy. What is clear is that some of these techniques have backfired. MediaDefender launched a denial of service attack against a legitimate firm that uses peer-to-peer distribution services. This action resulted in an FBI investigation as a potential violation of computer security laws4. More broadly, the RIAA and MPAA have been getting less sympathy in court and no sympathy from the general public for their strong-arm tactics. The potential for civil and criminal actions (not to mention terrible public relations) from active security measures should make them a tactic of last resort, if active measures are even to be considered at all. If you would ever be concerned that there was a newspaper story describing your active measures, you probably should choose an alternative strategy.

I NCIDENTS

AND

I NCIDENT R ESPONSE

Earthquakes, fires, theft, data loss, hackers, or other disasters or security incidents happen regularly to companies everywhere. It is impossible to plan for every variation, but it is more than prudent to have an overall plan for the major types

Chapter 34 Operations, Incidents, and Incident Response

355

of incidents that you may face. Level Up, an MMO operator in the Philippines, uncovered currency duplication cheating in the game RF Online that caused massive, 500 percent inflation in the game’s economy5. The company had hoped to identify the cheaters and remove them and their ill-gotten gains from the game. However, they found that the entire game economy had been corrupted because of the massive influx of illegally created game currency. Instead, the Level Up team rolled back the server and gave bonuses to all players to compensate for their losses (and worked with the game’s developer to fix the game’s software). The key is to have well-established procedures. After running EVE Online for several years, CCP Games had a mature process for dealing with potential security incidents. In October 2007, employees identified an anomaly in the game’s database that indicated a potential exploit6. Standard procedures were followed and an assessment was made by an internal team. They decided to take the game offline within two hours of initially identifying the exploit because of the potential risk. CCP had expected to be offline for two hours, but it took ten hours to fully reconstitute the game’s security and safely restore service. Because CCP Games had an orderly process for handling general security incidents, they were able to rapidly contain the problem, repair the service, and keep their customers informed. The following activities should be included in an incident response and recovery process: Alert—Online services need to include sufficient internal telemetry and monitoring systems so that it is possible to know if something is going awry. In addition to technical systems, skilled operators are essential. A good operator should be able to “sense” an anomaly and be able to clearly communicate the problem to management. Escalate and Act—Once a human or technical system has identified that an incident has occurred or is in process, management needs to be notified so that they can bring together the resources necessary to respond. This should include appropriate technical staff, but also business, public relations, customer support, marketing, legal, operations, and any other group that may be necessary to actually handle the incident, work with customers, and address impacts to the business. Identify and Assess—The designated team needs to determine the actual nature of the underlying problem that triggered the incident as well as assess the severity and scope of the problem. The team needs to develop strategies to address the problem itself as well as limit the impact of the incident on the company’s operations. In addition, the team will form a communications strategy to protect the company’s relationship with its customers and handle any media inquiries.

356

Protecting Games: A Security Handbook for Game Developers and Publishers

Contain—Once the underlying problem has been identified, the team will implement a containment strategy. This can include doing nothing and accepting the (limited) impact of the compromise; disabling certain functions, features, or servers; restricting access by certain users; or shutting down all or a portion of a service. Communicate—Some level of customer communications is critical to managing an incident. There needs to be a solid communication strategy operating in parallel with all of the other incident response activities. This may extend beyond the actual problem to deal with rumors and speculation by customers and the media. The goal is to keep customers and the public informed and confident in the company. One important communications element is not to lie. Most likely, any lie will be found out and it will undermine all future communications by the company during this incident or any that occur in the future. Repair and Recover—Once the problem has been contained, the incident response team should fully analyze the situation and develop an actual repair or work-around. There is a balance between rapidly reestablishing service and repairing the problem. This may not be a single-step process. It is also possible that service may not be fully restored to the state prior to the incident if the problem is severe enough. Review and Revise—After the system has been fully restored, the company should review its incident response procedures as well as its overall operations to determine whether there are related weaknesses that could lead to additional incidents. Operations, technical systems, and the incident response process should be updated based on this close-out review. The company may also issue compensation, incentives, or freebies to players in accordance with the impact of the incident. There is something to the notion that one’s true character is revealed through adversity. How we respond to security incidents and other crises can have an important effect on how we are perceived by our customers, partners, and employees. Although it is best to be able to avoid such incidents, a modest level of planning can be the difference between humiliation and increased respect.

P UBLIC R ELATIONS

AND THE

P ERCEPTION

OF

S ECURITY

Perfect security is not possible. One of the keys to effective security is trust. It is important that customers, partners, and employees believe that your system is secure, that you care about hackers, that there is no cheating or abuse, or, if there is, you are actively doing something about it. Because of this, good public relations is important to your security.

Chapter 34 Operations, Incidents, and Incident Response

357

Balancing public relations and security is not necessarily easy or obvious. For a long time, Blizzard provided regular reports on the number of players that had been banned for cheating or gold farming. This was done to give players confidence that the company cared about the problem and was doing something about it. Square Enix provides regular, monthly reports on the state of security in the game7 and other companies make periodic announcements about exploiters caught, gold seized, and other security news8. Interestingly, however, Blizzard has stopped providing nearly as many announcements about gold farming due, in part I believe, to a concern that the announcements were acting as an advertisement for the potential lucrative opportunity from gold farming instead of working as a deterrent9. The worst thing for a game company, or any other business for that matter, is for security to overshadow the business. Electronic Arts launched the game Spore to much fanfare. However, the game’s digital rights management system became almost more of a story in the media than the game itself10. Although the game appears to be a substantial hit, the large number of negative stories about its security system probably cost the game many sales. One has to wonder if there were more sales lost due to bad public relations from the security tool than sales added by the anti-piracy product. A good PR campaign can actually solve some security problems. CCP Games faced a huge trust issue in the wake of a scandal where company employees were cheating in the game for their teammates’ benefit11. The company’s initial response created a serious perception problem in the player community. When CCP realized that players’ trust in the game was being undermined, they took action. They created a Director of Internal Affairs12, but, more significantly, began a move towards creating a process for incorporating players into the process of running the game13. The Council of Stellar Management has become a story in and of itself, including getting positive coverage for EVE Online in The New York Times14 and elsewhere. Completely false stories can also be damaging. ArenaNet was falsely charged, by a disgruntled former employee, with aiding gold farmers and other abuses15. It took a year for the miscreant to confess, but ArenaNet still had to deal with the incident. The challenge for any consumer business is to avoid even the appearance of impropriety and be as transparent as possible to protect your players’ trust and your company’s reputation. From a security perspective, public relations is important for maintaining the trust and reputation of the game or online service. It is the very last part of the mesh of technical measures, operational procedures, and good customer care. Security and public communications is a balancing act. It is important to instill trust in current and potential customers, but it is foolish to unnecessarily provoke hackers and criminals.

358

Protecting Games: A Security Handbook for Game Developers and Publishers

R EFERENCES 1. E. Bangeman (2007), “Study: PEBKAC Still a Serious Problem When it Comes to PC Security,” http://arstechnica.com/news.ars/post/20071001-study-pebkac-still-a-serious-problem-when-it-comes-topc-security.html 2. M. Nelson (2007), “Xbox Live Security Update,” http://majornelson.com/archive/2007/03/23/xbox-live-security-update.aspx 3. P. Klepek (2008), “Reports of Hacked Xbox Live Accounts Stir Concerns Over Gamers’ Security,” http://www.mtv.com/news/articles/1593637/20080827/id_0.jhtml 4. D. Kravetz (2008), “MediaDefender Defends Revision3 SYN Attack,” http://blog.wired.com/27bstroke6/2008/05/mediadefender-d.html?cid=117123750 5. GM T (2008), “RF Online Philippines Rollback,” http://gmtristan.com/rf-online-philippines-rollback/ 6. CCP Games (2007), “EVE Online Service Restored after Unexpected Downtime,” http://www.eve-online.com/news/newsOfEve.asp?newsID=464 7. Square Enix (2008), “Accounts Banned (Mar. 25),” http://www.playonline.com/ff11us/polnews/news12898.shtml 8. J. Wood (2006), “Cheaters Never Prosper!,” http://www.mmorpg.com/gamelist.cfm?loadnews=4798&fp=1280%2C800%2C2041228203%2C2006031 4180812&bhcp=1 9. S. Davis (2007), “World of Warcraft Bans 100,000 Accounts in March, And Doesn’t Tell Me!,” http://www.playnoevil.com/serendipity/index.php?/archives/1237-World-of-Warcraft-bans-100,000accounts-in-March-And-doesnt-tell-me!.html 10. A. Greenberg, M. Irwin (2008), “Spore’s Piracy Problem,” http://www.forbes.com/2008/09/12/spore-drm-piracy-tech-security-cx_ag_mji_0912spore.html 11. J. Blancato (2007), “Jumpgate: EVE’s Devs and the Friends They Keep,” http://www.escapistmagazine.com/articles/view/editorials/op-ed/847-Jumpgate-EVE-s-Devs-and-theFriends-They-Keep 12. CCP Games (2007), “CCP’s Director of Internal Affairs: An Introduction,” http://myeve.eve-online.com/devblog.asp?a=blog&bid=429 13. S. Schiesel (2008), “In a Virtual Universe, the Politics Turn Real,” http://www.nytimes.com/2007/06/07/arts/07eve.html?_r=2&adxnnl=1&oref=slogin&adxnnlx=11812321 01-fdpr4iZw9pveXa3MfyOw5A&oref=slogin 14. S. Schiesel (2008), “Face to Face: A Council of Online Gamers,” http://www.nytimes.com/2008/06/28/arts/television/28eve.html 15. S. Schuster (2008) “Disgruntled ArenaNet Employee Blogger Finally Admits it Was a Hoax,” http://www.massively.com/2008/09/12/disgruntled-arenanet-employee-blogger-finally-admits-it-was-a/

35

Terrorists

t was inevitable. Take terrorism, the bête noire of early 21st century Western society, and virtual worlds, where science fiction and reality are allegedly colliding, and put them together for a buzzword or a headline. When I first saw stories about “virtual worlds” and “terrorists,” I laughed1. The idea has somehow gained traction, however, most recently with a Pentagon analyst proposing that terrorists could use World of Warcraft to plot attacks on the US2. I realized we have entered the Theater of the Absurd.

