Speakers: Roman Kazantsev, Maxim Vafin and Andrey Somsikov
Developing cheats for various online games has over time turned into a profitable business. Injected cheat code can be used to analyze memory data and gather statistics about players. Using examples from the game Unreal Tournament 4, the speakers describe methods of fighting this kind of cheating that are based on code obfuscation.
This document contains detailed information about the SRS (software requirements specification) of an Android game. It contains all the resources needed to develop a game SRS. The format of the document was given by Er. Pratik Adhikari, Software Engineering Course Lab Instructor and Class Teacher, ACEM, Nepal.
GDC Next 2013 - Synching Game States Across Multiple Devices, by David Geurts
Saving players' game states across multiple devices can be tricky, especially if you allow offline play. Many games make the user choose between states when play is detected on a different device. Users can easily make mistakes that erase hours of progress. While developing Tunnel Town, we hit upon an elegant solution that can help you deliver a more polished user experience without the hassle of complicated code. The average profitable lifetime of a mobile game is six months. Learn how to architect your servers so they can be reused for multiple projects with a simple approach that scales easily.
How to 2FA-enable Open Source Applications (Extended Session)
Presented at: Open Source 101 at Home 2020
Presented by: Mike Schwartz, Gluu
Abstract: Your organization loves open source tools like Wordpress, SuiteCRM, NextCloud, RocketChat, and OnlyOffice... but most of these tools are protected with plain old passwords. You want to use two-factor authentication... but how? In this workshop, you'll learn:
- Which 2FA technologies can be used without paying a license;
- How to enable users to enroll and delete 2FA credentials;
- How to configure open source applications to act as a federated relying party, delegating authentication to a central service
- How custom applications can act as a federated relying party
A game server holds the authoritative distribution of events in a multiplayer online game. The server transmits enough records about its inner state to permit its linked clients to hold their own accurate version of the game world for display to players. The server additionally receives each player's input. The main goal of this project is to create a role-play server that lets players customize almost anything in the game to their preferences, like shops, landmarks and vehicles, so as to make the environment more realistic. Subramanian PR | M Ganeshan, "Developing and Hosting Game Server on Cloud", published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5, Issue-4, June 2021, URL: https://www.ijtsrd.com/papers/ijtsrd42428.pdf Paper URL: https://www.ijtsrd.com/computer-science/other/42428/developing-and-hosting-game-server-on-cloud/subramanian-pr
Jon Noble. Jon will give a brief overview of why you should consider security as part of your CloudStack deployment, why your approach to security needs to be different than in a traditional environment, and also talk about some of the motives behind the attacks – why they attack you and what they do once they have compromised a system.
These are the slides from my "Active Defense - Helping threat actors hack themselves!" presentation at the 11th Annual Northern Kentucky University Cybersecurity Symposium on 10/12/2018.
Title: Active Defense - Helping threat actors hack themselves!
Abstract:
Have you ever received one of those data breach notification letters in the mail? The short-term amends provided for having your personal data compromised is typically in the form of free short-term credit monitoring services. An entire Information Security industry segment has sprung up around Data Loss Prevention (DLP) aimed at stopping confidential data from being "leaked" out of an organization's boundaries for unauthorized use. What if the data breach perpetrators got a healthy dose of their own medicine instead of your private data? We cannot "hack back" legally today, but perhaps we can lure these malicious threat actors into actually hacking themselves... This presentation covers "Active Defense" techniques designed to frustrate data bandits attempting to steal and exfiltrate our data.
The focus of this presentation is on actively defending a live public-facing website. We begin by covering methods to shield innocent users by protecting them from our active defenses. We take advantage of malicious visitors' impulse to evade all the rules by setting traps designed to ensnare those attempting to steal our data. The techniques covered involve faking accidental exposure and baiting traps using fictitious files and data too irresistible for cyber thieves to ignore. I then demonstrate deployable techniques used to fight back without launching a single attack.
These are the slides from my "Active Defense - Helping threat actors hack themselves!" presentation at the Ohio Information Security Forum (OISF) Anniversary Conference on 07/14/2018 in Dayton, Ohio.
