Gaming and Culture

April 23, 2009 4:39 PM PDT

Hacking online games a widespread problem

by Daniel Terdiman

SAN FRANCISCO--It will likely come as no surprise to anyone familiar with virtual worlds and online games that they can be hacked. But what might come as a shock is the sheer breadth of types of exploits that are possible.

That was the broad message of a Thursday panel called, appropriately, "Exploiting Online Games" at the RSA 2009 security conference here.

Moderated by Gary McGraw, CTO of software security consulting firm Cigital and an author of several books, the panel took the audience on a deep dive into the diverse ways that hackers and others have figured out to either skim real money or to gain game play advantages not available to normal players.

McGraw opened the panel with a brief explanation of the fact that there are real, functioning economies in virtual worlds and online games, and that players cash in their virtual goods for real money, to the tune of more than $1 billion a year. This, of course, is old news to those in game playing circles, but for many of the security experts in the room, it may well have been eye-opening.

And, McGraw said, it's the very fact that real money is at stake that often gets otherwise uninterested game players to pay attention to the security risks they face every day.

"There's a whole bunch of normals (those not steeped in knowledge about computers) using games, and they don't care about security," McGraw said. "But they like their stuff, (and) when their stuff gets taken, that really hurts the hell out of them. That's a way to start a conversation about computer security with normals, because almost everybody knows somebody who plays online games."

The first panelist to present was Greg Hoglund, the founder of Rootkit.com and the CEO of the consulting firm, HBGary. He explained that online games are regularly under attack by two discrete types of cheats: exploits--actual bugs in games that clever hackers have figured out how to mine in various ways, and bots, which are essentially automated macros that can be used to perform mundane tasks again and again and again, and very profitably.

The bugs, Hoglund said, often exist "at the borders of systems," and are used for things such as duplicating gold, or leveraging poor synchronization between back-end databases to extract money out of a game economy or even to gain teleportation powers that otherwise don't exist.

Hoglund also recalled a security expert who figured out a hack that allowed him not only to filch Second Life users' virtual currency--which is directly convertible to US dollars--but also to get ahold of users' credit card information and then use it to buy more of the currency to trade in. That exploit, Hoglund explained, was done only to prove that it could be done, but it underlined some of the significant risks facing players of online games and virtual worlds with functioning economies, as well as the publishers of those titles.

He also talked about bots, and explained that they, too, are often employed to gain an advantage most players don't have. They are almost universally prohibited, but Hoglund said creating them and using them is remarkably easy for those who know what they're doing. And he talked about one he had written to use in World of Warcraft that allowed his character to stay safe from attack from the rear, while also luring in loot-bearing enemies to kill. Once killed, the enemies would be regenerated by the bot, allowing Hoglund's character to kill them and pick off all their loot over and over again, a process that netted him significant profit, he hinted.

Similarly, he explained that games like World of Warcraft have vulnerabilities that allow savvy hackers to tap into the games' code, allowing for all kinds of new abilities, like being able to perform 15 charms at once, not available to the public at large.

Hoglund said companies like WoW publisher Blizzard are always actively trying to stop players from employing bots and ban those they catch, but added that for those who know what they're doing, detection is not something to worry about. And that, of course, is one of the explanations behind the so-called gold "farmers," often teams working in third-world countries whose job it is to run multiple accounts simultaneously, usually employing bots to perform gold-earning tasks and essentially just making sure that their in-game characters don't get "lodged in a tree."

Courts weigh in
Next up was Sean Kane, a partner with the New York law firm of Drakeford & Kane, and a leading voice on issues surrounding the law and virtual worlds.

Kane talked about two specific cases, one that is several years old and one that is much more recent.

The older case, Bragg v. Linden Research, focused on whether Linden, the publisher of the virtual world Second Life, was right to shut down the account of a user who had discovered an exploit allowing him to buy virtual land at below-market prices. Marc Bragg, the plaintiff, demanded $8,000 in restitution and eventually won a settlement from Linden in which his account was reinstated. But that only happened, Kane pointed out, after a federal judge ruled that the arbitration clause in the Second Life terms of service was onerous and one-sided.

At the time, the entire virtual world community had been watching the case closely, as many thought it would be the case that, for the first time, established the real-world value of virtual goods (despite the fact that Bragg, himself a lawyer, had filed his suit in state court with a hand-written form). However, the settlement, which came not long after the federal judge's ruling, side-stepped that outcome.

But what many found interesting at the time was that Bragg had argued his hack was fair game, since all he did was exploit a feature hidden in the Second Life code. In effect, Bragg argued, code is law, and anything that players can do with the tools at their disposal is legitimate. Linden obviously disagreed, but ended up settling anyway.

Kane also focused on another case, MDY Industries v. Blizzard, in which MDY had created a bot, called Glider, that allowed players to level-up their characters without even having to be playing.

Blizzard sued for copyright infringement, arguing that bots like Glider were prohibited under its end-user license agreement (EULA) and that only that license actually allowed players to run WoW. In essence, the argument said that by running WoW under circumstances that violated the EULA, Glider was supporting copyright infringement.

Ultimately, though many argued that Blizzard's argument was beyond specious, the courts ruled in favor of the publisher, awarding it $6 million. But, not surprisingly, the outcome is on appeal.

Hacking Disney
Aaron Portnoy, a researcher with Tippingpoint security research, took the microphone next and talked briefly about his experiences hacking the Python code of the Disney online game, Pirates of the Caribbean. He explained that because Python is a dynamic language, he and a colleague had needed just a couple of days to reverse-engineer all of the game's code, and were able to use their exploit to get their in-game characters to do things that were otherwise impossible.

During a panel on exploiting online games, Tippingpoint's Aaron Portnoy talked about how he and a colleague discovered that Disney's online game Pirates of the Caribbean was written in Python, a language that allowed them to reverse-engineer the game's code in just two days. The result was that Portnoy's character was able to fly high in the sky, whereas everyone else in the game was limited to jumps of just four feet high.

(Credit: Daniel Terdiman/CNET Networks)

For example, Portnoy said, he was able to easily get his character to jump high in the air, while the standard maximum jump was just about four feet. Or, to jump out of a pirate ship, walk on water at a speed faster than sailing ships in the game could travel, and attack at will.

"Everybody could see my guy jumping over buildings for miles," Portnoy said.

And, given how easy he and his colleague found it to reverse-engineer the code, Portnoy said, "It's almost like (Disney) didn't even consider security."

Gaming the games
Last up was Avi Rubin, a professor of computer science at Johns Hopkins. He talked, also relatively briefly, about how easy it is for some cheaters to exploit the game of online poker.

Essentially, Rubin argued, a hack called a Sybil attack--which employs fake people participating in games--makes it possible for online poker players to gain a big advantage over their opponents. That works, he said, by making it possible for a single player to control multiple hands in a game, allowing that person to see more cards than they would otherwise, and get a better handle on the odds of their own hand.

For example, he said, in a game of Texas Hold'em, a player employing a Sybil attack on an online poker game could control multiple hands and see things like whether the fives or eights they need to complete a full house and beat an opposing player's flush had already been played.

Rubin's point, then, was that game operators need to work harder at identity management, in order to keep players from employing such exploits. He didn't, however, offer any solutions as to how to do that.
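Rubin's identity-management point can be made concrete with a table-level check. This is an added example, not something presented on the panel or taken from any poker operator: it links accounts seated at the same table that share a logged attribute, following links transitively. The field names, the sample seats and the choice of signals are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data. The linkage fields are assumptions about what an
# operator might log at account creation and login; none come from the article.
FIELDS = ("table", "account", "device_id", "payment_hash", "ip")
_ROWS = [
    ("T1", "alice", "dev-01", "pay-aa", "198.51.100.7"),
    ("T1", "bob",   "dev-02", "pay-bb", "198.51.100.8"),
    ("T1", "carol", "dev-03", "pay-aa", "198.51.100.9"),   # same card as alice
    ("T1", "dave",  "dev-03", "pay-dd", "198.51.100.10"),  # same device as carol
    ("T2", "erin",  "dev-05", "pay-ee", "203.0.113.20"),
    ("T2", "frank", "dev-06", "pay-ff", "203.0.113.20"),   # shares only an IP
    ("T2", "grace", "dev-03", "pay-gg", "203.0.113.21"),   # linked to T1, not T2
]
SEATS = [dict(zip(FIELDS, row)) for row in _ROWS]

ALL_FIELDS = ("device_id", "payment_hash", "ip")
# A shared IP is a weak signal (households, cafes, carrier NAT), so a stricter
# policy can leave it out to reduce false positives.
STRONG_FIELDS = ("device_id", "payment_hash")


def _find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def linked_clusters(seats, link_fields=ALL_FIELDS):
    """Return groups of 2+ accounts that share any linkage value, transitively."""
    parent = {s["account"]: s["account"] for s in seats}
    first_seen = {}  # (field, value) -> first account seen with that value
    for s in seats:
        for field in link_fields:
            value = s.get(field)
            if not value:
                continue  # a missing attribute links nothing
            key = (field, value)
            if key in first_seen:
                a = _find(parent, s["account"])
                b = _find(parent, first_seen[key])
                parent[a] = b
            else:
                first_seen[key] = s["account"]
    groups = defaultdict(set)
    for account in parent:
        groups[_find(parent, account)].add(account)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def flag_tables(seats, link_fields=ALL_FIELDS):
    """Map table id -> clusters of linked accounts seated together there."""
    by_table = defaultdict(list)
    for s in seats:
        by_table[s["table"]].append(s)
    flagged = {}
    for table, rows in by_table.items():
        clusters = linked_clusters(rows, link_fields)
        if clusters:
            flagged[table] = clusters
    return flagged


if __name__ == "__main__":
    print("all signals:   ", flag_tables(SEATS))
    print("strong signals:", flag_tables(SEATS, STRONG_FIELDS))
```

A flagged table is a lead for review rather than proof of a single controller, and the check only sees links that the logged attributes expose.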

All told, the panelists made it clear that just about any kind of online game or virtual world--especially those where money is on the line--is subject to some kind of hack or exploit, and that for those with the skills to launch such attacks, the barriers stopping them are easily surmountable.

The lesson, then, is that publishers of such games need to think harder about how to manage their players' actions and expectations. Otherwise, players may find themselves in games that are so compromised that the economies collapse and the fun disappears.

April 21, 2009 9:01 PM PDT

Second Life cracks whip on adult content

by Caroline McCarthy

Virtual world Second Life has put in effect some new measures to keep adult content away from users who might not want to run into it. Or fly into it, as avatars might do.

Later this year, parent company Linden Lab will create a standalone "continent" for adult content, and members who don't purchase private "land" will be asked to migrate there if they wish to partake in adult-related activities. Second Life is an 18+ environment already, but stricter age verification policies will be put in place. You'll need a "verified" account, either through credit card information or through Linden Lab's filtering system, to get into the adult "continent."

Members will be asked to start flagging content as adults-only as part of a new content rating system, which will start to roll out in an update to the downloadable Second Life client that will be available next week.

"The people that are on our mainland and in our estate, if they are going to engage with adult content, are being asked to do that in the adult content area," said Cyn Skyberg, vice president of customer relations at Linden Lab. "Private land owners will be asked to tag their searches for adult-related listings so that it goes into the adult filter."

So what does this mean for Second Life, which was briefly a marketers' paradise before swiftly falling from grace in the Silicon Valley pecking order? Well, it'll help make it a friendlier environment for some of the new "residents" whom Linden Lab hopes to woo. The company is profitable, due in large part to the sheer volume of virtual goods and transactions made on the platform by loyal users, and Linden Lab sees corporate and academic institutions as an area for future growth. Keeping porn in its place could be good for P.R.

"A portion of this will be perceived as definitely being more corporate- and educator-friendly because you'll have more control over the things you're experiencing," Skyberg said.

Originally posted at The Social
April 10, 2009 3:37 PM PDT

Second Life strives for a second wind

by Caroline McCarthy

Updated at 6:15 p.m. PDT with correct list of companies that have signed on to test the software.

After it made headlines last week for yet another executive leaving the company, you'd really think things couldn't get much worse for virtual world Second Life and its parent company Linden Lab.

The marketing hype--it's the next Internet!--bottomed out long ago. There was a wave of unflattering press, from virtual terrorism to technical problems to banking scandals. Even the NBC sitcom "The Office" jumped on board, lambasting Second Life with an episode in which Dwight Schrute, the show's archetypal "creepy nerd," professed his addiction.

"I signed up for Second Life about a year ago," Schrute, played by actor Rainn Wilson, explained with his usual dweeby pomposity. "Back then, my life was so great that I literally wanted a second one."

Riding a flying Segway in Second Life.

(Credit: Linden Lab/Screenshot by Caroline McCarthy)

This month's departure of Ginsu Yoon, vice president of corporate development, follows the exits of high-profile executives like chief technology officer Cory Ondrejka and eventually founder and CEO Philip Rosedale. In a post on the Linden Lab blog, Yoon called it "a graduation of sorts for the company and for me...great companies evolve their management around the reality that experienced executives enjoy different stages of company development."

Sunny spin, sure. But this might be one instance where a major executive shake-up could actually be a positive sign.

True to its reputation as a haven for utopian dreamers, Second Life's original executive team wasn't entirely in touch with the business side of things. "I describe it as sort of like being in a Berkeley commune and if the kitchen catches on fire you have to take a vote before you put it out," said Wagner James Au, author of "The Making of Second Life: Notes from the New World," who was employed as a contractor at Linden Lab in 2006.

Philip Rosedale's replacement, announced just over a year ago, was digital-strategies veteran Mark Kingdon. Critics took this as a move that Linden Lab meant business, and the sands shifted internally as well.

"It's got less of that start-up feel," Au said of Linden Lab, which now employs more than 300 people. "The big shift in corporate culture happened after Philip left, and after he stepped down as CEO and then took a chairman role."

Linden Lab representatives do not disclose financials, but they say that Second Life is profitable. Mark Kingdon explained in an interview with CNET News that he estimates user-to-user monetary transactions in Second Life may hit $450 million in 2009, up from $350 million. "(Revenue) comes from land maintenance fees, fees from the 'Lindex,' which is where people trade our micropayment currency, and also from the sales of Linden Dollars themselves," Kingdon said, "and some other sources like in-world advertising and e-commerce, where we recently made a couple of acquisitions."

Herein lies the heart of the matter. Second Life might have earned a reputation as a nexus of odd subcultures, but its primary sources of revenue--a virtual currency, micropayments, an array of virtual goods--fit right into the social Web's business model du jour. Facebook, for example, has been ramping up the focus on its virtual gift application, and is testing a new product in which members can purchase credits simply as street-cred points that they can dole out to their friends.

The system is there in Second Life, and in spite of what the media has concluded, it seems to be alive and humming, even if it's still relying on virtual-world enthusiasts rather than blue-chip marketers. More importantly, what Linden Lab seems to finally be recognizing is that Second Life needs some permanent institutions before it can hope for an influx of people.

Corporate participation is key
The burgeoning space known as "Enterprise 2.0" may turn out to be Second Life's real cash cow. While many marketing campaigns that went into the virtual world have since pulled out or lie fallow, IBM, which has had a presence in Second Life since late 2006, hasn't given up. There are more than 50 IBM regions, or "sims," in Second Life now, including sales and marketing centers, and IBM has been working with Linden Lab to develop and test a behind-the-firewall environment for workplace collaboration and training. Intel, Northrop Grumman, and the U.S. Naval Undersea Warfare Center have also signed on to test the software.

"Businesses are finding great value in collaborative tools and virtual learning, and I think it's going to be an incredibly powerful platform," Kingdon said. Having a more business-savvy executive team--which recently added veterans of Adobe, Pixar, and Intuit to its ranks--is key.

The corporate participation is crucial because you can't just throw individuals into Second Life the way you can into a social network or a role-playing game that has clear aims and instructions.

"It's like trying to learn World of Warcraft and Photoshop at the same time," Wagner James Au said, adding that Second Life's once crash-prone software is "slowly getting better" as new development goes on. "You go in and there's generally a bizarre menagerie of creatures, and it's just kind of overwhelming for people and there's not any specific goal. That's kind of the whole design of Second Life: you want this free-form world where you can do anything. But it's sort of that paralysis of choice that economists talk about. When you have way too many choices, a lot of people just kind of get frozen."

Au, who continues to keep close tabs on Second Life at the blog New World Notes, estimates its current active user count to be 650,000, and said that it's finally starting to grow again after a period of stagnation. Over half of its users are now outside the U.S.

"We had really terrific active user growth that started nicely in the middle of last year," CEO Mark Kingdon said. "In the last week of March, users spent more than ten million hours in Second Life, and that's up from six and a half million in the same week a year ago."

The organized groups slowly gravitating toward Second Life as a platform aren't restricted to companies, though. "There's a mini-MMO within Second Life called Bloodlines that's like a vampire role-playing game. It's got, like, 40 to 60,000 users in it," Au said. "It's gotten complaints, because to advance as a vampire you have to infect other people so they've been showing up in (virtual) shopping malls and fashion shows and started biting people."

Dwight Schrute had better watch his back--or neck.

Originally posted at The Social
October 24, 2008 8:42 AM PDT

Linden Lab CEO: No credit crunch in 'Second Life'

by Tim Ferguson

Q&A: Mark Kingdon became Linden Lab CEO in May, when founder Philip Rosedale stepped aside to take a more active role in developing Second Life.

The hype surrounding virtual worlds a year ago appears to have died down in recent months, but when Silicon.com caught up with him, Kingdon was keen to point out that there's still life in Second Life.

Mark Kingdon's Second Life avatar

(Credit: Linden Lab)

Q: What's happened to the hype?
Kingdon: It would be a huge mistake to assume hype and success are interchangeable. Hype is born from anticipation, intrigue, and excitement, and as such, it naturally settles down as any product matures. Take the iPod or the Nintendo Wii as examples.

Second Life, which launched with real fanfare, has now cemented its place as a significant part of popular culture. Sure, the hype has died down a bit, but I'd gladly trade short-term hype for the continued long-term success we're seeing.

I joined Linden Lab three months ago as CEO for the reason that it's a company only now starting to realize its full potential.

Q: Has Second Life use leveled out?
Kingdon: Use of Second Life is nowhere near leveling out. In the last month, the Lindex currency exchange saw record-breaking levels of trade in Linden Dollars, hitting 120 million Linden Dollars on just one day in August alone. There's no credit crunch in Second Life!

We are also seeing a wide variety of use cases on the (Second Life) grid and a far greater level of resident engagement. All the signs are good.

Q: Are businesses still investing in Second Life?
Kingdon: Businesses are investing in Second Life real estate and engaging with the Second Life grid more than ever before. Check out what the BBC, BT, Cisco, Diageo, IBM, KPMG, Orange, Unilever, and Vodafone are doing.

Q: What are they using it for?
Kingdon: What I would say is that there has been a real shift in use by businesses. Initially, many businesses saw it as a shop window or a billboard. It was all about the eyeballs. The thinking went, if you've got over 14 million registered residents, it made sense to get your brand in front of those people.

But now businesses are looking to engage, not just display. So we see recruitment fairs taking place, product demonstrations, and companies using Second Life for in-world meetings, training sessions, and collaboration.

We're also seeing real public-sector interest, with universities really buying into the potential to get students meeting, collaborating, and communicating in-world.

Organizations are now really starting to see the full potential of virtual worlds like Second Life.

Q: What are the big trends emerging in virtual worlds?
Kingdon: There is a major move away from simply "being there" to making that presence a very real and strategic part of the business.

When the Internet came along, a lot of businesses realized they needed to have a Web site. But for many, it was a few years before they really started to wonder about what they should actually be doing with it.

The timescales with Second Life are dramatically shorter, but we are still only now seeing for ourselves just how big this could be. Take the example of universities. They can not only hold lectures and seminars in-world, but they can also create fully interactive, immersive environments where students can communicate with tutors and professors, and explore virtual-learning tools.

Businesses, meanwhile, are using Second Life to get closer to their customers but also to staff. Everything from internal meetings to product showcases to the development of prototype models is happening right now in-world. In the last few weeks, I've even heard about movie studios creating sets in-world to plan scenes and logistics before building on a real-life sound stage.

Businesses are now really exercising the full scope of their creativity, and the great thing about this is that the only limit is their own imagination and ambition. That is the great benefit of the Second Life grid. It's a blank canvas of almost infinite potential.

Q: What challenges does Second Life face?
Kingdon: Linden Lab faces the same challenges as any other business: retaining and attracting quality staff and customers or users, staying true to our core values, staying ahead of the competition, and making enough money to stay in business and reinvest in the business.

It's a mistake to ever think your business isn't ruled by those common requirements. We've all seen online businesses, for example, that never satisfied the last requirement in that list.

Q: What do you think the future holds for Second Life and virtual worlds in general?
Kingdon: Linden Lab and Second Life are really at the cutting edge of the virtual-world phenomenon, and much of the innovation in-world is driven by residents.

That innovation will continue to ramp up, engagement will increase, and Second Life will increasingly become a strategic part of an organization's IT use and online presence.

To be honest, I can't think of a time I've been in-world and haven't been blown away by what residents are doing on the Second Life grid. That is the real power of the model, and that is the reason why it would be really easy to underestimate just what can be achieved in one year, five years, or 10 years. But it should be great fun finding out.

Tim Ferguson of Silicon.com reported from London.