I

V IRTUAL T ERRORISM Could terrorists use virtual worlds to hatch their nefarious plots? Of course. They could also meet in Starbucks, talk on the phone, use Skype or other VoIP technologies, or any one of the vast number of communications services that help and bedevil us all today. Would they? Who knows. Comparatively speaking, there doesn’t seem to be much advantage in doing so. Because most virtual worlds require some sort of payment and registration, they seem less appealing than the many social networks, blogs, IRC channels, or simple web forums that are available for free with the only registration being some sort of email address, if that. There have been four main “attack vectors” associated with terrorists and virtual worlds: Propaganda—Using virtual worlds to disseminate propaganda. It certainly would be possible for a terrorist to do something in many virtual worlds to press their agenda. However, the audience for virtual worlds is quite small. It would seem much easier to create a YouTube video or story that would be more likely to catch the public’s attention. One of the arguments within the online game development community is about the use of downloadable clients versus “no-download” tools like Flash. In general, the easier it is for an audience to see your story, the better, and requiring downloads definitely reduces your potential audience. 359

360

Protecting Games: A Security Handbook for Game Developers and Publishers

Training—3D environments are used by many organizations for training purposes, including the military. Some have argued that open virtual worlds could be used by terrorists to prepare an attack. The low fidelity of most commercial, for-fun, virtual worlds tends to make them not very suitable for this purpose. Also, because most of these environments are public, terrorist plotters could face their plans being uncovered by wandering players or a nosy system administrator. Standalone first person shooters could potentially be more useful. They support private servers, are optimized for combat simulation, and have a wide range of map editors and tools available for free or low cost that can accurately duplicate most potential “targets.” Ironically, the Chinese Military is apparently using one such game, Counter Strike, for training3. If one worries about such matters, the simulation tools are not really the problem. Detailed maps, floor plans, and other such information are much more dangerous and widely available online. Attacking a Virtual World—Why? It is unclear why anyone would consider a virtual world a particularly interesting target. Today’s largest online game, World of Warcraft, does have more than 10 million subscribers; however, these people are spread over many servers in many countries. Any “attack” would have limited impact, probably even to Blizzard. By comparison, the NASDAQ stock exchange handles 2 billion messages per day4 and average daily dollar volume traded was $85 billion5… a much more significant target. Attacking the Real World via a Virtual World—The wildest proposed scenario is that cyberterrorists could use an attack on a virtual world to somehow attack the real world. At this point in time, there is nothing to attack. Perhaps a hacker could take down the server that the game is operating on, but that is the end of it. Increasingly, utilities, banks, and other institutions are linking their actual business operations with online services. If you can order phone service online, there is then some sort of actual connection between the frontend website and the actual control system for the telecommunications network. This connection is a real target. Whether it is accessed through a simple web page, or an immersive, 3D environment, live business applications are the real objective for any attacker.

O NLINE T OOLS

FOR THE

M ODERN T ERRORIST

The other proposed opportunities for terrorists come from using virtual worlds or online games as means to support their operations. Like the rest of us, terrorists need to plan and fund their activities:

Chapter 35 Terrorists

361

Communication—It is certainly possible to use online games as a communications service. All support text and some are now supporting voice communications. There are a multitude of other communications services available, however. The larger concern is that government may require monitoring (or at least the capabilities for monitoring) of all online communication services in an attempt to be able to find terrorists. Voice services would probably be a bit more effective for terrorists, because they are more difficult to monitor and it’s harder to extract useful information from them. Of course wise terrorists, just like the military, know that the best way to avoid interception is to avoid communicating. Money Laundering—Moving money around and turning illicit funds into real dollars are difficult challenges. The fact that some online games and virtual worlds have convertible currencies makes them candidates for money laundering, as discussed in Chapter 28. The significance of online games is a bit overstated in this area, and I am afraid I am a bit at fault, as I was quoted on the subject in one of the early articles on terrorism and virtual worlds. The most likely candidates for online money laundering are peer-to-peer financial services, such as micro-loans, peer-to-peer gambling, skill games, online sports wagering, and gift cards. Prohibition in the US in the 1920s helped give rise to organized crime; it appears that one of the unintended side effects of the UIGEA law that restricts online gambling is the rise of anonymous covert payment systems, which may be used for terrorism as well as other forms of cybercrime. Game Crime (Funding)—Gold farming is estimated to be a $1 billion per year industry. It doesn’t take a huge amount of effort to do profitably and the risks of any sort of meaningful investigation or prosecution are virtually nil. The work is naturally fairly anonymous and its practitioners sometimes need links to ID thieves for stolen credit cards and identities. Fake hacks and other gamerelated scams could also be lucrative and have low legal risk. As such, game crime makes for a natural funding source for terrorists (and other criminals, of course). Criminal Game—There is no reason that a criminal or terrorist group could not set up and operate its own online game. The costs are modest and the project could generate reasonable potential revenues. In addition, a criminal game operation would be very useful for collecting identity information and installing malware that could be used for other types of criminal activities. Terrorists are no longer the bomb-throwing anarchists of the late 19th century. However, they are not really any more advanced technologically than the rest of us.

362

Protecting Games: A Security Handbook for Game Developers and Publishers

It is somewhat remarkable that we consider the ability of terrorists to set off bombs at the same time in multiple locations a sign of an amazing malevolent intelligence when many of us routinely set up teleconferences and meetings with our cell phones and PDAs with people from all over the world. We are terrified that terrorists use websites, social networks, online chat, and VoIP, yet tens of millions of us do the same every day. There is nothing amazing about the technologies that terrorists have used or notable about how they have used technology. If anything, the more serious potential problem will come from actions by countries or organized criminals. Terrorism is essentially theater. Its goal is to provoke a dramatic overreaction leading to political or economic chaos. A criminal or state actor is more willing to invest in a financial or strategic payoff. In early 2008, hackers allegedly caused a number of serious power outages in order to extort money from utilities6. This rather alarming story went almost unnoticed while wild speculation that terrorists might use World of Warcraft for planning purposes received wide publicity. We do believe what we see and read. I’ve included hundreds of footnotes in this book to lend credence to my argument that game security is an important issue (how many have you checked, by the way?). Virtual worlds and online games are fantasies. They are one of the few places where we know that what we are seeing is not real. As such, we do not take them seriously. This would seem to make them particularly uninteresting for terrorists, but quite interesting for criminals. Attacks on Wikipedia7 and propagating a story through numerous online sources can build a powerful, virtual truth for lies. A six-year old story about the 2002 United Airlines bankruptcy filing was accidentally republished in 2008 and the company’s stock plummeted 75 percent in less than a day8. The hoary story of the tribesmen who refused to be photographed because they are afraid that the image will steal their soul has a grain of truth. If we are shown enough images and told enough stories about someone, that becomes the truth; real-world reality does not matter. The biggest danger for online games and virtual worlds and terrorists does not come from the terrorists, but from governments’ fear of terrorists. The collapse of a virtual world will anger its customers and annoy its investors. It is not a national security threat. The democratization of information is a huge benefit for society as a whole, but terrorists and criminals will have access to this data as well. The risks for online games come from regulation and law enforcement requirements including extensive monitoring of individual communications. It behooves game companies to preempt and avoid these threats.

Chapter 35 Terrorists

363

R EFERENCES 1. The Economist (2007), “Jihad on the Internet,” http://www.economist.com/world/displaystory.cfm?story_id=9472498 2. N. Shachtman (2008), “Pentagon Researcher Conjures Warcraft Terror Plot,” http://blog.wired.com/defense/2008/09/world-of-warcra.html 3. B. Crecente (2005), “China Trains Army with Counter Strike,” http://kotaku.com/gaming/oddities/china-trains-army-with-counter-strike-30782.php 4. NASDAQ (2008), “NASDAQ Performance Statistics,” http://www.nasdaqtrader.com/Trader.aspx?id=MarketShare 5. NASDAQ OMX Group, Inc. (2008), “NASDAQ OMX Announces August 2008 Market Performance Statistics for U.S. and Nordic Exchanges,” http://ir.nasdaq.com/releasedetail.cfm?ReleaseID=333405 6. N. Shachtman (2008), “CIA: Hackers Shook Up Power Grids (Updated),” http://blog.wired.com/defense/2008/01/hackers-take-do.html 7. P. Boutin (2008), “Sarah Palin’s Wikipedia Page Scrubbed,” http://valleywag.com/5043886/sarah-palins-wikipedia-page-scrubbed 8. K. Zetter (2008), “Six-Year-Old News Story Causes United Airlines Stock to Plummet: UPDATE Google Placed Wrong Date on Story,” http://blog.wired.com/27bstroke6/2008/09/six-year-old-st.html

36

Practical Protection

y goal has been to show that protecting games is possible and that there are many paths to solving game security problems. That security does not require cryptography or iris scans; it just requires a bit of thought and consideration. That security is, first and foremost, a business issue, not solely a technical one. That games and the business of games are deeply entwined with security. Arguably some of the oldest “security problems” were people cheating at ancient dice games. Fortunately, or unfortunately, it is no longer practical to stick a spear in the back of cheaters or make pirates walk the plank.

M

How much is security worth? I read a press release recently about an antipiracy product. They cited the oft-repeated statistic that for every legitimate game sale, there were 10 to 15 pirated downloads and that if just one of those pirates converted, sales would double. If anyone really believed that there were 100 percent or more sales to be earned from better anti-piracy and that there was any anti-piracy solution that could give those sales to you, there would be hardly any negotiation or concern about purchasing anti-piracy products.

“W E H AVE M ET

THE

E NEMY

AND

HE IS US”

This quote by the comic book character Pogo (copyright of the Walt Kelly Estate) pretty much sums it up. Games are a major hacker target. Some of the most common forms of malware—Trojans and account phishing scams—target online games. On one hand, this is a tribute to the huge growth in the game industry. One the other hand, it is an indicator that both the game industry and law enforcement do not take these attacks very seriously: Real Money + Low Risk = Juicy Target

364

Chapter 36 Practical Protection

365

This is likely to get worse. In 2007, the rate of attacks targeted against specific businesses was almost 20 percent1. These attacks are much less likely to be detected by standard, commercial security products, so companies need to harden themselves against all attacks. Denial of service attacks can be launched for as little as $100 per day from an outsourced botnet. The cost of cyberattacks on businesses grew from $168,000 per incident in 2006 to $350,424 in 2007. As game companies move their business online, they are increasingly vulnerable to these hackers. Today, the game industry seems wracked with security fatalism: PC gaming is doomed because of piracy. Gold farmers are ruining MMOs. Cheaters and bots are destroying online poker. The sky is not falling. Security problems are big enough to be taken seriously, but, as has been shown throughout this book, there are ways to bring these challenges under control. The first step is for both security personnel and their colleagues to consider security as an important and integral part of game development and game operations. There seem to be six kinds of security insanity that afflict both security professionals and their coworkers: Zealots—The radical “true believers” of security. They believe in security at the expense of everything else. If something is not perfectly secure, there is no reason to do it. This is most often found in very young (or inexperienced) and very old security professionals. Product Pushers—These individuals have been totally seduced by one brand or type of security product and believe it is the magic bullet for whatever security problem you face. This may occur in the wake of an article, a security course, an industry conference, or an encounter with a particularly charming and/or attractive sales person from the offending company. This is a moderately annoying problem in security staff. It is utterly depressing and frustrating when an executive has caught the bug. Guards and Fences—These individuals view security solely through the lens of physical security: guards, fences, security clearances, and such. Very often, these people have no appreciation for intellectual property as a valuable commodity. This is not found too often in the game industry, but there are definitely folks in the security industry who continue to have this view. Blissfully Ignorant—There is no security problem, there is nothing to worry about, time to move on. “These problems would never affect my product or our business.” In severe cases, they are the willfully ignorant who refuse to consider anything that differs from their world view.