Title: Active Defense - Helping threat actors hack themselves!
Abstract:
Have you ever received one of those data breach notification letters in the mail? The short-term amends provided for having your personal data compromised is typically in the form of free short-term credit monitoring services. An entire Information Security industry segment has sprung up around Data Loss Prevention (DLP) aimed at stopping confidential data from being "leaked" out of an organization's boundaries for unauthorized use. What if the data breach perpetrators got a healthy dose of their own medicine instead of your private data? We cannot "hack back" legally today, but perhaps we can lure these malicious threat actors into actually hacking themselves... This presentation covers "Active Defense" techniques designed to frustrate data bandits attempting to steal and exfiltrate our data.
The focus of this presentation is on actively defending a live public-facing website. We begin by covering methods to shield innocent users by protecting them from our active defenses. We take advantage of malicious visitors' impulse to evade all the rules by setting traps designed to ensnare those attempting to steal our data. The techniques covered involve faking accidental exposure and baiting traps using fictitious files and data too irresistible for cyber thieves to ignore. I then demonstrate deployable techniques used to fight back without launching a single attack.
Mobile binary code - Attack Tree and Mitigation, by Sunil Paudel
This paper shows that a mobile app's binary code is at risk: anyone can retrieve it using a free tool like apktool. In the paper, the authors present an attack tree for stealing the binary code of an Android app by reverse engineering it, and give mitigations as well. The paper also includes a demo in which the authors expose the binary code using apktool. For educational purposes only, the authors changed the icon of the app, rebuilt it using their own private key and installed it back on an Android phone.
Six Strategies for Protecting Mobile Games Against Hackers, Crackers, and Cop..., by AppSolid by SEWORKS
Our own original Gamasutra post: goo.gl/7HVCIQ
SEWORKS explains the six most common hacks that game developers encounter and presents the solution options available.
*AppSolid: One-stop complete binary protection solution
With the right skills, tools and software, you can protect yourself and remain secure. This session will take attendees from no knowledge of open source web security tools to a deep understanding of how to use them and their growing set of capabilities.
[DevDay2018] Securing the Web - By Sumanth Damarla, Tech Speaker at Mozilla, by DevDay.org
The talk includes the following:
– The importance of Web Security
– Discussing latest release of OWASP Top 10 2017 vulnerabilities
– Discussing available open source security tools such as OWASP ZAP, Vega Scanner, Open VAS, Nikto and Uniscan
– Live Demo
– Q&A
Over the years, password management software has evolved from a simple self-service web application to reset forgotten passwords to a complex platform for managing multiple authentication factors and encryption keys.
This document describes the technological evolution and highlights the product capabilities that organizations should consider in order to have a lasting value from their investment.
In part, this document questions the benefits of investing in point solutions with limited functionality and expansion capabilities, and argues in favor of investing in a platform capable of addressing both short- and long-term needs.
Sections:
- In the Beginning: A Simple Problem
- Proliferation of Passwords
- Locked-out Users, Mobile Users and Cached Passwords
- Multi-Factor Authentication: Smart Cards and Tokens
- Public Key Infrastructure and Encrypted Key Files
- Full Disk Encryption
- User Enrollment and Adoption
- Privileged Accounts and Passwords
- The Future
http://hitachi-id.com/
Looking for Vulnerable Code, by Vlad Savitsky
How to find vulnerable code in your Drupal project.
Different attacks and how to protect your site from them.
What to do if you find a security problem in your code or site.
These are the slides from my "Active Defense - Helping threat actors hack themselves!" presentation at the BSides Cleveland Information Security Conference on 06/23/2018 in Cleveland, Ohio.
Title: Active Defense - Helping threat actors hack themselves!
Abstract:
Have you ever received one of those data breach notification letters in the mail? The short-term amends provided for having your personal data compromised is typically in the form of free short-term credit monitoring services. An entire Information Security industry segment has sprung up around Data Loss Prevention (DLP) aimed at stopping confidential data from being "leaked" out of an organization's boundaries for unauthorized use. What if the data breach perpetrators got a healthy dose of their own medicine instead of your private data? We cannot "hack back" legally today, but perhaps we can lure these malicious threat actors into actually hacking themselves... This presentation covers "Active Defense" techniques designed to frustrate data bandits attempting to steal and exfiltrate our data.
