Developers vs Cybercriminals: Protecting your MMO from online crime

Patrick Wyatt's presentation from GDC 2010: Developers versus Cybercriminals: Protecting your MMO from online crime

  • Copyright March 2010 by En Masse Entertainment. This document is distributed under the Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States. Please see http://creativecommons.org/licenses/by-nc-nd/3.0/us/ for further details.
  • Transcript

    • 1. Developers versus Cybercriminals
      Protecting your MMO from online crime
      Patrick Wyatt
      En Masse Entertainment
      Copyright March 2010 by En Masse Entertainment. This document is distributed under the Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States. Please see http://creativecommons.org/licenses/by-nc-nd/3.0/us/ for further details.
    • 2. Please note: this presentation differs from the one I gave at GDC 2010 by the inclusion of my notes in additional slides. All other content remains the same.
    • 3. MMO profit potential
      Game hacking
      Gold farming
      Billing fraud
      Chat spam
      Phishing
      Account theft
      Griefing
    • 4. MMO profit potential - notes
      Everyone is aware of the amount of money that has been made by a few standout titles in the MMO space, and consequently there’s a lot of interest in challenging those front-runners by making a great game that users will love. But you can spend $30-70 million making a great MMO that users love to play that still won’t be successful unless you’re prepared to face a challenge that's unrelated to making a fun game: hacking.
      The problems associated with hacking can destroy the fun of your online world, cause paying customers to leave in rage, and result in billing fraud issues that can ruin your business.
    • 5. Background
      Credits
      Warcraft: Orcs versus Humans
      Warcraft 2: Tides of Darkness
      Warcraft 2: Beyond the Dark Portal
      Diablo
      Diablo 2
      Starcraft
      Starcraft: Brood War
      battle.net
      Guild Wars Prophecies
      Guild Wars Factions
      Guild Wars Nightfall
      Guild Wars: Eye of the North
      Aion
      TERA (releasing early 2011)
      http://www.mobygames.com/developer/sheet/view/developerId,1019/
    • 6. Threat modeling / attack surface
    • 7. Threat modeling / attack surface
      If you read security literature it seems incredibly abstract, with discussions about minimizing the “attack surface” exposed to hackers, but few practical examples about what to look for or how to fix the problems. This presentation is an attempt to eliminate the disconnect between the theoretical approaches and the problem we’re trying to solve: stopping hackers from ruining our games!
    • 8. Game hacking
      Hacking games is as easy as it was 20 years ago when I began hacking in earnest.
      My earliest successful attempt at game hacking was with a game called Armor Alley on the Macintosh. It was a hybrid 2D, side-scrolling helicopter simulator (similar to ChopLifter) coupled with a real-time strategy component where ground-units (infantry, tanks and anti-aircraft guns) could be purchased for cash. By simply changing the amount of cash in memory I was able to buy as many units as I liked and trivially win the game. But more to the point, I could do the same thing in a two-player game! It would have been easy for the developers to ensure that the other player’s computer validated that purchases were legal, and that the opponent was making a purchase that was backed up by money already in the account, but apparently it wasn’t considered important.
      The developers of Modern Warfare 2 seem to have taken the same approach to game hacking: ignoring it. Given that aimbot, wallhack, speedhack, field-of-view-hack, and many other hacks have been developed since the invention of First-Person Shooter games, they apparently spent little time developing solutions. Perhaps the most egregious hack was one where the hackers *tried* to get killed; every time they were killed by another player, instead of that player getting rewarded with kill-points, they would lose 800,000 points from their kill-score! This is simply a failure on the part of the developers. At the same time, since their game sold $1 billion worth of product (perhaps more by the time you read this), it may not be critical for FPS games.
      In an online virtual world game, where our goal is to attract and *retain* players for long periods of time, stopping hacking is (apparently) more important.
    • 9. How did my early attempts fare?
      With my early knowledge of game-hacking, and a Computer Science degree to my name, I thought I would be able to do a good job of preventing game exploits, but hacks affected my early attempts too.
      Warcraft (more specifically, Warcraft 1, Warcraft 2 and Starcraft, which all used the same engine) has a fully-synchronized network model that is “unhackable”. All actions from each player are simultaneously validated on every computer before they’re allowed to be activated, and invalid actions aren’t permitted. So if a hacker were to alter the amount of gold in his counting-house, while it would register on his own computer, other computers would disallow purchases which attempted to use the illegal gold. Unfortunately it turns out that, because every computer knows the entire state of the world in order to be able to validate player orders, it also means that it is possible to peek into the game state to see what the other player is building, how many units he has, and where they’re deployed, effectively destroying the fog-of-war that makes the game particularly hard (and fun). This is known as an information disclosure vulnerability, and means that the game needs trusted referees to be played securely.
      Another problem is creating a game-desynchronization bug to avoid a loss. If there are two computers in the game and they disagree about the state of the game, the only recourse is to throw away the results.
      Diablo was originally going to use the same network model as Warcraft, which would have prevented some amount of in-game cheating, but it was basically impossible to retrofit a secure networking model onto what was basically a giant hack to begin with. Consequently I had to invent what I now refer to as a “loosely synchronized network model”, where the first player who visits a level becomes the “level master”, and is responsible for tracking game state and performing some minimal level of validation of player actions. But because one player’s computer is the level master, that player has godlike powers to modify the game state as well as exploit or even kill other players. Repeated attempts to correct these problems were only moderately effective because the basic network model was flawed.
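The fully-synchronized model described above, as an added sketch that is not code from the presentation or from any Blizzard game: every computer validates the same broadcast orders against its own full replica, so edited gold is honoured only on the cheater's machine and the replicas then disagree. The unit prices, the `Replica` class and the per-turn state digest are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field

UNIT_COST = {"footman": 60, "archer": 70}   # constructed prices


@dataclass
class Replica:
    """One computer's full copy of the game state (every player's data).

    Holding everyone's state is what makes validation possible, and also
    what lets a local tool read the opponent's units (the information
    disclosure problem the slide describes).
    """
    gold: dict                                   # player -> gold
    units: dict = field(default_factory=dict)    # player -> list of unit names

    def apply(self, player, order):
        """Validate an order against THIS replica's state, then apply it.

        Returns True if the order was legal here, False if it was dropped.
        """
        kind, unit = order
        cost = UNIT_COST.get(unit)
        if kind != "buy" or cost is None:
            return False
        if self.gold.get(player, 0) < cost:
            return False                         # purchase not backed by gold
        self.gold[player] -= cost
        self.units.setdefault(player, []).append(unit)
        return True

    def digest(self):
        """Hash of the whole state, compared between peers to detect desync."""
        blob = repr((sorted(self.gold.items()),
                     sorted((p, tuple(u)) for p, u in self.units.items())))
        return hashlib.sha256(blob.encode()).hexdigest()


def run_turn(replicas, orders):
    """Deliver the same orders to every replica.

    Returns (per-replica accept/reject lists, True if all digests agree).
    """
    results = {name: [r.apply(p, o) for p, o in orders]
               for name, r in replicas.items()}
    in_sync = len({r.digest() for r in replicas.values()}) == 1
    return results, in_sync


def demo():
    start = {"alice": 100, "mallory": 50}
    replicas = {"alice_pc": Replica(dict(start)),
                "mallory_pc": Replica(dict(start))}
    # Mallory edits the gold value in memory on her own machine only.
    replicas["mallory_pc"].gold["mallory"] = 10_000
    orders = [("alice", ("buy", "footman")), ("mallory", ("buy", "archer"))]
    return run_turn(replicas, orders)


if __name__ == "__main__":
    print(demo())
```

Alice's machine drops Mallory's purchase, Mallory's machine accepts it, and the digests no longer match, which is the disagreement that forces the result to be thrown away.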
    • 10. Hackers – Why do they do it?
      Rather than thinking about the “attack surface” of the game, I think a good conceptual way to start looking at the problem of hacking is to understand the motivations of hackers. There are lots of reasons that people hack, and we need to focus our efforts on the ones that have deleterious effects on the game-world: griefing, gold-farming and gray-sharding, which I’ll describe in the next few slides.
      Education
      Fun
      Challenge
      Reducing grind
      Causing grief
      Profit
      Outright theft of business
    • 11. Griefing
      Griefers get their jollies causing anguish. No, really!
      Exploiting game system weaknesses
      Exploiting network protocol weaknesses
      Exploiting operating system weaknesses
    • 12. Griefing Notes
      Griefers like to make players angry; that's how they have their fun. Unfortunately their behavior is incredibly detrimental to the community, game stickiness and player longevity. Victims of griefing are more than unhappy; they can be so enraged they quit the game in anger. The behavior is so common it’s known as “rage-quitting”.
      Here are some methods that griefers have used to annoy gamers:
      1. Exploiting game mechanics:
      • Spamming messages in chat channels to overwhelm legitimate chat.
      • Substituting worthless or inexpensive items for valuable ones during trades.
      • Blocking access to areas players would like to visit.
      • Monopolizing game markets to prevent players from purchasing items they need.
      • Many, many more.
      To address these types of exploits it’s necessary to hire designers who think about griefing. In fact, hiring one or more griefers on the design team will likely make for a better play experience for players because those designers will be more aware of the exploits of the systems they’re creating. Ultimately, play mechanics must be designed with the idea that players will attempt to exploit the game.
      2. Exploiting game programming weaknesses:
      • Send messages to appear to be from another player or from the server.
      • Flood other players’ Internet connections to overwhelm their network router.
      • Send messages that are designed to crash the game client or even the operating system. It was possible to send the so-called “Ping of Death” to Windows 95 computers that could crash the computer, and many games have similar bugs.
      • Overwhelm servers with computation ("gray goo" in Second Life).
      It’s necessary for the programming team to develop strong network protocols that validate every message that’s sent to the server, and to ensure that client systems in peer-to-peer games can differentiate between messages sent by different players using a cryptographically secure mechanism.
      3. Meta-griefing or large-scale hacking:
      • Distributed denial-of-service attack. (Aion was attacked on launch day by determined hackers who tried to flood it off the ‘net).
      • Slowloris: too many connections from one or more computers.
      These types of hacks can be considerably more difficult to deal with, and can require coordinated efforts on the part of the development and network operations teams.
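One way a peer-to-peer client can tell players' messages apart cryptographically, as an added example that is not from the presentation: each remote player has their own secret key, and every packet carries an HMAC over the sender id, a sequence number and the payload. The packet layout, the `PeerChannel` class and the way keys are distributed (for example by a lobby server) are assumptions.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct("!IQ")   # sender player id, per-sender sequence number
TAG_LEN = 32                    # HMAC-SHA256 output size in bytes


def seal(key, player_id, seq, payload):
    """Build a packet: header + payload + HMAC over both."""
    body = HEADER.pack(player_id, seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class PeerChannel:
    """Receiving side of a peer-to-peer link: one secret key per remote player."""

    def __init__(self):
        self.keys = {}       # player_id -> key shared only with that player
        self.last_seq = {}   # player_id -> highest sequence number accepted

    def add_peer(self, player_id, key):
        self.keys[player_id] = key
        self.last_seq[player_id] = -1

    def accept(self, packet):
        """Return (player_id, payload) for a genuine, fresh packet, else None."""
        if len(packet) < HEADER.size + TAG_LEN:
            return None                           # too short to be valid
        player_id, seq = HEADER.unpack_from(packet)
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        key = self.keys.get(player_id)
        if key is None:
            return None                           # unknown sender
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                           # spoofed sender or altered data
        if seq <= self.last_seq[player_id]:
            return None                           # replay of an old packet
        self.last_seq[player_id] = seq
        return player_id, body[HEADER.size:]


def demo():
    alice_key, mallory_key = b"A" * 32, b"M" * 32   # constructed keys
    rx = PeerChannel()
    rx.add_peer(1, alice_key)       # player 1 = alice
    rx.add_peer(2, mallory_key)     # player 2 = mallory
    genuine = seal(alice_key, 1, 0, b"move 10 4")
    # Mallory claims to be player 1 but can only MAC with her own key.
    forged = seal(mallory_key, 1, 1, b"drop all items")
    # Payload changed in transit, original tag kept.
    tampered = genuine[:HEADER.size] + b"move 99 9" + genuine[-TAG_LEN:]
    return [rx.accept(genuine), rx.accept(genuine),
            rx.accept(forged), rx.accept(tampered)]


if __name__ == "__main__":
    print(demo())
```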
    • 13. Why griefing is so pernicious
      Victims are mad and may leave the game = loss of revenue
      It costs money to provide help to griefing victims = customer support costs
      In addition to the loss of revenue that occurs when victims of griefing drop out of your game, it can cost more money when the Customer Support department is called in to help with the problem.
    • 14. Gold Farming Notes
      $1B – $10B industry with many negative effects:
      Economic inflation
      Game exploitation
      Chat spam
      Billing Fraud
      Phishing
      Account Theft
      Physical Goods Theft
    • 15. Gold Farming
      The next major area of hacking I’d like to address is gold farming.
      It's big business:
      - 400,000 - 1,000,000 professional gold-farmers worldwide
      - Somewhere between $1 - $10 billion dollar industry; potentially higher revenues than the game business!
      Why gold farming is a problem:
      - Economic inflation: games lack enough cash outflows because renting and leasing aren't "fun"; we're not playing Papers & Paychecks.
      - Design ideas have to be watered down because of the risks of exploitation by players.
      - Perception that rewards aren't earned diminishes the bragging rights associated with owning those rewards.
      - Gold farmers are in business to make money, and have no scruples about breaking terms-of-service and criminal laws:
      Account theft
      Masquerading as a figure of authority, like a GM
      Phishing emails, use of similar URLs, theft of account databases
      Fraudulent credit card and other payment methods
      Theft of physical goods (trailer trucks of game boxes)
      There is no disincentive to stop: because they generally live in countries with minimal intellectual property rights (e.g. China, Russia, etc.) there are no criminal charges or fines; the only disincentive is the inability of the hackers to generate revenue and turn a profit.
    • 16. Gold Farming: even worse than you think
      Why gold farming is so pernicious:
      It costs money to help players get their accounts back
      Players who have been hacked are mad at the company and may leave
      Fraud costs money:
      • Financial transaction costs - credit-card and other payment fees are non-refundable; the company eats it
      • Prevention costs - licensing and per-transaction fees; technology integration and management costs
      • Loss of customers who appear to be fraudsters (false positives)
      • High chargeback rates lead to high fines (six figures or more) or revocation of the ability to take payment
      The console business model is based around a short shelf-life, but sales are critical to the life-cycle of MMOs because they need to continue to attract customers to stay healthy. Because games stay on retail shelves for such a short period of time, if the company can't sell the game online the game will die a certain death.
    • 20. Gold-farming solutions
      Stopping the supply of illegal gold
      Device fingerprinting
      Proxy detection
      Phishing site detection and takedown
      Transaction review
      Telephone verification
      Shipping address verification
      Two-factor authentication
      Analytics: Banning players who “fit the profile” of gold farmers
      There are no easy solutions to stopping the *gold-supply* problem; it requires a substantial effort by an experienced security team that stays on top of phishing sites, tracks bot rings, reviews billing transactions, and analyzes player behavior to eliminate suspected gold-farmers from the player-base.
      Further, it’s necessary to consider how to reduce the risk that players lose their accounts to gold-farmers, so looking into solutions like two factor authentication using security tokens or mobile phone apps that can generate “one time passwords” (OTP) is a good idea.
    • 21. Gold-farming solutions
      A novel solution used in Eve Online is to reduce the “demand-side” part of the gold-farming problem; it’s called PLEX, which stands for Pilot License Extension. CCP Games allows players to purchase time-cards (using real-world money), and those time cards can be traded in the game world for gold (actually ISK in Eve). By creating a legitimate and safe market to purchase gold, players will use that market instead of resorting to the illegal market with all its attendant risks, including credit card fraud, phishing, and the risk of account ban.
      For more information on PLEX, check out these articles:
      • http://www.eveonline.com/devblog.asp?a=blog&bid=684
      • http://wiki.eveonline.com/en/wiki/30_days_Concord_Pilot_License_Extension
    • Gray Sharding
      Problem: theft of server binaries or code
      Mir and Lineage 2 binaries
      Half Life 2 and Lineage 2 source
      Infocom floppy disks!?!
      Rewrite of Aion server
      Solutions:
      Physical security
      Separate development network
      Two factor security for dev/ops
      Datacenter security/TPM
      Be nice to employees
    • 23. Gray Sharding Notes
      Gray shards (also known as “private servers”) are game worlds that are run by criminals for their own profit. Based on estimates of player populations, it’s likely that there are more gamers playing Lineage 2 on gray shards than there are playing on legitimate servers.
      Criminals get access to server binaries through a variety of methods; it’s the job of the game development and operations teams to ensure that they close these loopholes to prevent their game from leaking:
      • Theft from the datacenter. Lineage 2 binaries were stolen when a datacenter employee walked out with a mirrored hard drive.
      • Theft of the game source code. Valve Software lost the source code to Half Life 2 via a Trojan program sent via email.
      • Theft from the development studio. A million years ago when games were still released on floppy disks, armed robbers stole one of Infocom's text-adventure games immediately prior to its commercial release.
      Some considerations regarding physical security
      • Consider isolating the development network, which contains source code and binaries, from the Internet.
      • Require that operations staff use two-factor authentication when accessing servers to reduce the likelihood of Trojan attacks against datacenters.
      • Use TPM chips on hardware to encrypt the contents of hard-drives so that their theft doesn’t allow hackers to get access to code and/or binaries.
      • Be nice to your employees! Based on the employment horror stories that seem to be commonplace within the game industry, the possibility of leaks from disaffected employees is quite high. Employees should receive meaningful profit incentives tied to the success of their games and the development/publishing studio so that they’re partners in the success of the game.
    • Real live problems
      Guild Wars “comps” exploit
      Guild Wars trader arbitrage
      Lineage 2 SQL injection
      Aion Chat Spam
      Aion “account services” site (phishing)
      PlayNC password reset “birthday” vulnerability
      Guild Wars fansite account database theft
      RockYou account database theft
      Brute force attack against common password choices
      Sarah Palin well-known information attack
      Theft of credentials by “power-leveling” services
      Single sign-on weakest link attack
      Network protocol sniffing on shared networks
      Trojan player via Flash vulnerability
      Guild Wars network-fuzzing attack
      Gaming the support department
    • 29. Real live problems: notes
      Guild Wars “comps” exploit
      • A hacker discovered that the components (“comps”) used to craft an object were only properly validated on the game client; the game server’s validation code contained a bug which would allow the creation of new items without all the necessary components. It should have been the case that all of the validation code was on the server, and none on the client, as the client code masked the vulnerability.
      Guild Wars trader arbitrage
      • A failure of the server hosting the matchmaking service required that the operations team spin up a new server. Because there was no operations manual for creating a new matchmaking server, no one knew that the “trading service” needed to be initialized with the same data as all of the other live trading services. Consequently the European trading server had radically different pricing information than other servers, and players, in the best imitation of Wall Street traders, arbitraged the pricing difference. Three hours later it was necessary to roll back the game database because there was so much gold injected into the world economy. Failures: lack of good operational procedures, poor choices in the design of the trading service, no tools to automatically detect trade imbalances. Successes: database backup and rollback procedures were successful in restoring game state after an outage.
    • Real live problems: notes
      Lineage 2 SQL injection
      • In-game forum postings were not properly validated to prevent SQL injection; hackers from a Russian IP address were able to delete the databases of Lineage 2 servers in North America and Europe, necessitating a database restore. Failures: never, never, never construct SQL statements using string concatenation; use parameterized SQL – it’s been around since like forever! A similar issue existed in Aion character names during beta; new development teams seem doomed to repeat the mistakes of their predecessors – learn from others!
      Aion Chat Spam
      • Why do Korean games imported to the West have huge problems with chat spam? Because in Korea people who play games are required to enter their citizenship ID number, which can be validated in real-time against a government registry. Players who misbehave are banned and can no longer play, but at the expense of having a strong government ID number, something abhorrent to many Westerners because of the potential for misuse by the criminals and the government (if that’s not redundant). Since chat-spam isn’t a problem in Korea, the developers haven’t spent the effort to develop strong anti-spam tools. This problem is eminently foreseeable, but requires that the development team is willing to implement appropriate solutions proposed by the local publishing organization.
      • The fundamental issue for Western games is to shorten the path to detecting and eliminating problem users. If it takes an hour for a report to make it through the petition-queue before a player is banned, he will already have had time to create another account to start spamming. It’s necessary to look at solutions that can immediately eliminate the problem.
      • Further, players must have tools to regulate the problem; if a player can’t squelch someone annoying the only alternatives are to accept the behavior or go somewhere else, maybe even out of the game. We don’t want that, right?
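The SQL injection note on this slide says to use parameterized SQL rather than string concatenation. The following is an added example, not code from Lineage 2, Aion or the presentation, that puts the two side by side using Python's `sqlite3`; the table layout, character names and the hostile input string are constructed for illustration.

```python
import sqlite3

# Constructed hostile input: a "character name" that closes the string
# literal and appends a condition that is always true.
HOSTILE_NAME = "x' OR '1'='1"


def make_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE characters (name TEXT PRIMARY KEY, account TEXT, gold INTEGER);
        CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT);
    """)
    conn.executemany(
        "INSERT INTO characters VALUES (?, ?, ?)",
        [("Aria", "acct-1", 120), ("Brakk", "acct-2", 9000), ("Cyn", "acct-3", 15)],
    )
    return conn


def find_character_unsafe(conn, name):
    """BEFORE: the input is pasted into the statement, so it is parsed as SQL."""
    sql = "SELECT name, gold FROM characters WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_character_safe(conn, name):
    """AFTER: the statement is fixed; the input travels separately as data."""
    sql = "SELECT name, gold FROM characters WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def add_post_safe(conn, author, body):
    """Store a forum post with bound parameters and return what was stored."""
    cur = conn.execute(
        "INSERT INTO posts (author, body) VALUES (?, ?)", (author, body)
    )
    row = conn.execute(
        "SELECT body FROM posts WHERE id = ?", (cur.lastrowid,)
    ).fetchone()
    return row[0]


def demo():
    conn = make_db()
    return {
        # Concatenation: the WHERE clause becomes always-true, every row leaks.
        "unsafe_rows": len(find_character_unsafe(conn, HOSTILE_NAME)),
        # Parameterized: no character has that literal name, nothing returned.
        "safe_rows": len(find_character_safe(conn, HOSTILE_NAME)),
        # Quotes and comment markers in a post are stored verbatim as text.
        "stored_post": add_post_safe(conn, "Aria", "it's a trap'); -- "),
    }


if __name__ == "__main__":
    print(demo())
```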
    • Real live problems: notes
      Some meta-game vulnerabilities used by hackers
      • Brute-force password guessing against authentication servers using multiple source computers and multiple destination login servers. Solution: you *did* implement rate-limiting, didn’t you?
      • Finding the weakest link for single sign-on services; there may be many different login gateways and one has weak authentication or rate-limiting. Solution: make sure all authentication gateways share a common pathway that monitors and prevents rapid account attacks.
      • Steal database with passwords stored in plaintext (compromised RockYou database contained 32 million passwords). Solution: use the SRP-6a password storage algorithm, puh-lease.
      • Password guessing against known accounts using common passwords (10% of users in one game I worked on used trivially weak passwords). Solution: like Twitter, you should disallow users from choosing weak passwords like “1234567”, “qwertyioup” and “password”.
      • Phishing: copy a real site and steal user credentials. Solution: your security team will need to seek out and report phishing sites daily.
      • Host a game forum and try logging in using the same credentials in the game. Solution: consider two-factor authentication.
      • Steal the accounts of users who sign up for your “power leveling” service. Solution: tell users to change their passwords after power-leveling; we don’t *want* them to power level, but like kids having sex, it’s gonna happen – do you want your high school kid to be pregnant, or use a condom?
      • Listen on unsecured channels; some college networks are sometimes weak. Solution: make sure you’re using good crypto to forestall listening attacks.
      • Use password reset process to get new password, because users many times choose bad password reset “hint” questions. This hack was used successfully to exploit Sarah Palin’s account; the hacker answered a security question about her mother's maiden name. Solution: try to select questions with answers that can’t be guessed by hackers using Google.
      • Scam other players by making modifications to the trade window. Solution: call out modifications to the trade window! Show players the estimated value of the trade they’re making (both what they’re giving and what they’re getting).
      • Don’t implement input filtering: UNICODE BOM (byte-order-mark character) crashed GW; smiley character crashed Aion. Solution: implement strong parameter validation, and perform “server fuzzing attacks” against your own servers to detect flaws.
      Even more compromises:
      • Session fixation vulnerability: if you don’t know what it is, read up.
      • Accounts hacked via Flash vulnerability; Guild Wars web site updated to detect obsolete Flash version and suggest that users upgrade.
      • The support department can be gamed by hackers just like users; make sure that the support team keeps notes on players so they can give customers good support, but detect when they’re being repeatedly socially-engineered by a bad-guy.
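The first two items on this slide (rate-limiting, and a common pathway shared by all authentication gateways) can be shown together. This is an added example, not code from the presentation: three login gateways either share one throttle or each keep their own, and the same spread-out guessing run is replayed against both setups. The class names, limits, gateway names and documentation-range source addresses are assumptions.

```python
import hmac
from collections import defaultdict, deque


class AuthThrottle:
    """Sliding-window failure counter keyed by account and by source address."""

    def __init__(self, max_per_account=5, max_per_source=20, window=300.0):
        self.max_per_account = max_per_account
        self.max_per_source = max_per_source
        self.window = window                      # seconds
        self._by_account = defaultdict(deque)     # account -> failure times
        self._by_source = defaultdict(deque)      # source  -> failure times

    def _recent(self, times, now):
        """Drop failures older than the window and count what is left."""
        while times and now - times[0] >= self.window:
            times.popleft()
        return len(times)

    def allowed(self, account, source, now):
        return (self._recent(self._by_account[account], now) < self.max_per_account
                and self._recent(self._by_source[source], now) < self.max_per_source)

    def record_failure(self, account, source, now):
        self._by_account[account].append(now)
        self._by_source[source].append(now)


class Gateway:
    """One login front end (web site, game client, forum, ...)."""

    def __init__(self, name, throttle, verify):
        self.name, self.throttle, self.verify = name, throttle, verify

    def login(self, account, password, source, now):
        if not self.throttle.allowed(account, source, now):
            return "throttled"                    # refused before any check
        if self.verify(account, password):
            return "ok"
        self.throttle.record_failure(account, source, now)
        return "bad"


def verify(account, password):
    """Stand-in for the real credential check (constructed test account)."""
    return account == "alice" and hmac.compare_digest(
        password.encode(), b"correct horse")


def simulate(shared):
    """Replay 12 guesses spread over 3 gateways and 4 source addresses."""
    common = AuthThrottle()
    gateways = [Gateway(n, common if shared else AuthThrottle(), verify)
                for n in ("web", "game", "forum")]
    outcomes = []
    for i in range(12):
        gw = gateways[i % 3]
        source = f"198.51.100.{i % 4}"            # documentation address range
        outcomes.append(gw.login("alice", f"guess{i}", source, now=float(i)))
    return outcomes


if __name__ == "__main__":
    print("separate:", simulate(shared=False))
    print("shared:  ", simulate(shared=True))
```

With separate throttles no gateway ever sees more than four failures, so all twelve guesses are evaluated; with the shared one the account is throttled after five. A throttled account also refuses the correct password until the window expires, so the limits are a trade-off against lockout abuse.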
    • Two Factor Authentication: not a panacea
    • 44. Two Factor Authentication: notes
      When I first prepared this presentation I was prepared to talk about an unexploited weakness of two-factor authentication, but in the four weeks since writing the talk (and delivering it to a test-audience of University of Washington students) a cybercriminal had already implemented and successfully deployed an attack program.
      It’s not a true “man-in-the-middle” exploit of two-factor authentication. Instead, the hacker manages to get a Trojan program installed on a gamer’s computer, and that program intercepts the security value intended to be used to authenticate the user, redirecting it to one owned by the hacker.
      What we need is two-channel authentication, for example, logging into both the game client and via a mobile phone to securely authenticate through two channels instead of just through two-factors.
    • 45. Other possible solutions: notes
      Stop designing exploitables and stop coding bugs?
      • Not possible!
      Legal solutions?
      • Blizzard was able to shut down BNetD (a battle.net clone) and WoW Glider (a game automation tool) but it isn’t an ideal solution. Not only is such a solution expensive as well as being ineffective outside of first-world countries, it’s also icky from an ethical perspective: the legal tools used to fight these cases – like the DMCA – have strengthened the rights of corporations at the expense of our rights as citizens.
    • Other possible solutions: notes
      Protect the game client using something like GameGuard or Warden?
      • Here are some examples of problems that have occurred in games that could potentially be defeated with client-side checking:
      World of Warcraft validated the altitude of the character on the game client; hackers could bypass that code to stand on tree branches, and fire spells down upon melee characters who couldn’t reach them.
      Aion validates the speed of animations, like running and sword-swinging, on the game client; by altering the animation speed values hackers could radically increase the rate of characters traveling around the world and the rate at which they can attack enemy mosters.
      • These hacks are great for griefers, PVP cheaters, and gold-farmers, so it’s obviously necessary to stop them! Let’s try executable packers, anti-debugging code, executable self-validation, in-memory checksums, process-monitoring, registry-reading, and rootkits!
      • Here are some examples of how hackers can perform a speed hack in games that check animation speed on the client:
      Alter the return value from the “GetAnimationSpeed” function in the game code (the actual speedhack exploit in Aion).
      Hack places in the game that use the results of GetAnimationSpeed.
      Hack the animation data files to alter the animation speed.
      Change the data-file loader so that speeds are altered when the animation data files are loaded into memory.
      Set a hardware breakpoint to modify registers that contain the animation speed before it is used.
      Run the cheat code inside a separate process and periodically alter process memory.
      Run the cheat code in a rootkit or inside the processor hypervisor to make it undetectable.
      Don’t allow the monitor code to scan for alterations; modify page table entries so that the monitoring code "sees" the original, unaltered code, but the processor reads the modified (hacked) code.
      • Well shoot, all those mechanisms are invasive of users’ privacy, lead to system crashes, create false positives when working with some keyboard/mouse drivers, drive virus detectors crazy, and aren’t even successful at stopping the problem. See, detecting hacking is asymmetric warfare: hackers can hack all they want, but developers have to figure out how to detect and then prevent the hacking. In the meantime hackers can come up with new methods!
    • Other possible solutions: notes
      Use an authoritative server!
      • The right approach to solving game hacks is to use an authoritative server. For example, if the server is aware of – and enforces – animation timing, then modifying values on the client system ultimately has no effect.
      • Note that in some cases you may decide that the extra effort is not required for the game you're making: e.g. games for young kids.
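      A minimal sketch of the authoritative-server idea above, added here as an illustration and not taken from the talk or from any shipped game: the server clamps movement and rejects attacks using its own clock, so altering animation speed on the client changes nothing. The class, the function names and the tuning constants are assumptions.

```python
from dataclasses import dataclass

# Assumed tuning values; a real game would load these from server-side data.
MAX_SPEED = 7.0        # world units per second
ATTACK_COOLDOWN = 1.5  # seconds between swings
TOLERANCE = 1.10       # jitter slack; also the upper bound on what a cheat can gain


@dataclass
class PlayerState:
    x: float
    y: float
    last_move_at: float                  # server clock, never a client timestamp
    last_attack_at: float = float("-inf")
    violations: int = 0


class AuthoritativeServer:
    """Hypothetical server core: clients request, the server decides."""

    def __init__(self):
        self.players = {}

    def spawn(self, pid, x, y, now):
        self.players[pid] = PlayerState(x, y, now)

    def handle_move(self, pid, x, y, now):
        """Return the position the server accepts for this move request."""
        p = self.players[pid]
        dx, dy = x - p.x, y - p.y
        dist = (dx * dx + dy * dy) ** 0.5
        allowed = MAX_SPEED * max(now - p.last_move_at, 0.0) * TOLERANCE
        if dist > allowed:
            # Too far for the elapsed server time: clamp along the same heading.
            p.violations += 1
            scale = allowed / dist
            x, y = p.x + dx * scale, p.y + dy * scale
        p.x, p.y, p.last_move_at = x, y, now
        return (p.x, p.y)

    def handle_attack(self, pid, now):
        """Accept a swing only if the server-side cooldown has elapsed."""
        p = self.players[pid]
        if now - p.last_attack_at < ATTACK_COOLDOWN:
            p.violations += 1
            return False
        p.last_attack_at = now
        return True
```

      The violation counter is the hook for the event logging discussed next: a client that keeps asking for impossible moves is worth a report line even though the requests had no effect.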
       
      Make systematic measurements of the game environment:
      • Your game should be instrumented with code that logs “interesting” events. These events can be used to measure the amount of time players participate in various activities, how successful they are at harvesting gold and other resources, how much progress they’re making through the game, and where the most rewarding (and most deadly) areas of the game are. Using this data it is possible to construct reports that evaluate the likelihood that a player is a gold farmer. Make sure that your game is measuring useful information, but not so much that it overwhelms your analytics system. Collecting too much data is just as bad as collecting too little. If your system is spending all its time logging sword-swings you won’t have enough bandwidth left over to analyze the data.
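      One way to turn logged events into a gold-farmer report, added here as an illustration (not code from the talk or from Guild Wars): only a few event kinds are aggregated, and players are ranked by a median-based outlier score on gold per hour. The event names, the sample data and the 3.5 threshold are assumptions.

```python
from collections import defaultdict
from statistics import median

# Assumed event kinds worth logging; per-swing combat events are deliberately excluded.
INTERESTING = {"session_hours", "gold", "quest_done"}

# Constructed sample events: (player, kind, amount).
EVENTS = [
    ("alice", "session_hours", 2.0), ("alice", "gold", 240), ("alice", "quest_done", 3),
    ("alice", "sword_swing", 1),  # high-volume noise, dropped at ingestion
    ("bob", "session_hours", 3.0), ("bob", "gold", 330), ("bob", "quest_done", 2),
    ("carol", "session_hours", 4.0), ("carol", "gold", 560), ("carol", "quest_done", 5),
    ("dave", "session_hours", 1.0), ("dave", "gold", 100), ("dave", "quest_done", 1),
    ("erin", "session_hours", 2.0), ("erin", "gold", 260), ("erin", "quest_done", 2),
    ("farm01", "session_hours", 20.0), ("farm01", "gold", 18000),
]


def aggregate(events):
    """Sum the interesting events per player; ignore everything else."""
    totals = defaultdict(lambda: dict.fromkeys(INTERESTING, 0))
    for player, kind, amount in events:
        if kind in INTERESTING:
            totals[player][kind] += amount
    return totals


def farmer_report(events, threshold=3.5):
    """Rank players by how far their gold/hour sits above the population median."""
    totals = aggregate(events)
    rates = {p: t["gold"] / t["session_hours"]
             for p, t in totals.items() if t["session_hours"] > 0}
    med = median(rates.values())
    # Median absolute deviation: robust to the very outliers we are hunting.
    mad = median(abs(r - med) for r in rates.values()) or 1.0
    rows = []
    for player, rate in rates.items():
        score = 0.6745 * (rate - med) / mad  # modified z-score
        rows.append({
            "player": player,
            "gold_per_hour": rate,
            "score": round(score, 2),
            # High income with no quest progress is the pattern worth a human look.
            "suspect": score > threshold and totals[player]["quest_done"] == 0,
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def suspects(events):
    return [r["player"] for r in farmer_report(events) if r["suspect"]]
```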
    • Other possible solutions: notes
      Prepare to correct bugs rapidly using rapid build iteration and deployment:
      • I spent approximately one year (spread out over the development cycle) working on the build server, build tools, file-packing tools, revision-control-system integration, delta-file-patching, file-servers, game-server loaders and other components associated with building and deploying Guild Wars, and other programmers contributed substantial efforts in building additional components (delta-compression libraries, art-processing tools, etc.). But this work enabled the GW dev team to correct a defect in the source code, initiate a build process, and have the build deployed to end users in roughly five minutes. We averaged approximately 20 builds per work-day over the almost four-year external alpha test cycle prior to the launch of the game. We got really practiced at writing and deploying code “live” to users. This enabled us to avoid “patch paralysis”, which prevents some teams from correcting defects: the team fixes a patch, puts it into a full test-cycle, then fixes another bug, restarts the test-cycle, etc. I’ve seen some patches take months to release due to this cycle.
      Be prepared to roll back your game database when you discover a serious exploit!
      • You must have regular, reliable reports about the state of the game world and its associated economy. These reports must be read on a regular basis; you can’t come in Monday morning and discover that it’s necessary to roll the game back to Friday night, as it will piss off your users!
      • If your operations team hasn’t practiced a rollback, the likelihood is that you won’t be able to roll back; your backup process is probably broken.
    • Other possible solutions: notes
      You must read security advisories for the software your company is using!
      • Curse.com was recently exploited because they were using out-of-date forum software that had a known (published) security advisory.
      • Some software is buggier than others (I’m looking at you, PHP); make sure that you stay current.
      Think about protecting players from common mistakes exploited by hackers!
      • Don’t allow the use of common passwords
      • Make sure that security questions actually provide some security
      • Protect user information diligently with good information-security policies, strong cryptography, and good operational practices.
    • Conclusion
      To ensure success you must prepare for failure: expect to be hacked
      Your security team needs to see into all areas of the business
      Security through obscurity is not security
      Defense in depth
      Continually monitor and improve game security; it’s never “done”
      Good luck!
      Developers vs. Cybercriminals is a case of co-evolution. As gazelles run faster, cheetahs adapt or die. We similarly have to expect that criminals will evolve their methods. And, as the German general von Moltke said, “no battle plan survives first contact with the enemy.”
    • 52. Questions?