366

Protecting Games: A Security Handbook for Game Developers and Publishers

Pearl Harbors—“I’ll worry about security when some large enough security event occurs.” “Whatever it is, it’s going to have to be big, a Pearl Harbor.” If nothing else, I hope that this book has provided enough specific incidents to answer this question for both the Pearl Harbors and blissfully ignorant in the game industry. Security Apocalypse Believers—There is nothing that can be done. We’ll just have to abandon this market. Maybe the government can save us. The entertainment industry seems to be veering into this direction. For the games industry, PC gaming is routinely pronounced “doomed” due to piracy. Real protection goes with a real understanding of the business and its environment. My discussions of price, multi-player gaming, and rich interaction systems as strategies to fight piracy are based on the recognition that piracy exists, but the goal is to maximize revenues, not become a surrogate for government and mete out “justice.” Second-hand game sales may, in fact, be a more costly problem than piracy (in terms of lost sales). Real customers willing to spend real money on real games are increasingly choosing to buy used rather than new games. Hoping for some sort of revenue share from retailers or individuals is naïve, at best. Cheating and social subversion are direct threats to any game service. Any breach of trust or confidence will cost you customers. In the largest available survey, cheating was the number one reason for leaving online games2. There is nothing that ruins fun like perceived injustice. Although piracy may be the largest threat to games as products, cheating and social subversion are the leading threats to game services. Games may be an escape from the real world but game businesses are real businesses. They face numerous challenges, some of which stem from the explosive growth and changes in the industry. Although it may suit the game industry’s purposes to consider virtual items as worthless and owned by the company, it is dangerous to ignore the fact that your players place great value on these mere entries in a database. This view devalues your customers and facilitates problems like gold farming. Games are a major industry and can earn many millions of dollars from their players. In return, developers and game operators should value their customers and their customers’ trust seriously. Protecting identity, providing a safe environment, and securing payments should not be afterthoughts; they are central to the success of a game service.

Chapter 36 Practical Protection

T HE B USINESS

OF

367

G AME P ROTECTION

When games can earn more than $300 million in a week3 and there are lawsuits for millions of dollars over security breaches4, it is time to realize that the game industry has grown up and that protecting these games is serious business. There are a lot of multi-million dollar security incidents mentioned in this book: Sony Online Entertainment faced millions of dollars in chargeback fees due to gold frauders; K2 Networks lost a million dollars in one year due to phishing, identity theft, and credit card fraud; and Shanda offered $1 million in rewards to find private servers, malicious code, and cheats. One has to wonder if the potential costs of a security breach were even considered when these games were developed. How carefully do game publishers review the security procedures of their developers or production contractors, given the number of times games have been compromised before they were released? How much thought was put into various online games’ economic systems to consider the operational and fraud related costs from gold farming? How early in the development process was the threat of piracy considered during a game’s design and business strategy? Yet, it seems security investments are very lean. The game industry is not alone in this. The game industry has an advantage over many other industries in that it can clearly measure return on security investment. Piracy can be tracked; customer complaints and security incidents can be counted. Security investments can be tied straight to the bottom line. It is certainly the responsibility of security staff to propose security solutions as well as identify security vulnerabilities and fairly cost them over the lifecycle of the game, but it is also the responsibility of management and designers to take heed. Security is truly an engineering discipline and an art. It is all about leverage. The goal is to make an investment in security tools, implement appropriate changes to the game design or business model, or even alter operational procedures that, taken together, will produce substantially larger revenues or avoid large costs. It is reasonable for management to expect these margins to be fairly large because so are the unknowns. If game protection is started early, the cost may consist of altering a PowerPoint design presentation or a Word requirements document. GLOBAL INDUSTRY CHALLENGES The game industry is in the midst of a fundamental change. It is moving from a shrink-wrapped software business dominated by a few major publishers serving a few large developed countries, to a much more diverse online industry with a wide range of business models and a huge number of players spread all over the world.

368

Protecting Games: A Security Handbook for Game Developers and Publishers

Industry leaders need to think globally instead of focusing on individual markets or regions. The debate in the United Kingdom between industry-sponsored Pan-European Game Information (PEGI) age-rating system and the British Board of Film Classification (BBFC) over game-rating authority is not really about which approach is better, but whether companies will need to get their games approved in each national market or be able to use a standard, global certification. The challenges extend far beyond game ratings. The game industry has a strong interest in standardizing and strengthening online identity, developing standards for parental controls and usage limitations to address game addiction concerns, improving online payments and fighting fraud (including pushing liability back onto payment processors and credit card firms), fighting online crime, and clarifying jurisdictional issues for online services. Many of these issues are not unique to the game industry, but their resolution, or lack thereof, will have a notable impact on the shape and growth of the industry in the future. At the same time, the very way the game industry operates is in flux. Game developers increasingly outsource portions of their projects and operate as virtual teams spread around the globe. Licensing games has changed from simple localization for each country and local marketing to supporting extensive online services. These partnerships reduce the costs of development and can help expand business opportunities, but at the same time they expose companies to threats that they hadn’t previously considered. Maintaining management control, much less effective security, is a serious challenge. SECURITY BEYOND TECHNOLOGY One of the most important themes throughout this book is that security is not solely a technology problem nor does it always have a technological solution. The role of the security team is to look at everything about the game—its business model, design, distribution, payments, implementation, tools, and so on—and help navigate a path to success in the face of adversity. Although security is not paramount, its impact needs to be considered seriously along with business and art to achieve success. The joke among my NSA friends when we were adding a piece of security gear to a project was that we were expected to be a heat sink, add power, and add lift. The development team as a whole often did not see any reason to value security. Why should they?

Chapter 36 Practical Protection

369

Military development projects have many of the same characteristics as game projects. The development team is successful when the project “goes live.” After that, someone else gets to take care of maintenance, operations, and security. Without rewards and accountability, security will fail. Like everything else, people respond to incentives. If security can serve as an impetus to better address operational issues during development, security should certainly be a resounding success. One of the great things about games and security is that there is a lot of freedom to innovate. Games are unique and creative enterprises. Battle.Net started with a free online service and ended up extending the life of its games for years and being pretty effective in battling piracy. Richard Garfield revolutionized the tabletop game industry by combining sports trading cards with a fantasy game to create Magic: The Gathering. The free-to-play business model has shown that you don’t need to charge a subscription to make money from an online game. The Wii showed that game play, not graphics, can be successful on consoles. Puzzle Quest showed that you could make a “hardcore” casual game. Solving business, game design, and security problems can truly be an opportunity to build something wonderful and new. WHO’S THE BOSS? A perpetual problem in the security field is the question of who “owns” security. No matter what we all claim, the adage “where you stand depends on where you sit” has a lot of validity. If security is owned by the Information Technology (IT) department, security is an IT problem. If it is placed within Quality Assurance, quality is security. The bottom line answer is that the “boss” owns security. The owners of a business are the only ones who have enough visibility into development and operations to balance both. Some large companies have created a Chief Information Security Officer (CISO) position, usually underneath the Chief Information Officer (CIO). The main problem with this choice is that it makes security part of IT and often CIOs are a lot less strategic to the business than they should be. My conversations with game developers lead me to a slightly different conclusion for the game industry. The security lead should probably directly report to the Project Manager or an Operations Manager, if one is appointed early. Bringing in an Operations Manager early on is highly valuable. They are the ones who are going to care for, feed, operate, and support the game from the day it is launched until it is shut down, and so are more like a “real” game player than anyone. Operations Managers care about how many customer support staff they are going to need, as well as how many servers, and how many phone lines for complaints. Operations

370

Protecting Games: A Security Handbook for Game Developers and Publishers

Managers also are going to bear the brunt of any security failures and will therefore be strong advocates for security. They will appreciate that good security can affect the variable costs of operations. Best of all, the Operations Manager has a substantial budget—something that security folks almost always lack.

I N C LOSING I almost always open my presentations on game security by stating that “If security doesn’t save you money or make you money, don’t spend a dime on it.” I hope that I have shown that there are real security problems that affect almost everyone in the game industry and that there are practical ways to protect your games. When I started studying game security, the problems were pretty straightforward: piracy for shrink-wrapped games and cheating and griefing for online games. The explosion of games into advergames, social networks, virtual worlds, skill games, and children’s games has been exciting to watch even as the security challenges have multiplied. These are early days for security in the games industry. Companies who take the lead in security will have a competitive edge, while others may lag behind.

R EFERENCES 1. T. Espiner (2007), “Cracking Open the Cybercrime Economy,” http://resources.zdnet.co.uk/articles/features/0,1000002000,39291463-1,00.htm 2. PlayNoEvil (2006), “Game Security Major Issue for Online Gamers in China,” http://playnoevil.com/serendipity/index.php?/archives/719-Game-Security-Major-Issue-for-OnlineGamers-in-China.html 3. P. McDougall (2007), “Halo 3 Sales Top $300 Million in First Week,” http://www.informationweek.com/news/personal_tech/showArticle.jhtml?articleID=202201135 4. B. Sinclair (2008), “Ubisoft Sues Over Assassin’s Creed Leak,” http://www.gamespot.com/news/6195570.html?om_act=convert&om_clk=newstop&tag=newstop;title;2

Appendix

A

Selected Game Security Incidents

began tracking game security incidents fairly seriously after we filed the patents for what became our SecurePlay product back in 1997. Every so often, a news story would break about some problem with a game somewhere and I would file the information away. The pace of these incidents steadily increased and when I started seriously writing my blog, PlayNoEvil, in the later part of 2005, I went back and filled in a number of the earlier cases to build an informal chronology of game security. These cases come from stories in the press or announcements from companies. I have rarely used forums or gamer communities as a reference. When I do use these sources, it is usually because the attack itself is interesting, rather than just noting the disclosure of the incident.

I

T HE G ATHERING S TORM The growth in the number of game security incidents has been impressive. Before 2004, there were several incidents per year. By 2004, the pace had reached one per month. In 2005, there were several each month. In 2006, there was usually at least one incident a week and by 2007 there were more incidents than I could easily keep up with. Part of this is certainly due to the growth of online sites that track the game industry, but the number of incidents seems to have been growing at a remarkable pace. Over this same period, companies have changed how they respond to security incidents. There has been a long-standing habit of simply deleting discussions of cheats or exploits from official game sites. Sometimes game companies will provide information on security incidents only to later remove them from their sites. Blizzard used to provide quarterly updates on bans for Battle.Net and World of Warcraft, but ceased doing so in the fall of 2006. Other companies, like Square Enix, have taken a very different approach and provide regular updates on security for their online game Final Fantasy XI. 371

372

Protecting Games: A Security Handbook for Game Developers and Publishers

On a personal note, when problems have occurred over, and over, and over again, there seems to be less value in writing about them, and less interest in reading the same stories by my readers. The rapid changes in the game industry have given me opportunities to expand my horizons to address issues such as security for kids’ games, problems with contests and advergames, and other topics. This is a long-winded way of saying this list is not complete. It covers many incidents from 2001 to mid-2007 and gives a good sense of the range of the problems. I do refer you to my blog, PlayNoEvil (http://www.playnoevil.com/), which I’ve continued to update. You may also find Luigi Auriemma’s site (http://aluigi. altervista.org/) of interest. There have been a couple of other game security sites launched over the years, but they rarely stay active for long. Incidents in 2007 (though May): In-game griefing turns into real-world violence in World of Warcraft in Mexico Regional licensing issues in Xbox Live and PS3 Nintendo faces media piracy in Korea Lineage III code compromised—$1 billion in potential damage claimed Nintendo Europe fights modchips Sony PSP firmware updated against download security flaw HD DVD and Blu-ray anti-piracy systems hacked after being patched within one week HD DVD and Blu-ray anti-piracy system hacked Xbox 360 privilege escalation exploit Fake cheating scams: Habbo Hotel and elsewhere Cheating in Insomniac’s Fall of Man for PS3 3,900 Final Fantasy XI accounts banned or suspended Teleport hacking in World of Warcraft Xbox 360 exploit found and patched Griefing article in PCGamer Malicious shills in online casinos 100,000 World of Warcraft accounts banned Swedish lottery game shut down for cheating Entropia Universe performance enhancement exploit MMORPG editorial on cheating Blood donations to get “unbanned” in Cabel Online