The focus of this presentation is on actively defending a live public-facing website. We begin by covering methods to shield innocent users by protecting them from our active defenses. We take advantage of malicious visitors' impulse to evade all the rules by setting traps designed to ensnare those attempting to steal our data. The techniques covered involve faking accidental exposure and baiting traps using fictitious files and data too irresistible for cyber thieves to ignore. I then demonstrate deployable techniques used to fight back without launching a single attack.
Cloud gaming infrastructure in cloudretro.io, by Th Nguy?n H?u
CloudRetro is a web-based, open-source cloud gaming service. The slides go through its infrastructure and technology and explain how it can deliver the best gaming experience through cloud technology and streaming.
8 Most Popular Joomla Hacks & How To Avoid Them, by SiteGround.com
Slides from a SiteGround webinar by SiteGround Joomla Performance Guru, Daniel Kanchev. He reveals the 8 most common ways a Joomla website can get hacked and what you can do to protect yourself from each of those hacks.
Outdated Extensions & Themes
Vulnerable Extensions & Themes
Stolen or Weak Login Details
Outdated / Vulnerable Server Software
Incorrectly Configured Web Server
Vulnerable Joomla on a Host Server
Incorrect Joomla Permissions
Local PC Malware
Peak Prevention: Moving from Prevention to Resilience, by Daniel Miessler
We're all familiar with Peak Oil, a concept that says there's a limit to how much oil we can produce, after which point production must decline and new energy sources must be found.
This talk explores the concept of Peak Prevention. This is the idea that there is only so much prevention that can be applied when defending systems from attack, after which point other methods of risk reduction must be employed.
We'll explore the question of how close we are to Peak Prevention currently, and what other approaches to risk reduction may be available to us.
A tale of scale & speed: How the US Navy is enabling software delivery from l..., by sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATOs (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
The Art of the Pitch: WordPress Relationships and Sales, by Laura Byrne
Clients don't know what they don't know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients' needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips and strategies for successful relationship building that leads to closing the deal.
DevOps and Testing slides at DASA Connect, by Kari Kakkonen
Slides by me and Rik Marselis at the DASA Connect conference on 30.5.2024. We discuss what testing is, then what agile testing is, and finally what testing in DevOps is. Finally, we held a lovely workshop with the participants, trying to find different ways to think about quality and testing in different parts of the DevOps infinity loop.
Generative AI Deep Dive: Advancing from Proof of Concept to Production, by Aggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -..., by DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Securing your Kubernetes cluster: a step-by-step guide to success!, by KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Elevating Tactical DDD Patterns Through Object Calisthenics, by Dorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
PHP Frameworks: I want to break free (IPC Berlin 2024), by Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024, by Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview, including the concepts of Customer Key and Double Key Encryption.
5. Structure
• Normal, English sentences that are used to describe the entire scenario
• Each sentence contains placeholders for the various parts of the risk
Malicious competitor attacks the server-side and takes advantage of limited server-side bandwidth and uses DDoS to cause extreme lag that lets them win a match, resulting in frustrated users not playing the game anymore, which could have been avoided using DDoS protection.
7. Semantic Structure
Actor attacks Attack Surface and uses Exploit to take advantage of Vulnerability to try to achieve their Goal, resulting in Negative Outcome, which could have been avoided by Defense.
9. Ping + Teleport
1. Mess with your own connection
2. Server starts reporting your location sporadically
3. Allows you to pass through objects
4. BONUS: Avoid being attacked because you're like a ghost
Player attacks the network and takes advantage of throttling and uses connection degradation to cause extreme lag that lets them avoid harm, resulting in frustrated users not playing the game anymore, which could have been avoided using better code.
