SAN FRANCISCO--It will likely come as no surprise to anyone familiar with virtual worlds and online games that they can be hacked. But what might come as a shock is the sheer breadth of types of exploits that are possible.
That was the broad message of a Thursday panel called, appropriately, "Exploiting Online Games" at the RSA 2009 security conference here.
Moderated by Gary McGraw, CTO of software security consulting firm Cigital and an author of several books, the panel took the audience on a deep dive into the diverse ways that hackers and others have figured out to either skim real money or to gain game play advantages not available to normal players.
McGraw opened the panel with a brief explanation of the fact that there are real, functioning economies in virtual worlds and online games, and that players cash in their virtual goods for real money, to the tune of more than $1 billion a year. This, of course, is old news to those in game playing circles, but for many of the security experts in the room, it may well have been eye-opening.
And, McGraw said, it's the very fact that real money is at stake that often gets otherwise uninterested game players to pay attention to the security risks they face every day.
"There's a whole bunch of normals (those not steeped in knowledge about computers) using games, and they don't care about security," McGraw said. "But they like their stuff, (and) when their stuff gets taken, that really hurts the hell out of them. That's a way to start a conversation about computer security with normals, because almost everybody knows somebody who plays online games."
The first panelist to present was Greg Hoglund, the founder of Rootkit.com and the CEO of the consulting firm HBGary. He explained that online games are regularly under attack by two distinct types of cheats: exploits--actual bugs in games that clever hackers have figured out how to mine in various ways--and bots, which are essentially automated macros that can be used to perform mundane tasks again and again and again, and very profitably.
The bugs, Hoglund said, often exist "at the borders of systems," and are used for things such as duplicating gold, or leveraging poor synchronization between back-end databases to extract money out of a game economy or even to gain teleportation powers that otherwise don't exist.
Hoglund also recalled a security expert who figured out a hack that allowed him not only to filch Second Life users' virtual currency--which is directly convertible to US dollars--but also to get hold of users' credit card information and then use it to buy more of the currency to trade in. That exploit, Hoglund explained, was done only to prove that it could be done, but it underlined some of the significant risks facing players of online games and virtual worlds with functioning economies, as well as the publishers of those titles.
He also talked about bots, and explained that they, too, are often employed to gain an advantage most players don't have. They are almost universally prohibited, but Hoglund said creating them and using them is remarkably easy for those who know what they're doing. And he talked about one he had written to use in World of Warcraft that allowed his character to stay safe from attack from the rear, while also luring in loot-bearing enemies to kill. Once killed, the enemies would be regenerated by the bot, allowing Hoglund's character to kill them and pick off all their loot over and over again, a process that netted him significant profit, he hinted.
Similarly, he explained that games like World of Warcraft have vulnerabilities that allow savvy hackers to tap into the games' code, allowing for all kinds of new abilities, like being able to perform 15 charms at once, not available to the public at large.
Hoglund said companies like WoW publisher Blizzard are always actively trying to stop players from employing bots and ban those they catch, but added that for those who know what they're doing, detection is not something to worry about. And that, of course, is one of the explanations behind the so-called gold "farmers," often teams working in third-world countries whose job it is to run multiple accounts simultaneously, usually employing bots to perform gold-earning tasks and essentially just making sure that their in-game characters don't get "lodged in a tree."
Courts weigh in
Next up was Sean Kane, a partner with the New York law firm of Drakeford & Kane, and a leading voice on issues surrounding the law and virtual worlds.
Kane talked about two specific cases, one that is several years old and one that is much more recent.
The older case, Bragg v. Linden Research, focused on whether Linden, the publisher of the virtual world Second Life, was right to shut down the account of a user who had discovered an exploit allowing him to buy virtual land at below-market prices. Mark Bragg, the plaintiff, demanded $8,000 in restitution and eventually won a settlement from Linden in which his account was reinstated. But that only happened, Kane pointed out, after a federal judge ruled that the arbitration clause in the Second Life terms of service was onerous and one-sided.
At the time, the entire virtual world community had been watching the case closely, as many thought it would be the case that, for the first time, established the real-world value of virtual goods (and this despite the fact that Bragg, himself a lawyer, had filed his suit in state court with a hand-written form). However, the settlement, reached not long after the federal judge's ruling, side-stepped that outcome.
But what many found interesting at the time was that Bragg had argued his hack was fair game, since all he did was exploit a feature hidden in the Second Life code. In effect, Bragg argued, code is law, and anything that players can do with the tools at their disposal is legitimate. Linden obviously disagreed, but ended up settling anyway.
Kane also focused on another case, MDY Industries v. Blizzard, in which MDY had created a bot, called Glider, that allowed players to level-up their characters without even having to be playing.
Blizzard sued for copyright infringement, arguing that bots like Glider were prohibited under its end-user license agreement (EULA) and that only that license actually allowed players to run WoW. In essence, the argument said that by running WoW under circumstances that violated the EULA, Glider was supporting copyright infringement.
Ultimately, though many argued that Blizzard's argument was beyond specious, the courts ruled in favor of the publisher, awarding it $6 million. But, not surprisingly, the outcome is on appeal.
Hacking Disney
Aaron Portnoy, a researcher with Tippingpoint security research, took the microphone next and talked briefly about his experiences hacking the Python code of the Disney online game, Pirates of the Caribbean. He explained that because Python is a dynamic language, he and a colleague had needed just a couple of days to reverse-engineer all of the game's code, and were able to use their exploit to get their in-game characters to do things that were otherwise impossible.
During a panel on exploiting online games, Tippingpoint's Aaron Portnoy talked about how he and a colleague discovered that Disney's online game Pirates of the Caribbean was written in Python, a language that allowed them to reverse-engineer the game's code in just two days. The result was that Portnoy's character was able to fly high in the sky, whereas everyone else in the game was limited to jumps of just four feet high.
(Credit: Daniel Terdiman/CNET Networks)
For example, Portnoy said, he was able to easily get his character to jump high in the air, while the standard maximum jump was just about four feet. Or, to jump out of a pirate ship, walk on water at a speed faster than sailing ships in the game could travel, and attack at will.
"Everybody could see my guy jumping over buildings for miles," Portnoy said.
And, given how easy he and his colleague found it to reverse-engineer the code, Portnoy said, "It's almost like (Disney) didn't even consider security."
Gaming the games
Last up was Avi Rubin, a professor of computer science at Johns Hopkins. He talked, also relatively briefly, about how easy it is for some cheaters to exploit the game of online poker.
Essentially, Rubin argued, a hack called a Sybil attack--which employs fake people participating in games--makes it possible for online poker players to gain a big advantage over their opponents. That works, he said, by making it possible for a single player to control multiple hands in a game, allowing that person to see more cards than they would otherwise, and get a better handle on the odds of their own hand.
For example, he said, in a game of Texas Hold'em, a player employing a Sybil attack on an online poker game could control multiple hands and see things like whether the fives or eights they need to complete a full house and beat an opposing player's flush had already been played.
Rubin's point, then, was that game operators need to work harder at identity management, in order to keep players from employing such exploits. He didn't, however, offer any solutions as to how to do that.
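The identity-management check Rubin called for, as an added example that is not from the panel or any poker operator: it links seats at one table that share an observable identity signal (assumed here to be login IP and device fingerprint), and then counts how many hole cards a controller of that linked group sees, including how many of the "fives or eights" outs are already dead from the group's point of view. All seat records, accounts, IPs and fingerprints are constructed.

```python
from collections import defaultdict

# Constructed seat records for one hand at one table (not real data).
# Each seat carries the identity signals an operator can observe at login.
SEATS = [
    {"seat": 1, "account": "alice", "ip": "198.51.100.10", "device": "fp-A1", "hole": ["5h", "5d"]},
    {"seat": 2, "account": "bob",   "ip": "203.0.113.7",   "device": "fp-B2", "hole": ["Ks", "Qs"]},
    {"seat": 3, "account": "carol", "ip": "198.51.100.10", "device": "fp-C3", "hole": ["8c", "2d"]},
    {"seat": 4, "account": "dave",  "ip": "192.0.2.44",    "device": "fp-C3", "hole": ["8s", "Jh"]},
    {"seat": 5, "account": "erin",  "ip": "192.0.2.99",    "device": "fp-E5", "hole": ["Ah", "Ad"]},
]


def sybil_groups(seats, signals=("ip", "device")):
    """Group seats linked, directly or transitively, by a shared identity signal.

    Seats 1 and 3 share an IP and seats 3 and 4 share a device, so all three
    end up in one candidate Sybil set.  Returns sorted groups of size >= 2.
    """
    parent = {s["seat"]: s["seat"] for s in seats}

    def find(x):  # union-find with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    by_signal = defaultdict(list)
    for s in seats:
        for sig in signals:
            by_signal[(sig, s[sig])].append(s["seat"])
    for members in by_signal.values():
        for a, b in zip(members, members[1:]):
            parent[find(a)] = find(b)

    groups = defaultdict(list)
    for s in seats:
        groups[find(s["seat"])].append(s["seat"])
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def cards_seen(seats, group):
    """All hole cards visible to whoever controls every seat in `group`."""
    return sorted(c for s in seats if s["seat"] in group for c in s["hole"])


def live_rank_count(seats, group, rank, board=()):
    """How many cards of `rank` the group's controller still believes are live.

    An honest player at seat 1 holding 5h 5d sees two eights as live out of
    four; the controller of seats 1, 3 and 4 knows only two remain.
    """
    seen = cards_seen(seats, group) + list(board)
    return 4 - sum(1 for c in seen if c[0] == rank)


if __name__ == "__main__":
    for g in sybil_groups(SEATS):
        print("linked seats", g, "see", cards_seen(SEATS, g))
```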
All told, the panelists made it clear that just about any kind of online game or virtual world--especially those where money is on the line--is subject to some kind of hack or exploit, and that for those with the skills to launch such attacks, the barriers stopping them are easily surmountable.
The lesson, then, is that publishers of such games need to think harder about how to manage their players' actions and expectations. Otherwise, players may find themselves in games that are so compromised that the economies collapse and the fun disappears.
The number of iPhone users downloading mobile games to their devices jumped 14 percent in November, putting them in the lead of all mobile-phone game downloaders in the U.S. that month, according to a ComScore report released Friday.
The figures, based on a year-over-year comparison of three-month averages, showed that game downloads in November rose 17 percent overall to 8.5 million.
(Credit: ComScore)
Although mobile subscribers are increasingly putting their phones to work to download games, only 3.8 percent of all U.S. mobile phone users took the time to download a game in November, according to ComScore.
However, a significantly higher percentage of all iPhone users, 32.4 percent, downloaded a game that month, according to the report.
Mark Donovan, a ComScore senior analyst, said in a statement:
The rapid growth in smartphone adoption in the United States has provided a boost for mobile gaming, as 34 percent of those downloading a game in November did so using a smartphone.
Last year, not one smartphone appeared in the top 10 devices used for mobile downloads. This year, six out of 10 are smartphones, excluding devices with smartphone-like functionality, such as the Instinct and Voyager, which also make appearances.
Updated 8:02 a.m. PST with more information about EA's decision to increase the size of its layoffs and with Friday's share price performance.
Game publishing giant Electronic Arts announced Friday that it is expanding the scope of its previously announced layoffs and will cut 10 percent of its workforce, as well as close nine studios and publishing operations and reduce its product lines.
The bulk of the now approximately 1,000 layoffs are expected to be completed by March 31, with the company hoping to save $120 million in annual costs.
In late October, EA had said it would be cutting 6 percent of its workforce, but it boosted that figure as its outlook for 2009 grew bleaker.
EA is also slimming down its product line, as it focuses on its more profitable hit games. That said, however, the company noted it will continue to invest in new games, as well as games for mobile devices and online play.
As part of the restructuring, EA also plans to close its Black Box Studio in Vancouver, British Columbia, and move the development teams and related game franchises to its studio in Burnaby, British Columbia. In total, the company plans to close or consolidate at least nine studio and publishing locations.
EA expects to take a restructuring charge of $55 million to $65 million over the next several quarters as a result of the layoffs and office closures.
The move by EA to trim its operations comes as the game publisher finds its financial performance for 2009 will be challenged, as sales in Europe and the U.S. fall short of its earlier expectations.
When it lowered its 2009 expectations earlier this month, EA's chief executive John Riccitiello said in a statement:
While we saw significant improvement in the overall quality of our key products this year, we are disappointed that our holiday slate is not meeting our sales expectations. Given this performance and the uncertain economic environment, we are taking steps to reduce our cost structure and improve the profitability of our business.
EA rose more than 4 percent to $17.52 a share in Friday morning trading.
Electronic Arts on Tuesday warned that its financial performance for fiscal 2009 will fall short of its earlier projections, due to slower sales in the U.S. and Europe.
The game maker had previously projected net revenue of $4.9 billion to $5.15 billion and earnings ranging from a net loss of 21 cents a share to net income of 7 cents a share for the fiscal year ending March 31, 2009. EA did not provide an updated outlook, other than to note one would be provided when it reports its third-quarter results in February.
"While we saw significant improvement in the overall quality of our key products this year, we are disappointed that our holiday slate is not meeting our sales expectations," John Riccitiello, EA chief executive, said in a statement. "Given this performance and the uncertain economic environment, we are taking steps to reduce our cost structure and improve the profitability of our business."
EA plans to launch several cost-cutting measures, from layoffs to facility closures to reducing its product lines, the company said.
That said, however, EA plans to continue investing in the quality of its games, new properties, and its direct-to-consumer initiatives. The company will debut several new titles and online games in 2010.
The inside of the 'Wrath of the Lich King' retail box teases players with a challenge. The expansion to the hugely popular 'World of Warcraft' goes on sale tonight at midnight.
(Credit: Daniel Terdiman/CNET News)
For World of Warcraft players who over the years have grown accustomed to seeing busy in-world auction houses, the last few weeks may have seemed odd.
Normally bustling with players eager to buy or sell weapons, clothing, armor, or other goods, business at the auction houses has recently slowed to a crawl. But it's not because of the global economic crisis.
Rather, say WoW aficionados, players have been hoarding their gold in anticipation of the release Thursday of the game's latest expansion, Wrath of the Lich King, and holding off on buying items that would soon be obsolete.
This is just one example of players of the hugely popular massively multiplayer online game behaving differently as Lich King's release approaches.
The game will go on sale nationwide after midnight (12 a.m.) Thursday, and retail stores expect lines across the country.
We have a sad ending to the story of Brandon Crisp, the Ontario, Canada, boy who ran away from home after his dad took away his Xbox console.
Brandon Crisp
(Credit: Barrie Police)
The body of the 15-year-old, who had been missing since October 13, was found on Wednesday by deer hunters in a heavily wooded area about a mile or so away from where his bicycle was found two weeks earlier, according to police and press accounts.
An autopsy is scheduled for Friday, but based on preliminary evidence, police do not suspect foul play, according to news reports.
Crisp, according to his father and others, was hooked on the online game Call of Duty 4: Modern Warfare, which led to concern that he may have run off to join fellow gamers. His story has captivated online communities around the globe--gamers and parents alike--who have been offering assistance, debating the addictive nature of online games, and are now leaving online condolences. A Facebook search on his name currently turns up 87 groups ranging in name from "Help Find Brandon Crisp!!!!" to "R.I.P. Brandon Crisp."
Xbox maker Microsoft also got involved in the case by agreeing to help investigators and doubling the amount being offered for information leading to Crisp's return to 50,000 Canadian dollars.
Crisp ran away on the day of Canadian Thanksgiving after having an argument with his parents, according to the police in his small town of Barrie, Ontario. His father, Steve Crisp, told local media that he had taken away his son's Xbox after noticing changes in behavior, such as skipping school, stealing money, and ignoring his studies.
See also: InformationWeek, "Xbox 'addict' Brandon Crisp found dead"; The Toronto Star, "Brandon Crisp found dead"; Macleans, "What happened to Brandon?"; and The Globe and Mail, "This is not the ending we wanted."
Amazon.com has acquired Reflexive Entertainment, adding to its PC, Mac, and online casual game offerings.
Reflexive, which announced the acquisition earlier this week in a blog post by Chief Executive Lars Brubaker, said the deal will provide a larger distribution channel than it previously had.
Reflexive also noted that game developers can still submit their work to the site and will continue to have access to its GameCenterSolution.
Terms of the deal were not disclosed.