Appendix A Selected Game Security Incidents

373

Casual game attacks article Hacking kids games—Club Penguin and Whyville Final Fantasy XI bans 5,000 accounts Pirate server earned $200,000 in China shut down UK invests 5 million pounds to fight piracy Lineage 2 pirate server shut down by FBI Hacking games with Cheat Engine article Nintendo DS strengthens media security Game industry article on evolution of game piracy Real robot used for Xbox 360 achievement exploit Epic Software’s Gears of War for Xbox 360 attacked Employee game abuse issue in CCP Games’ EVE Online Nintendo Wii hardware hack Knight Online institutes “double damages” instead of banning Flash high-score system hack demonstrated Sony PSP firmware hacked again Controller hack against Rainbow 6 on Xbox Live Indian gold farming and botting allowed and supported by publisher Chess tournament cheating via Bluetooth Legend of Mir 3 piracy operation in China cost nearly $1.3 million per month in revenues Incidents in 2006: Penis griefing in Second Life Square Enix bans 7,450 from Final Fantasy XI Another pirate server in China shut down—over 260,000 accounts Cheating described in online Backgammon Gold duplication exploit in World of Warcraft (non-US) Sony PSP firmware hacked Electronic Arts’ Battlefield 2142 faces numerous security issues Bungie institutes anti-leader board abuse system for Halo 2 (1,106)

374

Protecting Games: A Security Handbook for Game Developers and Publishers

Square Enix bans 11,500 in Final Fantasy XI FBI shuts down Lineage 2 pirate server Blizzard sues World of Warcraft Glider tool developer Hackers commercialize game save cheats for Xbox 360 Denial of service attack against Second Life Saint’s Row for Xbox 360 gets security patch against exploits Australia challenges piracy damage report Square Enix creates Final Fantasy security task force Yendang Entertainment cracks down on cheaters and hackers iTunes DRM allegedly broken World of Warcraft movement cheat hits YouTube Guild banned in World of Warcraft for using exploit Final Fantasy XII English language code compromised Student essay on Metroid Prime Hunters cheating Game Licensor K2 uses policy instead of patching for Webzen’s Legend of MU exploit Pine tar hack in baseball Gamerscore cheating on Xbox Live Electronic Arts’ Battlefield 2142 ships with spyware Lobby attacks in Gears of War for Xbox 360 Four to five denial of service attacks in less than one month against Second Life Cheating in chess—Kasparov editorial Microsoft sues to fight DRM circumvention tool Microsoft adds security to DVD drive Gears of War code compromised Ubisoft compromised 2GB of art assets Personal data compromised in Second Life K2 Networks loses $1 million in a single year due to account compromises, phishing, and identity theft Baidu sued for publicizing alleged cheater’s name Roulette cheating legalized in UK Gold farming business article in China

Appendix A Selected Game Security Incidents

375

Final Fantasy XI bans 3,000 for third-party software Video and audio griefing on Xbox Live in Uno Payment card spoofing and identity spoofing on Xbox Live Sony PSP patched again Korean organized crime group hacked arcade chips to cheat Apple and Microsoft DRM defeated again Shanda offers $1 million reward to fight cheats and private servers Casino Times covers cheating in Online Poker Executive at Shanda duplicates items in Legend of Mir 2—arrested Three Guild Wars guilds banned for ladder abuse Both Microsoft DRM and Apple FairPlay systems broken (again) EA’s Battlefield 2142 hacked in beta Sony PSP hacked, all versions, via memory stick Xbox 360 piracy reported in Philippines Introversion claims successful use of spoofing against P2P network piracy Final Fantasy XI bans over 1,400 for cheating and third-party software Bank scam revealed in EVE Online VP of Chinese anti-virus firm arrested for selling game hack plug-in for Legend of Mir 3 (earned over US $350,000) “Stat baby” griefing in Netamin’s Ultimate Online Baseball Xbox 360 piracy problems reported in Korea Sony PSP introduces anti-piracy and homebrew features in latest firmware Datal releases trainer for DS World of Warcraft bans nearly 60,000 accounts SiN Episode 1 piracy reported, distributed via Valve’s Steam Xbox 360 piracy problems reported in China Final Fantasy XI bans over 2,000 for third-party software Conquer Online increases penalties for cheating and botting Guild Wars bans over 4,000 for botting $21 million in U.S. dollars seized from botters and gold farmers in Ultima Online New PSP downgrader released Hellgate: London source code potentially compromised

376

Protecting Games: A Security Handbook for Game Developers and Publishers

Cheat tools for Metroid Prime Hunters—WiFi 300,000 players data-compromised in Japanese MMO Xenepic Online Korean gold farming ring earns U.S. $15 million, NCsoft under investigation for inaction Nintendo DS piracy problems Star Wars MMO doppelganger server enters alpha testing PSP dual boot hardware hack released Korea moves to stop wagering in online games Shadowbane MMO announces fix for exploits Final Fantasy XI MMO bans 250 accounts for gold farming with U.S. $4 million in game currency RF Online bans over 2,000 for cheating with bots in May Bethesda Oblivion RPG patch fails to stop duping Blizzard bans 30,000 accounts for gold farming and cheating, with U.S. $3 million in game currency In-game denial of service attack against Second Life Bethesda Oblivion RPG patch to stop duping; because of the Xbox Live service and incentive system this problem has real impact ArenaNet’s Guild Wars bans 1,000 accounts for bots NCsoft to spend U.S. $10 million on anti-cheating and farming, including hiring 150 analysts for Lineage Korean bot makers busted for U.S. $10,000 and two years in prison Xbox 360 DVD drive hack weaponized cheat and piracy product for Nintendo DS Trojan used to loot World of Warcraft accounts Second Life denial of service attack—third in one month NCsoft bans 500,000 accounts in 18 months for Lineage Second Life denial of service attack 5,400 banned from World of Warcraft for cheating Virtual crucifixion to punish griefing in Roma Victor Xbox 360 DVD drive hack disclosed Mythic bans cheaters from Dark Age of Camelot MMO Massive identity theft ring targeted NCsoft’s Lineage—200,000+ compromised accounts

Appendix A Selected Game Security Incidents

Online “lynching” of suspected Chinese gold farmers Mythic bans 450+ cheaters for use of “radar” exploit PSP hacked via GTA game Shadowbane institutes “zero tolerance policy” for cheating Second Life adds virtual prison for griefing or annoying behavior Incidents in 2005: Blizzard closes 18,000+ accounts for cheating in past three months Linden Lab turns to FBI in Second Life denial of service case City of Heroes/City of Villains servers hacked, code compromised Age of Empires III patched to address multi-player exploit Call of Duty 2 fans lobby for better anti-cheating, threaten strike Denial of service attack against Second Life Xbox 360 Live tracking security concerns AhnLabs brings anti-cheating service to US, starting at $30K/year Two denial of service attacks in November against Second Life World of Warcraft hackers using Sony BMG rootkit to hide from Warden Halo 2 ends leader board due to cheating and hacking problems Japan Lineage II fraud/virtual mugging results in arrest Duplicate server problem for Lineage II Major duping incident for EverQuest II Privacy concerns due to security monitoring by Blizzard Far Cry patched for cheating World of Warcraft bans over 1,500 for cheating Bungie (Halo 2) bans thousands for cheating Bungie fights mod cheats Battlefield 2 security flaws allow cheating Major duping problems in World of Warcraft China imposes content and time limits on gaming Battlefield 2 servers delisted for cheating 50,000+ accounts banned from Battle.Net

377

378

Protecting Games: A Security Handbook for Game Developers and Publishers

Shanghai player stabbed over virtual sword theft Spurned woman charged over deleting game data Tecmo settles nude “skinning” lawsuit Gold farming and duping problems in World of Warcraft—thousands banned (several articles) Rise of pokerbots in various online poker games (several articles) Final Fantasy XI bans over 800 players America’s Army hacked Halo 2 service boots several thousand users for cheating at $50/subscriber/year Sims 2 hacked (malicious data attack) Fujistu-Siemens told to pay $16/PC as tax for piracy in Germany Earlier incidents (2001 to 2004): World of Warcraft has major game hack within three weeks of release (timing attack) Blizzard knocks over 500,000 accounts from Starcraft and tens of thousands of accounts from Warcraft III at Battle.Net Valve boots 50,000+ players within three months of releasing Half-Life 2 Blizzard wins suit against BnetD (competitive open source game server) Code theft for Grand Theft Auto – San Andreas Code theft for Halo 2 ASF Texas Hold’em hacked SOCOM online virtually shut down due to cheating EverQuest removes hundreds for cheating Battle.Net boots over 500,000 accounts (out of 10 million) Half-Life 2 code theft China’s online gaming market admits $12,000 lost each day to cheating and piracy McDonald’s Monopoly sweepstakes scandal Cryptologic’s software was hacked and lost $1.9 million in a day

Appendix

B

Glossary

Action Overrun—This type of attack on a game works when games do not explicitly validate the intervals between allowable game actions. The game’s state does not retain information about when previous actions have occurred. Common examples are players who can move far too fast or fire extraordinarily quickly compared to other players. Advergame—A game that promotes a product, service, or brand that is typically provided for free. Asymmetric Cryptography—See Public Key Cryptography. Blind Authentication—A cryptographic authentication process whereby one entity queries another to determine whether the second entity possesses certain information without disclosing the information directly. Blind authentication can be used to verify software or other data. Blu-Ray—A successor to the DVD that can store 50GB of data and includes several digital rights management systems. Bot/Botting—The use of automated programs to play on a player’s behalf. Bridging—The insertion of a hardware or software proxy between two networked game applications in order to facilitate cheating by manipulating the data exchanged between the game players. CAPTCHA—Stands for a “completely automated public turing test to tell computers and humans apart.” A program that tries to distinguish between people and computers quickly and reasonably easily. Chargeback—When a consumer reverses an existing credit card purchase and the vendor is responsible for returning the funds to the credit card company and, ultimately, to the consumer, unless the vendor can successfully dispute the chargeback. Cheating—Active measures that abuse game play or game systems. Checksum—A fixed sized block of data that’s derived from a larger data stream or block. A checksum can be as simple as a parity bit (a count of the number of 1s in the data stream) or as complicated as a cryptographic checksum (where the checksum is built using a secret key and a cryptographic function).