10. Moar Monsters
1. When logged in as an admin there are options to do lots of things, like call monsters
2. Players figure out they can execute admin commands as well (only the menu was missing)
3. They get in nasty PvP and call in tons of nasty mobs to crush enemies
Player attacks the server and takes advantage of client-side filters and uses hidden admin commands to cause in-game chaos that lets them survive PvP, resulting in frustrated users not playing the game anymore, which could have been avoided using server-side controls.
11. Midnight Store
1. Game bugs required the server to be restarted at midnight
2. If you were in the middle of a trade when the server went down, both players got both sides of the trade
Player attacks the game and takes advantage of logic bug and uses knowledge of bug to cause item duplication that lets them unfairly increase loot, resulting in less need to buy things, which could have been avoided using better code.
12. Marvel at my DC
1. Play a Star Wars game on Android
2. Go into Airplane Mode in the middle of the game
3. Run Android hack to automatically win
4. Reconnect, advance on the ladder
Player attacks the client and takes advantage of local hack and logic flaw and uses local hack to cause unfair ladder win that lets them, resulting in ladder chaos, which could have been avoided using better code.
13. Ooh Sparkly
1. Launching lots of graphics-intensive actions could cause frame rate drops
2. People load up on the most graphics-intensive combos and fire them off if they’re attacked
3. Nobody could kill them because they could run away while their game is lagging
Player attacks the client and takes advantage of resource constraints and uses knowledge of bug to cause unfair PvP advantage that lets them avoid death during PvP, resulting in angry players and fewer users, which could have been avoided using better code.
14. Pink Unicorns
1. Players find hidden coordinates in network stream data
2. They hack the client to show hidden items on the map
3. They find hidden players and items before everyone else
4. PK or dramatically improved farming
Player attacks the client and takes advantage of client-side filters and uses client modification to cause see hidden content that lets them PK and farm, resulting in frustrated users not playing the game anymore, which could have been avoided using client integrity validation.
15. Dishonorable Mentions
1. Convincing players to download a mod so we can “powerlevel you”.
2. Changing your username to look like a GM, and telling people to give you their items (for safe keeping).
3. Multiple buff stacking due to race conditions / logic flaws.
4. Death / looting issues that allow you to loot dead bodies and get their gear without the person losing the gear when they respawn.
5. Numerous DC logic flaws, where fighting, looting, purchasing is all broken when you DC your connection. As a developer, how would you handle it?
6. Powerleveling service takes your account for a day or so and you soon get a notification that you’ve been banned (they used you for money laundering).
7. …etc, etc.
17. Mobile Cover Clipping
1. Use of a skill (Mobile Cover) allows players to skip content
2. Skipping content allows faster farming rates of bosses
Player attacks the client and takes advantage of Game Mechanics and uses knowledge of bug to skip content that lets them farm items faster, resulting in angry players and fewer users, which could have been avoided using better code.
19. Instancing and Checkpoints
1. Players able to enter a different area (instance) to re-spawn bosses
Player attacks the client and takes advantage of Game Mechanics and uses knowledge of bug to skip content that lets them farm items faster, resulting in angry players and fewer users, which could have been avoided using better code.
21. Buff/Talent Stacking
1. Switching gear rapidly caused buffs or talents to “stack”, allowing talents to be used for one-shot kills, infinite money, headshots, etc.
Player attacks the client and takes advantage of Game Mechanics and uses knowledge of bug to Gain In-game Currency and Enhance Gear, resulting in angry players and fewer users, which could have been avoided using better code.
26. Future State
• Moar Bugz (crowdsourced)
• Continuous improvement of schema
• Additional ideas for improvement
27. Next Steps & Help
• If you know any game bugs, you can help out at this location: https://docs.google.com/spreadsheets/d/1Og08wyHsqtODBDkU_M2zHAvdxc63GSu-OmT8NjCc9Ak/edit#gid=0
• We also just started a Slack channel, in case you don’t already have enough of those.
28. Thanks & Contact
• Jason Haddix, Bugcrowd, @jhaddix
• Daniel Miessler, IOActive, @danielmiessler
https://www.owasp.org/index.php/OWASP_Game_Security_Framework_Project