379

380

Protecting Games: A Security Handbook for Game Developers and Publishers

Children’s Online Privacy Protection Act of 1998—A U.S. law that protects the privacy of children under 13, particularly against marketing. It is sometimes confused with COPA or other laws with very similar acronyms that are related to protecting children from obscenity and have been successfully challenged in court. Ciphertext—An encrypted stream or block of data. CKL—See Compromised Key List. Compromised Key List (CKL)—One of the limitations of public key cryptography is that keys have a long life, sometimes a year or more, and there is no easy way to get rid of keys when they are compromised. The CKL is a digitally signed list of compromised keys periodically distributed by a central authority. These lists are used by participants of the service to ignore messages from holders of the compromised keys. COPPA—See Children’s Online Privacy Protection Act of 1998. Digital Millennium Copyright Act (DMCA)—A U.S. law passed in 1998 that places serious restrictions on attempts to reverse-engineer or circumvent copyright protection technology such as DRM. The European Union passed an analogous act in 2001, called the EU Copyright Directive. Digital Rights Management (DRM)—Software tools that attempt to control the usage and distribution of digital media. Digital Signature—By combining a hash function with public key cryptography, digital signatures are used to ensure the source and integrity of the signed data. The hash function detects data alteration and the public key function ensures that the data came from a source that knows the corresponding private key. DMCA—See Digital Millennium Copyright Act. DRM—See Digital Rights Management. Emulators—Software programs that emulate a different computing platform or microprocessor, and are sometimes used for piracy. Encryption/Decryption Function—A mathematical function that operates on some input data (plaintext) and a key to produce an output. If you have access to the output of the encryption function (ciphertext), it is computationally infeasible to recover the input data without the key. End User License Agreement (EULA)—The contract between a software buyer and a seller. These contracts have come under scrutiny in the US recently because consumers cannot meaningfully negotiate with the licensor. Additionally, software companies have been imposing draconian restrictions in the contracts that may not hold up in court. Escorting—A (paid) service in an online game where the escort plays along with the client. EULA—See End User License Agreement. Exploit—A weakness in the implementation of a game system or flaw in the game’s rules that allows a player to have an inappropriate advantage. F2P—See Free-to-Play.

Appendix B Glossary

381

Feelies—Physical items included with a game. Feelies were an anti-piracy technique pioneered by Infocom. Free-to-Play (F2P)—The name for games whose business model is based on the purchase of virtual goods. It is typically contrasted with subscription games, where players purchase game play based on time (per minute or per month). Gold Farming—The practice of using a game’s economic system to earn real money by selling virtual assets or currency to other players. Most games typically allow, in fact encourage, the accumulation of items and virtual currency and support their trading as a part of the game play experience. The abuse of this legitimate system can cause a number of problems, including spam. Gold Frauding—The use of actual criminal techniques such as phishing, account theft, identity theft, and credit card fraud, to buy and sell virtual currencies and items for games. Griefing—Activities that are not technically cheating, but are disruptive to the game experience of other players. At best, these behaviors can only be documented in a game’s terms of service. Most often, they are enforced by game company staff. Hash Function—A mathematical function that takes an arbitrary amount of data and “hashes” it down to a fixed-size hash word. A good hash function will have the characteristic that small changes to the input data will result in large, unpredictable changes in the resulting hash word. Honeypot—A program or online service that is designed to trap criminals or other targets. Key—A small amount of data (the key) used to protect a large amount of data. Typically used with a cryptographic function. Key-logger—A program that captures the keystrokes from a computer and sends them to a remote location, often for malicious purposes such as capturing user passwords (usually done by a hacker, but sometimes companies monitor their own employees). There are also programs that capture screenshots and mouse inputs. Key Management—The set of operational services are necessary to operate a cryptographic system securely. Typically, a key management system includes key distribution, key exchange, registration or initialization, key update, and recovery. Keygen—An unauthorized program that can generate a game license key that cannot be detected as fraudulent. Macros—Programs that automate sequences of keystrokes as a game aid. See also Bot. Machinima—A video or movie built from a 3D graphics engine (typically a game). Massively Multi-Player Online Game (MMO, MMOG)—A generic name for games that can support large numbers of players, typically in shared, persistent environments. Massively Multi-Player Online Role Playing Game (MMORPG)—A special category of MMO that has a player take on the role of a person or creature, typically represented by a graphical avatar. The role-playing-game aspect of the game is that the characteristics and assets of the avatar can change over time. MMO/MMOG—See Massively Multi-Player Online Game.

382

Protecting Games: A Security Handbook for Game Developers and Publishers

MMORPG—See Massively Multi-Player Online Role Playing Game. Modchips—Additional memory chips, processors, and even circuit boards used to support hardware hacking of game consoles. MUD—See Multi-User Dungeon. Multi-User Dungeon (MUD)—The textual predecessors to the modern graphical MMO games. Players typically use a simple telnet terminal client to access the game (although more elaborate client applications are often available). Interaction is often done with very elaborate textual commands. One advantage that MUDs have is that developing and modifying text is quick and easy. There continue to be several text MUDs that operate commercially. Nintendo DS—Nintendo’s handheld game console that was released in 2004. It is distinguished by the use of a dual screen and is backwards compatible with Nintendo’s previous GameBoy Advance handhelds. It also supports Wi-Fi networking. Nintendo Wii—Nintendo’s game console that was released in 2006. It is distinguished by its use of the Wiimote handheld controller that recognizes gestures and movement in three dimensions. It is also backwards compatible with Nintendo’s previous console, the GameCube, and includes Internet access via Wi-Fi. Unlike its competitors, the Wii does not have a standard hard drive, only Flash memory. Obfuscation—The process of making it difficult to reverse-engineer the design of a program (code obfuscation) or the value of data (data obfuscation), even if the adversary has the obfuscated code or data in her possession. Phishing—The process of attempting to fraudulently convince individuals to disclose credit card numbers, personal data, passwords, or other sensitive data. PlayStation (PS, PS1, PS2, and PS3)—Sony’s video game console series. The latest, the PlayStation 3 (PS3), was launched in 2006 and includes the Blu-ray disk technology and Internet access. PlayStation Portable (PSP)—Sony’s handheld game console first released in Japan in 2004. It is most notable for the use of the UMD miniature disk technology. It also supports Wi-Fi networking. Pokerbot—An automated program that plays poker (see also Bot/Botting). Power-Leveling—A commercial service whereby a third party plays on behalf of a player to accelerate her status in a game. The service may also simply sell pre-built game characters or accounts. Private Key Cryptography (Symmetric Cryptography)—A type of cryptography where all parties to the system use the same (secret) key. The same key is used to encrypt and decrypt data. PS, PS1, PS2, and PS3—See PlayStation. PSP—See PlayStation Portable.

Appendix B Glossary

383

Public Key Cryptography (Asymmetric Cryptography)—A type of cryptography in which it is computationally infeasible to determine the private key if you know the associated public key. This means that if you can decrypt a message with the public key, you cannot encrypt the message because you do not posses the private key. Public key cryptography is mainly used for key management because it is typically much slower than symmetric cryptography. R4 Data Cartridge—An unauthorized product that allows standard SD flash memory storage to be used instead of official Nintendo game cartridges for the Nintendo DS handheld game console. SD cards are routinely used for digital cameras and media players. The R4 product also includes a PC application that allows users to download pirated Nintendo games and use them. The R4 allows multiple games to be stored on a single cartridge and provides its own graphical user interface (GUI) to select games. Race Condition—A situation where multiple systems (often computer programs) that ordinarily work together get into an undefined condition (that often causes strange failures) because of poor handling of temporal updates. Real Money Transactions (RMT)—Inter-player commerce, almost always in online games, where players use the trading system or gift-giving system provided by the game to support real money sales of items. Rich Interaction System (RIS)—An online service that provides a number of types of services designed to be used to enmesh players so that they will be less likely to cheat and pirate games. RMT—See Real Money Transactions. Rootkit—A program that hides itself from the standard utilities provided with an operating system. Many computer hacks try to “escalate privileges” to get root privileges that typically give the hacker total control the computer. Spam—The abusive distribution of marketing information via a legitimate communication service. Standbying—A method of cheating in networked computer games where communications are interrupted to disrupt the synchronization of game state or actions between players. Steganography—A mechanism for hiding important information inside of other data, such as a message concealed inside of a picture or a sound file. For game applications, the most common use of steganography is for concealing digital fingerprints or watermarks. Subletting—Sharing an online game account with another user who is engaged in an activity such as gold farming. In addition to being a violation of the game’s terms of service, subletting is often a fraudulent way to steal a player’s account. Subscription Game—A game that includes periodic payments (typically monthly) for service. Symmetric Cryptography—See Private Key Cryptography. Terms of Service (TOS)—The extension to a game’s contract that defines acceptable and unacceptable behaviors. TOS are not typically enforced by the software.

384

Protecting Games: A Security Handbook for Game Developers and Publishers

Trusted Platform Module (TPM)—A cryptographic coprocessor that stores and generates cryptographic keys and implements cryptographic functions. Each TPM has one or more unique cryptographic keys. TPM is also a specification published by the Trusted Computing Group. Wallhack—The replacement or alteration of game graphic assets to give an advantage to the game hacker. In many games, the graphics engine has sole responsibility for determining whether one player can see another. A simple wallhack will make a wall in a game invisible and, at a minimum, allow a player to see where others are located. Others can be used to allow players to shoot at players that they should not be able to see or fire at. Xbox 360—Microsoft’s game console that was released in 2005 as a successor to the Xbox. It includes Internet access. One notable change from the Xbox is that there is a version that does not include a hard drive (the Xbox 360 Arcade). Xbox Live—Microsoft’s online service for its Xbox and Xbox 360 game consoles.

Index Note: Security principles are abbreviated. See individual entries for complete text.

Numbers 2001 to 2004, game security incidents in, 378 2005, game security incidents in, 377–378 2006, game security incidents in, 373–377 2007, game security incidents in, 372–373

A A1 installation option, explained, 95 abandonment, occurrence of, 199–200 abstraction, using, 172 account compromise, overview of, 306–308 Achaea (Iron Realms), 228 ACID, applying to dupe attacks, 156 action-based networking, 117–120 versus state-based networking, 119 synchronizing between players, 119–120 action hands, explained, 202 Action, role in CAARDS reference model, 110 activation, considering in license policies, 53 activation key, vulnerability to pirates, 39 active measures, adoption of, 354 Adams, Tarn, and Zach (Dwarf Fortress), 175 advergames, tracking, 181 ADV Films, trusted brand security of, 28–29 Age of Conan, 109, 166 age verification overview of, 302–304 problems with, 294 algorithmic games, 170–173 ambushes, turning into mini-games, 174 amusement park economics, 226–227 analysis, availability in cheat detection systems, 153 analytic aids, comparing to cheating, 146–149 anonymity, state of, 296 anonymous systems, using, 301–302

anti-cheating techniques focus of, 120 N-1 Secure, 124 See also cheating anti-fraud, overview of, 282–286. See also fraud anti-piracy approach for PC games, 35 benefits from proprietary media, 32 determining goals of policies for, 97–99 evaluating, 30 innovators, 29 nagware systems used in, 42 price as strategy, 62 public relation problems with, 92 of servers, 70 strategies for used games, 61 techniques, 32–33 worth of, 26–27 See also piracy; RIS (rich interaction systems) anti-piracy Bill of Rights connection options, 95 fair use principles, 93–94 installation options, 95 registration options, 94 anti-tamper software, use of, 135, 139–140 ArenaNet (Guild Wars), 24 Asia, console piracy in, 25 Asian malware, statistic related to, 4 Assassin’s Creed, 257 asymmetric information, significance of, 115 asymmetric warfare, choosing defensive methods for, 16 Atomicity in ACID, explained, 156 attack vectors, association with terrorists, 359–360 Audition dancing MMO, 173–174 Australia, impact of piracy on, 23 authenticating servers, 70–72 authentication, blind, 144 authentication token, use with World of Warcraft, 4 authorization, 37–38 automation, integration for, 286

385

386

Protecting Games: A Security Handbook for Game Developers and Publishers

Avatar’s Bill of Rights, 229 average synchronization model, explained, 113 avoid security strategy, explained, 14 AW (authentication word), creating, 143 Ax installation option, explained, 95

B Bartle, Richard, 224 Battlefield 2, 111, 198 Battle.Net service (Blizzard), advantage of, 24 “Beat the Dealer” (Dr. Edward Thorp), 170 Bethke, Erik, 229 better EULA, proposal of, 229 bias of game operators, explained, 201 billing options, considering for payments, 279–280 Bill of Rights for anti-piracy, 93–94 biometrics, use of, 299 Black, leaking of, 257 blacklist chat services, using for children, 317 blacklists versus whitelists, 151 blind authentication, using, 144 blind security functions, use of, 139 blind service architecture, 123, 125 Blizzard Battle.Net service, 24 free online game play service offered by, 24 World of Warcraft, 4, 69 BMG Rootkit (Sony) use with World of Warcraft, 151 unpopularity of, 25 board games, pattern used in, 176 bootstrapping systems, securing, 58 bots and cheat tools, 148 problems with, 329 sophistication of, 147–148 and syndicates, 197 Brain Age, 169 brand security, Nintendo and ADV Films, 28–29 break-even analysis, performing, 26–27 bridge style rankings, explained, 204 bridging, defined, 161 broker model, explained, 228 BSA (Business Software Alliance), 23 buddy high scores, explained, 185 Burning Crusade, licensing, 270 business models, security problems related to, 129–130 business risk and liability, overview of, 218–221 byte-code, attack on, 137

C CAARDS reference model, 110 CALEA (Communications Assistance for Law Enforcement Act), 349 Call of Duty 2, security failures of, 130 Call of Duty, “kill cam” feature in, 148 CAPTCHAs (Completely Automated Turing Test To Tell Computers and Humans Apart), 149–150 card games, pattern used in, 176 Caribbean, success of online gambling in, 68 casinos, accidental, 326–327 cataloging problem, fighting in trivia games, 168 CCP Games (EVE Online), 137 CD key, problems with, 34–35 CDS (cheat detection systems), 150–154 challenge/response card, 299 login protocol, modifying, 71–72 score posting, 185 Champions, 109 chargeback fees, considering, 276 cheapness, security problems caused by, 10–11 cheat codes, use of, 106–107 cheaters, attacks by, 190 cheating boundaries of, 146–149 costliness of, 105 demonstrating, 148 detecting, 121 versus fair play, 105–106 “for fun,” 120–121 versus hacking and exploits, 108 in high-score games, 181–182 importance of, 104 interpreting, 103 overview of, 102 seduction of, 102–103 by server, 111 in single-player games, 103 threat of, 366 tools used in, 149 using cheat-detection tool with, 16 See also anti-cheating techniques cheating setup, bridger in, 159 checksums benefits of, 73–74 and ID license key system, 35–36 using with game data, 136–137 chess, solvers for, 147

Index

Chief Information Security Officer (CISO), problem with, 369 child pornography, overview of, 318–319, 321–322 children capabilities for online services, 318–319 and identity, 320–321 protecting communications of, 316–317 sexual solicitation of, 313–314 targeting games to, 303 Children’s Online Privacy Protection Act of 1998 (COPPA), 319–320 China anti-piracy innovations of, 29 GDP related to software, 23 server piracy in, 67 chips, attacking information in, 58 CISO (Chief Information Security Officer),problem with, 369 City of Heroes (Cryptic Studios), 269 Clemson University study of cyberbullying, 315–316 client/authoritative server networking, 116–117 client ID, creating with security client, 150–151 client-server option, using, 184 client-side security, end of, 120–121 clocks, considering in license policies, 53 cloning online game services, 68 CO: Connection Optional, explained, 95 code as data, 137 vulnerability of, 137 code losses, occurrence of, 257 code obfuscation, explained, 40–41, 139 code theft, overview of, 255–257 collaborative game security architecture, 124, 126 collection, availability in cheat detection systems, 152 collusion in ladder game play, 197 player, 127–129, 167 in tournaments, 197 in tournaments and ladder games, 197 communications abuse of, 190 griefing and spam, 210–215 Communications Assistance for Law Enforcement Act (CALEA), 349 community sites, overview of, 273 community systems, limitations of, 211 competition, levels of, 204

387

Completely Automated Turing Test To TellComputers and Humans Apart (CAPTCHAs), 149–150 “conduit” model, adopting in lawsuits, 272 configuration data, vulnerability of, 137 connections, options for, 95 Consistency in ACID, explained, 156 console attacks considering emulators in, 56 duplicating game storage media, 55 hardware hacking, 57 manipulating media players, 56 secure bootstrapping, 58 on software, 57 console games anti-piracy strategy for, 25 attacking save game files in, 141 experimenting with pricing of, 62–63 functionality of, 58–59 memory used in, 141 console processors, targeting directly, 56 consumers, concerns about game security, 4 content, considering in license policies, 54 content distribution detecting, 33–34 preventing, 32–33 contingency planning, overview of, 342–343 contracts comparing to software, 266 content of, 266 indemnification section of, 350 security considerations, 266–267 Control, role in CAARDS reference model, 110 coordinated action collusion, explained, 129 COPPA (Children’s Online Privacy Protection Act of 1998), 303–304, 315, 319–320 copyright infringement, occurrence of, 220–221 counters, considering in license policies, 53 covert fingerprinting DRM system, using, 46–47 CR: Connection Required option, explained, 95 credit card fraud, impact of, 287, 289 crimes, punishing, 243–244 Cryptic Studios (City of Heroes), 269 cryptographic checksums, benefits of, 73–74 cryptography effectiveness of, 71 in secure digital distribution, 89 use in DRM, 46 use of, 182

388

Protecting Games: A Security Handbook for Game Developers and Publishers

Cryptologic Inc., attack on online casino, 4–5 The Cuckoo’s Egg (Clifford Stoll), 7 currencies (convertible), risks associated with, 291 CV: Connection Value option, explained, 95 Cx (D or T) connection option, explained, 95 cyberbullies, dealing with, 315–316

D DAC security policy model, explained, 51–52 Dance Dance Revolution, 173 Dark Age of Camelot (EA Mythic), 134 DAS (Digital Affiliate System) DMA player, 86 Media Asset, 86 overview of, 84–86 data obfuscating, 40–41 splitting, 40–41 storing, 41 data disclosures low standard fine for, 306–307 overview of, 255–257 data hash, explained, 136 data integrity, importance in encryption, 72–73 data obfuscation basis of, 139 use of, 134–137 data-protection techniques, 136–137 data storage, cost of, 32 Dead or Alive, 221 defensive proxies, overview of, 157–158 delegate security strategy, explained, 14 Delfino v. Agilent Technologies, Inc., 272 Demaio, Harry (Information Protection and Other Unnatural Acts), 6 denial of service (DoS) attacks, overview of, 336–339 design exploits, overview of, 166 designing for medium, 179 detect security strategy, explained, 15 deterministic games, 186 deter security strategy, explained, 15 development process, including protection in, 18 development, running in parallel to, 17 Diablo (Blizzard) attack on, 120 Cheaters’ Tournament, 102 storage of data for, 135 differential data/data chaining, explained, 137

differential storage, use with obfuscators, 135 Digital Affiliate System (DAS) DMA player, 86 Media Asset, 86 overview of, 84–86 digital distribution, security of, 87–91 Digital Rights Management (DRM) ineffectiveness of, 45 overview of, 44 problems with, 45 problem with, 183 use of cryptography in, 45–46 digital signatures benefits of, 73 problem with, 183–184 using, 45–46, 182–184 using in DRM (Digital Rights Management), 49 disasters and disaster recovery, overview of, 342 Disney, anti-piracy innovations of, 29 Display, role in CAARDS reference model, 110 distribute and update, availability in cheat detection systems, 153 distributed development, risks associated with, 256 distributed state systems, synchronization models used by, 112–114 distribution, security of, 87–91 distribution piracy detecting, 33–34 preventing, 32–33 DLL injection, 138 DMA player in DAS, features of, 86 DMA Registry in DAS, features of, 87 dominant strategies, use of, 175 DoS (denial of service) attacks, overview of, 336–339 downgraders, problems with Sony’s PSP, 58 DRM (Digital Rights Management) ineffectiveness of, 45–46 overview of, 44 problems with, 45 problem with, 183 use of cryptography in, 45–46 DRM systems digital signatures, 49 encryption, 49–50 fingerprinting and covert fingerprinting, 46–48 license policies in, 51–54 obfuscation, 50–51 proprietary encoding, 50 security labels and tags, 49

Index

split delivery, 51 watermarking, 47–48 DS handheld console (Nintendo) piracy problems with, 25 popularity of, 28 dupe attacks occurrence of, 156 solution to, 156 dupe exploit, example of, 109 duplication detecting, 33–34 preventing, 32–33 Durability in ACID, explained, 156 DVD players versus video game consoles, 62 DVDs console attacks related to, 56 regional encoding system used for, 33 Dwarf Fortress (Tarn and Zach Adams), 175

E EA (Electronic Arts), release of Spore, 217 EAM Mythic (Dark Age of Camelot), 134 economic system, fighting server piracy with, 70 emulators, problems with, 56 encryption benefit of, 73 bypassing, 72–74 data integrity of, 72–73 limitations of, 39 popularity of, 17, 41 problems with, 45 problem with, 183 with static key, 136 using, 182–184 using in DRM (Digital Rights Management), 49–50 engines. See game engines; graphics engines entertainment publishers, power of, 98 Entertainment Software Association (ESA), 23, 26 Entropia Universe (MindArk), 130 entry spreading, 196 Epic Software (Unreal), popularity of, 50 episodic gaming considering, 98 pricing of, 63 errors, extending in secure digital distribution, 90 ESA (Entertainment Software Association), 23, 26 escorting, defined, 223

389

escort services, explained, 240 EU, legal requirements for privacy protection, 309–310 EVE Online (CCP Games), 137, 217 EverQuest MMO gold-buying associated with, 225 handling griefing for, 210–211 exception game, Magic: The Gathering, 175 exploits versus cheating and hacking, 108–109 of game design, 166 of shared saves, 141 External Affiliation collusion, explained, 128 External Authoritative synchronization model, explained, 114

F F2P (free-to-play) model challenges of, 129–130 popularity of, 227–228 Fable 2 pub games, problem with, 108 Facebook, targeting for spam, 210 facilities requirements, 349–350 fair play versus cheating, 105–106 Family-Safe Gaming Initiative (Microsoft), 314 fan sites, overview of, 273 faux multi-player gaming, explained, 185 FBI investigation of payment fraud, 290–291 feature versioning, considering in license policies, 53 “feelies” (Infocom), 34 financial database, inclusion in game services, 340 fingerprinting DRM system attacks on, 48 using, 46–47 firmware, updating for duplication, 33–34 Flooz, fraud associated with, 290 fraud, safeguarding against, 288. See also gold frauder; insider fraud friend codes, using for children, 317

G gambling defining, 325–326 versus gaming, 326 Wire Act related to, 331 game accounts, security of, 289–290 game addiction, overview of, 304–306

390

Protecting Games: A Security Handbook for Game Developers and Publishers

game cheating boundaries of, 146–149 costliness of, 105 demonstrating, 148 detecting, 121 versus fair play, 105–106 “for fun,” 120–121 versus hacking and exploits, 108 in high-score games, 181–182 importance of, 104 interpreting, 103 overview of, 102 seduction of, 102–103 by server, 111 in single-player games, 103 threat of, 366 tools used in, 149 using “cheat detection” tool with, 16 See also anti-cheating techniques game clients, vulnerability of, 152 game commerce alternative models for, 227–228 problems associated with, 223, 226 game consoles anti-piracy strategy for, 25 attacking save game files in, 141 experimenting with pricing of, 62–63 functionality of, 58–59 memory used in, 141 game demographics, change in, 24–25 game engines versus graphics engines, 142 keeping data on, 138 game industry alternative models for, 227–228 competition with movies, 62 game injection, explained, 161 game integrity, importance of, 260 game operations architecture, 341 game operators versus gold farmers, 236 problems with, 201–202 sample architecture, 340–342 “Game Over” game, 199 game pirates, values of, 13 game play automating portions of, 147–148 griefing, 215–217 patterns, 176–178

game players, categories of, 224–225 game-play patterns, 176–178 game protection basis of, 366 challenge of, 16 global industry challenges, 367–368 including in development process, 18 security beyond technology, 368–369 Game Save problems, occurrence with Sony’s PSP, 59 game save sharing, explained, 203 game scams, categories of, 347 game security accountability in third-party development, 267–268 accountability in third-party licensing, 268–270 balancing with ease of use, 55–56 being concerned about, 3–5 beyond technology, 368–369 business of, 367–370 challenge of, 5 versus complexity, 19 contract considerations, 266–267 contracting, 266–267 of digital distribution, 87–91 effectiveness of, 7 elements of, 3 fatalistic attitudes toward, 6 importance of, 3 importance to consumers, 4 linguistic trap associated with, 6 as means of managing uncertainty, 15–17 of online games, 43 for online games, 71 of operations, 352–353 ownership of, 369 PCI-DSS, 289 perception of, 356–357 simplicity of, 19–20 subjective definitions of, 9 game security architectures Blind Service model, 123, 125 collaborative model, 124, 126 Trusted Third Party model, 122–123 game security incidents in 2001 to 2004, 378 in 2005, 377–378 in 2006, 373–377 in 2007, 372–373 and incident response, 354–356

Index

game servers putting mathematical models on, 171 using public keys with, 71 game services ensuring integrity of, 185 scams related to, 328–329 security-related components of, 340–341 systems included in, 340 using proxy servers with, 338–339 game state, attacking, 142, 183. See also state-based networking game usage, restricting, 304 gamers, stereotypes of, 24 games attacking via local applications, 132 high price of, 63 operating as services, 26 partial information in, 115 performing break-even analysis of, 26–27 physical security of, 63–64 retrospective verification of, 115 scams in, 345–347 GamesFirst! (Shawn Rider), 159 GameShark and R4 hardware hacks, 108 GameStop 2007 Annual Report, on used games market, 60–61 gaming versus gambling, 326 Gears of War, 143 ghosting in tournaments and ladder games, 198–199 Glider tool, using with World of Warcraft, 147–148 Gödel, Escher, Bach: an Eternal Golden Braid (Hofstadter), 19 Gödel’s Theorem, 19 gold farmers versus game operators, 236 motivations of, 17 gold farming countermeasures for, 232–236 defined, 223 impact on customer service, 231 objectives of, 13 overview of, 230–236 solutions for, 238–239 gold frauders, problem with, 241. See also fraud Grand Theft Auto: Liberty City Stories, 59 graphics engines versus game engines, 142 vulnerability of, 138, 142 graphics, exploit associated with, 109

391

grief, inflicting, 209–210 griefing behaviors associated with, 190 countermeasure for, 211 deterring, 213 game play, 215–217 high-score or player-name, 215 managing, 211 methods of, 209 solutions for, 212–215 Guangzhou Optisp (Legend of Mir 3), 67 Guild Wars (ArenaNet), 24 Guitar Hero, 98, 173–174

H Habbo Hotel, problems with virtual prostitution, 240 hacker proxies, overview of, 158–163 hackers, attacks by, 190 hacking versus exploits and cheating, 108 servers, 122 hacks, fake examples of, 148 Half-Life, 255 Halo 2 French version of, 271 insider fraud related to, 259 proxy problems with, 159 Halo 3, Save Films feature in, 179 harassment, dealing with, 220 hardware hacking difficulty of, 57 R4 and GameShark, 108 hash functions, using, 143, 182–184 Havok, physics engine from, 255 hidden state and partial information, 115 high-score games, cheating in, 181–182 high-score strategies, alternatives for, 185–186 high-speed games, problems with, 174 HMI (human-machine interface) design, importance of, 352 Hofstadter, Douglas (Gödel, Escher, Bach: an Eternal Golden Braid), 19 honeytrap memory, explained, 137

I I1 installation option, explained, 95 ID and checksum license key system, 35–36

392

Protecting Games: A Security Handbook for Game Developers and Publishers

identify theft, overview of, 306–308 identity establishing, 253 importance of, 296 problems with, 202–203, 294–295 state of, 295–296 identity cards, counterfeiting, 290 identity systems components of, 296–297 registration problem with, 296–302 types of, 298–300 Id Software, pricing of Rage, 62–63 ignore security strategy, explained, 14 Illegal Gambling Business Act of 1970, 331 illegal payments, overview of, 290–291 implicit features, including in games, 186 IMVU, 217–218 Incompleteness Theorem, proof of, 19 indemnification defined, 268 section in contracts, 350 independence, achieving goals of, 8 indirect data stores, explained, 136 Infocom (”feelies”), 34 Information Protection and Other Unnatural Acts (Harry Demaio), 6 inside players, problem with, 201 insider fraud countermeasure for, 262–264 occurrence of, 259–260 See also fraud installation considering in license policies, 53 options for, 95 insure security strategy, explained, 14 internal authoritative synchronization model, explained, 113–114 Internet use, security risk associated with, 258 Iron Realms (Achaea), 228 isolation and privileging, overview of, 262–264 Isolation in ACID, explained, 156 Ix installation option, explained, 95

J Jagex (RuneScape), popularity of, 62, 228 judgment proof, defined, 257

K keygens, explained, 36 key-loggers, use of, 4 keys. See license keys; public key kid-friendly services, securing, 316–317 kids communications, overview of, 316–319 Kim, Min, 104, 288 King, Stephen (The Plant), anti-piracy innovation of, 29 Knight Online, punishment related to, 248 Korea commercial game hack tools in, 149 outsourcing security in, 269 Koster, Raph, 229 Kowalski, Robin, 316 Kreb, B. (”Web Fraud 2.0”), 149–150

L ladder games collusion in, 197 game configuration, 198 ghosting, 198–199 ladders, use of, 193–194 law enforcement, overview of, 348–349 Lawrence Berkeley National Lab, investigation at, 7–8 lawsuits, dealing with, 272 layered security, significance of, 7 laziness, security problems caused by, 10 legal considerations federal laws and regulations, 331–332 overview of, 329–333 state laws and regulations, 332–333 Legend of Mir 3 (Guangzhou Optisp) fraud associated with, 259 server piracy of, 67, 122 The Legend of Zelda: Twilight Princess, 59 LGK (license generation key), sharing, 38 liability and business risk, overview of, 218–221 licensees and licensors, 271 replacing, 270 license keys ID and checksum, 35–36 online authorization, 37–38 protecting, 39 public key encryption, 36–37 splitting data for, 40–41 using, 39

Index

license policies controlling, 52–54 use in DRM systems, 51–54 licensing games, due diligence process of, 269 Limbo (Svenska Spel), 127–129, 197 Lineage II (NCsoft) bots for, 148 server piracy of, 67 Lineage III, 257 live connection, considering in license policies, 53 live play, overview of, 329 lobby attacks, 195–196 logging systems, inclusion in game services, 341 Lumines, 59

M MAC (Message Authentication Code) security policy model, explained, 51–52 using, 143 Magic: The Gathering exception game, 175 malicious code, targeted, 121 malware from Asia, statistic related to, 4 MapleStory (Nexon), popularity of, 62, 129 markets and regions, considering in license policies, 52 mathematical models, putting on game servers, 171 MD5 hash function, using, 143 Media Asset in DAS, features of, 86 MediaDefender service, 18 media piracy, fighting, 29 memory attacking, 132–134 in console games, 141 memory editors, use of, 133–134 merchant accounts, using, 277 Metaplace, 217–218 Metroid Prime Hunter, 141 MGame (Yulgang), 269 Microsoft’s Xbox 360 console, attack on, 33–34 MindArk (Entropia Universe), 130 MMOs movement to P2P (peer-to-peer) architecture, 70 simple game mechanics of, 67 vulnerability to server piracy, 66 moneybookers, using, 279 money, conversion of virtual currency into, 130 money laundering legal issues related to, 291–293 use by terrorists, 361

393

monitoring online services for children, 317 overview of, 316–319 Moore’s Law, relating to emulators, 56 Morris Trap, 300 movies, competition with game industry, 62 multi-player gaming, 79 paper by Matt Pritchard, 111

N N-1 Secure, goal of anti-cheating, 124–125 nagware, activation by anti-piracy systems, 42 NCsoft (Lineage II) bots for, 148 server piracy of, 67 Nelson, Major, 352–353 network games action based, 117–120 implementation of, 111 problems with, 159 state-based, 111–116 synchronization challenges, 115 network time, considering, 163–165 newest wins synchronization model, explained, 112–113 Nexon (MapleStory), popularity of, 62 Nine Inch Nails, anti-piracy innovation of, 29 ninja looting problem, explained, 216 Nintendo DS handheld console, 25, 28 trusted brand security of, 28–29 “NO DISK” hacks, popularity of, 35 “no download” games, 66 non-repudiation, explained, 213 NOOP instructions, replacing verification functions with, 140 number games, 169–170

O obfuscating data, 40–41 obfuscators DRM system, 50–51 use of, 134–137 obscenity, dealing with, 219–220 Office IT, infrastructure of, 258–259 online authorization license key system, 37–38 online gambling, success in Caribbean, 68

394

Protecting Games: A Security Handbook for Game Developers and Publishers

online game services ensuring integrity of, 185 scams related to, 328–329 security-related components of, 340–341 systems included in, 340 using proxy servers with, 338–339 online games alternative models for, 227–228 ease of building, 69 globalization of, 68 movement to P2P (peer-to-peer) architecture, 70–71 original reason for development of, 66 security focus for, 71 storage of, 43 online identity. See identity online payments, growth of, 70 online poker, solvers for, 146 operating systems, targeting directly, 56 operations, security of, 352–353 “The Orange Book,” security grades in, 51 outsourcing explained, 203 risks associated with, 256 OutWar, 197

P P2P (peer-to-peer) architecture movement of MMOs to, 70 movement of online games to, 70–71 packet hacks, types of, 161 parental controls, overview of, 316–319 partner security issues, 270–273 passwords, protecting with Morris Trap, 300 patterns, types of, 176 payment abuse, explained, 201–202 payments fraud, 287, 290–291 illegal, 290–291 processing, 276–280 PayPal, using, 277–282 PC games anti-piracy approach for, 35 pricing of, 62 PCI-DSS standard compliance with, 288 overview of, 289 pedophiles, dealing with, 315–316 penetration testing, weaknesses of, 17

phased distribution explained, 214–215 pacing, 215 physical security tokens, benefits of, 352 piracy cost of, 26 determining scope of, 24–28 estimated annual costs of, 4 insider, 69 international impact of, 23 measuring, 75–76 online game appliances, 69 owning problem of, 38 of PlayStation 2, 60 rate of, 23 reconsidering approach toward, 99 strategies toward, 25 as theft, 22 troubled partnerships, 69 See also anti-piracy; server piracy pirate networks, fighting, 76–78 pirates converting to resellers, 87 handling after catching, 42 pricing out of business, 62–63 Pirates of the Caribbean MMO game, 137 The Plant (Stephen King), anti-piracy innovation of, 29 platforms, considering in license policies, 53 player collusion, 127–129, 167 player handles, inappropriate, 187 players banning, 245 distinguishing from programs, 149–150 player systems, inclusion in game services, 341 PlayStation 2, piracy of, 60 poker, automation of, 147 pornography, child, 321–322 power-leveling defined, 223 overview of, 239–240 pre-paid cards, using, 279 Prince of Persia, replay system in, 179 Pritchard, Matt, 111 privacy, overview of, 306–308 privacy protection, legal requirements for, 308–310 private keys, signing messages with, 213 privileging and isolation, overview of, 262–264 programs, distinguishing from players, 149–150

Index

Project Entropia, 129 proprietary encoding DRM system, using, 50 protect, detect, react, 13 protection basis of, 366 challenge of, 16 global industry challenges, 367–368 including in development process, 18 security beyond technology, 368–369 protect security strategy, explained, 15 proxies defensive, 157–158 hacker, 158–163 proxy design, advantage of, 158 proxy servers, using with game services, 338–339 PR (public relations), perception of security in, 356–357 public key credentials, 299 encryption, 36–37 fighting replacement of, 72 using with game servers, 71 punishments cost of, 244–245 credibility of, 243–244 and credible deterrence, 245–248 goals of, 243–244 possibilities for, 245–248 puzzle games, 169–170, 186 Puzzle Pirates (Three Rings), 129 Python byte-code, attack on, 137

Q QuickTime, vulnerability of, 130

R R4 and GameShark hardware hacks, 108 race conditions and “dupe” exploits, 109 explained, 108 occurrence of, 155–156 in World of Warcraft, 156 Radiohead, anti-piracy innovation of, 29 Rage (Id Software), pricing of, 62–63 Ragnarok Online (Shanda Interactive), 67, 156 rake abuse, explained, 201–202 randomized features, using, 172 randomly seeded client solution, implementing, 184 random number systems, 125–127

395

Random, role in CAARDS reference model, 110 rank boosting and busting, 196 ranking systems countermeasures for, 204 overview of, 192–195 purposes for, 194 types of, 193–194 react security strategy, explained, 15 real world attacking via virtual world, 360 establishing strong identity in, 253 money in, 252 the insider problem in, 252 recover strategy, explained, 13 regions and markets, considering in license policies, 52 registration considering in license policies, 53 options for, 94 problems with, 296–300 Reign of Revolution, 326 the remote data problem action-based networking, 117–120 client/authoritative server networking, 116–117 state-based networking, 111–116 replayable game logs, explained, 186 resync attack, explained, 161 reward security strategy, explained, 14 rewriteable DVDs, manipulating in console attacks, 56 RF Online, cheating in, 355 Rider, Shawn (GamesFirst!), 159 risk, impact on protection, 12–13 RIS (rich interaction systems), 79–84, 102. See also anti-piracy RMT (real-money transactions), fairness of, 105 Rock Band, 98 rock-paper-scissors game, 162–163 Roma Victor, punishment related to, 248 RO: Registration Optional option, explained, 94 round robin method, using with merchant accounts, 277 Royal Canadian Mounted Police, impact of piracy on, 23 RR registration option, explained, 94 rules processing, types of, 119 Rules, role in CAARDS reference model, 110 RuneScape (Jagex), popularity of, 62, 228 RunUO Products Page, 67 Rxx (D or T) registration option, explained, 94

396

Protecting Games: A Security Handbook for Game Developers and Publishers

S save game files, attacking in console games, 141 scalability and availability, overview of, 339–340 scams in games, overview of, 344–347 score table constants, altering, 183 Scrabble Word Finder, 169 Second Life, 129–130, 217–218 secure bootstrapping, 58, 143 secure loading, process for, 143 secure operations, 352–353 security accountability in third-party development, 267–268 accountability in third-party licensing, 268–270 balancing with ease of use, 55–56 being concerned about, 3–5 beyond technology, 368–369 business of, 367–370 challenge of, 5 versus complexity, 19 contract considerations, 266–267 contracting, 266–267 of digital distribution, 87–91 effectiveness of, 7 elements of, 3 fatalistic attitudes toward, 6 importance of, 3 importance to consumers, 4 linguistic trap associated with, 6 as means of managing uncertainty, 15–17 of online games, 43, 71 of operations, 352–353 ownership of, 369 PCI-DSS, 289 perception of, 356–357 simplicity of, 19–20 subjective definitions of, 9 security by obscurity, 19 security client, using in cheat detection systems, 150 security insanities, types of, 365–366 security issues game service scams, 328–329 live play, 329 poker, contest, and skill game bots, 329 security label DRM system, using, 49 security principles Anything easy, 7 Effective security, 7

Make adversary work, 16 Simplicity, 19 security problems causes of, 10–12 impact on business, 129–130 occurrence of, 9 security software, bundling with game security tools, 154 security strategies avoid, 14 delegate, 14 detect, 15 deter, 15 ignore, 14 insure, 14 protect, 15 react, 15 recover, 13 reward, 14 security testing tools, using, 18 security tokens, use of, 299 self-improvement game, Brain Age as, 169 server code reverse engineering of, 68 stealing, 68 server networking, client/authoritative, 116–117 server piracy combating, 70 versus service piracy, 68 trends in, 66–70 See also piracy servers authenticating, 70–72 cheating by, 111 hacking, 122 service providers, partner security issues related to, 270–273 sexual favors (virtual), problems with, 240 Shanda Interactive (Ragnarok Online), pirate server for, 67, 156 shared knowledge collusion, explained, 128 shills, problem with, 201 signatures, attempts at stabilization of, 16 silent filter services, using for children, 317 The Sims Online, problem with virtual sexual favors, 240 SiN Episode 1 (Valve’s Steam service), 24 single-player games cheating in, 103, 106 pattern used in, 176

Index

skill games overview of, 186, 327–328 retrofitting, 206 smart USB tokens, use of, 149 Smedley, John, 236–237 social subversion overview of, 190–191 threat of, 366 Söderström, Hampus (Toribash), 175 soft failures, explained, 137 SoftICE tool, use in Diablo attack, 120–121 software attacks goal of, 57 tracking progress of, 59 Sony’s BMG Rootkit, 18 unpopularity of, 25 use with World of Warcraft, 151 Sony’s PSP Game Save problems associated with, 59 problems with downgraders, 58 problems with image viewer, 59 source authentication, achieving, 73 spam and griefing, 190, 209–215 speed hacks, types of, 160–161 Spel, Svenska (Limbo), 197 split data stores, explained, 137 split delivery DRM system, using, 51 splitting data, 40–41 Spore (Electronic Arts), 217 sporting events, legal wages based on, 331 SQL injection attacks, vulnerability to, 157 SSL, problem with, 183 stalkers, dealing with, 315–316 standbying, explained, 161 Stardock (Brad Wardell), 24–25 StarForce anti-piracy product anti-piracy saga, 18 duplication strategy of, 33 unpopularity of, 25 Star Wars: Galaxies, vulnerability to server piracy, 66 state, attacking, 142, 183 state-based networking versus action based networking, 119 problem with, 116 synchronization models, 112–114 state information, reading, 134 State, role in CAARDS reference model, 110 stat guarding, defined, 199

397

statistical independence, achieving goals of, 8 steganography, using in secure digital distribution, 88–89 Stoll, Clifford (The Cuckoo’s Egg), 7 strategy versus cheating, 146–149 strong play tool, Scrabble Word Finder as, 169 strong strategies, use of, 175 stupidity, security problems caused by, 10–11 subletting, explained, 240 Sudoku, solvers for, 146 surveillance, availability in cheat detection systems, 152 Svenska Spell (Limbo), 127–129 synchronization models, using with distributed state systems, 112–114 syndicates and bots, 197 system memory, attacking, 132–134

T tag DRM system, using, 49 A Tale in the Desert, 194, 204 terrorism (virtual), overview of, 359–360 terrorists, online tools for, 360–362 the insider problem, perception of, 252 Thorp, Edward (”Beat the Dealer”), 170 threats, impact on protection, 12–13 Three Rings (Puzzle Pirates), 129 tiered distribution, considering in license policies, 53 till fraud, explained, 201–202 time policy, creating, 163–165 timers, considering in license policies, 53 time, securing, 165 “time to penis,” 217 Titan Quest, 42 Toontown Online, griefing solution for, 212 Toribash (Hampus Söderström), 175 tournaments collusion in, 197 countermeasures for, 204 game configuration, 198 ghosting, 198–199 growth of, 190 and lobby spiking, 195 overview of, 192–195 retrofitting games for, 206 TPM (Trusted Platform Module), 58, 90 trademark infringement, occurrence of, 220–221 Travel Act, 331

398

Protecting Games: A Security Handbook for Game Developers and Publishers

trivia games, 167–169 trusted brand security, Nintendo and ADV Films, 28–29 trusted client problem, 111 trusted platforms, problems with, 9 trusted third party model, 122–123 Turbo Squid, 220–221 Turing, Alan, 19 turn-based physics games, skill games based on, 171

U Ubisoft lawsuit, 257 Ultima Online, vulnerability to server piracy, 66 UltimateBet.com online poker site, 122, 126 Ultimate Online Baseball MMO, 199 ultra-violence, explained, 202 uncertainty, managing, 15–17 Unreal (Epic Software), popularity of, 50 usage controls, overview of, 304–306 USB tokens, use of, 149 used games market anti-piracy strategies for, 61 revenue generated by, 60 user account system, inclusion in game services, 341 user-created content, overview of, 217–218 user types, categorizing for license policies, 52 U.S., legal requirements for privacy protection, 309

W wallhack, explained, 142 Wardell, Brad (Stardock), 24–25 watermarking DRM system attacks on, 48 using, 47 “Web Fraud 2.0,” (B. Kreb), 149–150 web of trust, problem with, 301 whitelist authorization service, supporting, 338–339 whitelist chat services, using for children, 317 whitelists versus blacklists, 151 Wikipedia, attacks on, 362 Wire Act, 331 word games, 169–170 WOW (World of Warcraft), 217 attack by Sony BMG’s Rootkit, 18 authentication token for, 4 licensing of, 69 player collusion in, 128–129 race condition in, 156 Sony BMG Rootkit used with, 151 using Glider tool with, 147–148

X Xbox 360 console (Microsoft), attack on, 33–34, 56 Xbox Live, internal security problems with, 352–353

V

Y

validation considering in license policies, 53 importance of, 41 Valve’s Steam service (SiN Episode 1), 24 verification functions, replacing with NOOP instructions, 140 video game consoles versus DVD players, 62 virtual currency, conversion into money, 130 virtual items, ownership of, 228–229 virtualization tools, use of, 120–121 virtual prostitution explained, 240 problem with Habbo Hotel, 240 virtual terrorism, 359–360 virtual worlds, attacks on, 359–360 Vote synchronization model, explained, 113 V: Registration Value option, explained, 94 vulnerabilities, impact on protection, 12–13

Yee, Nick, 225 YouTube threat, 148 Yulgang (MGame), 130, 269

Z zero-sum scoring, 200