SAN FRANCISCO--It will likely come as no surprise to anyone familiar with virtual worlds and online games that they can be hacked. But what might come as a shock is the sheer breadth of types of exploits that are possible.
That was the broad message of a Thursday panel called, appropriately, "Exploiting Online Games" at the RSA 2009 security conference here.
Moderated by Gary McGraw, CTO of software security consulting firm Cigital and an author of several books, the panel took the audience on a deep dive into the diverse ways that hackers and others have figured out to either skim real money or to gain game play advantages not available to normal players.
McGraw opened the panel with a brief explanation of the fact that there are real, functioning economies in virtual worlds and online games, and that players cash in their virtual goods for real money, to the tune of more than $1 billion a year. This, of course, is old news to those in game playing circles, but for many of the security experts in the room, it may well have been eye-opening.
And, McGraw said, it's the very fact that real money is at stake that often gets otherwise uninterested game players to pay attention to the security risks they face every day.
"There's a whole bunch of normals (those not steeped in knowledge about computers) using games, and they don't care about security," McGraw said. "But they like their stuff, (and) when their stuff gets taken, that really hurts the hell out of them. That's a way to start a conversation about computer security with normals, because almost everybody knows somebody who plays online games."
The first panelist to present was Greg Hoglund, the founder of Rootkit.com and the CEO of the consulting firm, HBGary. He explained that online games are regularly under attack by two discrete types of cheats: exploits--actual bugs in games that clever hackers have figured out how to mine in various ways, and bots, which are essentially automated macros that can be used to perform mundane tasks again and again and again, and very profitably.
The bugs, Hoglund said, often exist "at the borders of systems," and are used for things such as duplicating gold, or leveraging poor synchronization between back-end databases to extract money out of a game economy or even to gain teleportation powers that otherwise don't exist.
Hoglund also recalled a security expert who figured out a hack that allowed him not only to filch Second Life users' virtual currency--which is directly convertible to US dollars--but also to get ahold of users' credit card information and then use it to buy more of the currency to trade in. That exploit, Hoglund explained, was done only to prove that it could be done, but it underlined some of the significant risks facing players of online games and virtual worlds with functioning economies, as well as the publishers of those titles.
He also talked about bots, and explained that they, too, are often employed to gain an advantage most players don't have. They are almost universally prohibited, but Hoglund said creating them and using them is remarkably easy for those who know what they're doing. And he talked about one he had written to use in World of Warcraft that allowed his character to stay safe from attack from the rear, while also luring in loot-bearing enemies to kill. Once killed, the enemies would be regenerated by the bot, allowing Hoglund's character to kill them and pick off all their loot over and over again, a process that netted him significant profit, he hinted.
Similarly, he explained that games like World of Warcraft have vulnerabilities that allow savvy hackers to tap into the games' code, allowing for all kinds of new abilities, like being able to perform 15 charms at once, not available to the public at large.
Hoglund said companies like WoW publisher Blizzard are always actively trying to stop players from employing bots and ban those they catch, but added that for those who know what they're doing, detection is not something to worry about. And that, of course, is one of the explanations behind the so-called gold "farmers," often teams working in third-world countries whose job it is to run multiple accounts simultaneously, usually employing bots to perform gold-earning tasks and essentially just making sure that their in-game characters don't get "lodged in a tree."
Courts weigh in
Next up was Sean Kane, a partner with the New York law firm of Drakeford & Kane, and a leading voice on issues surrounding the law and virtual worlds.
Kane talked about two specific cases, one that is several years old and one that is much more recent.
The older case, Bragg v. Linden Research, focused on whether Linden, the publisher of the virtual world Second Life, was right to shut down the account of a user who had discovered an exploit allowing him to buy virtual land at below-market prices. Mark Bragg, the plaintiff, demanded $8,000 in restitution and eventually won a settlement from Linden in which his account was reinstated. But that only happened, Kane pointed out, after a federal judge ruled that the arbitration clause in the Second Life terms of service was onerous and one-sided.
At the time, the entire virtual world community had been watching the case closely, as many thought it would be the case that for the first time established the real-world value of virtual goods (and despite the fact that Bragg, himself a lawyer, had filed his suit in state court with a hand-written form), However, the settlement, not long after the federal judge's ruling, side-stepped that outcome.
But what many found interesting at the time was that Bragg had argued his hack was fair game, since all he did was exploit a feature hidden in the Second Life code. In effect, Bragg argued, code is law, and anything that players can do with the tools at their disposal is legitimate. Linden obviously disagreed, but ended up settling anyway.
Kane also focused on another case, MDY Industries v. Blizzard, in which MDY had created a bot, called Glider, that allowed players to level-up their characters without even having to be playing.
Blizzard sued for copyright infringement, arguing that bots like Glider were prohibited under its end-user license agreement (EULA) and that only that license actually allowed players to run WoW. In essence, the argument said that by running WoW under circumstances that violated the EULA, Glider was supporting copyright infringement.
Ultimately, though many argued that Blizzard's argument was beyond specious, the courts ruled in favor of the publisher, awarding it $6 million. But, not surprisingly, the outcome is on appeal.
Hacking Disney
Aaron Portnoy, a researcher with Tippingpoint security research, took the microphone next and talked briefly about his experiences hacking the Python code of the Disney online game, Pirates of the Caribbean. He explained that because Python is a dynamic language, he and a colleague had needed just a couple of days to reverse-engineer all of the game's code, and were able to use their exploit to get their in-game characters to do things that were otherwise impossible.
During a panel on exploiting online games, Tippingpoint's Aaron Portnoy talked about how he and a colleague discovered that Disney's online game Pirates of the Caribbean was written in Python, a language that allowed them to reverse-engineer the game's code in just two days. The result was that Portnoy's character was able to fly high in the sky, whereas everyone else in the game was limited to jumps of just four feet high.
(Credit: Daniel Terdiman/CNET Networks)For example, Portnoy said, he was able to easily get his character to jump high in the air, while the standard maximum jump was just about four feet. Or, to jump out of a pirate ship, walk on water at a speed faster than sailing ships in the game could travel, and attack at will.
"Everybody could see my guy jumping over buildings for miles," Portnoy said.
And, given how easy he and his colleague found it to reverse-engineer the code, Portnoy said, "It's almost like (Disney) didn't even consider security."
Gaming the games
Last up was Avi Rubin, a professor of computer science at Johns Hopkins. He talked, also relatively briefly, about how easy it is for some cheaters to exploit the game of online poker.
Essentially, Rubin argued, a hack called a Sybil attack--which employs fake people participating in games--makes it possible for online poker players to gain a big advantage over their opponents. That works, he said, by making it possible for a single player to control multiple hands in a game, allowing that person to see more cards than they would otherwise, and get a better handle on the odds of their own hand.
For example, he said, in a game of Texas Hold'em, a player employing a Sybil attack on an online poker game could control multiple hands and see things like whether the fives or eights they need to complete a full house and beat an opposing player's flush had already been played.
Rubin's point, then, was that game operators need to work harder at identity management, in order to keep players from employing such exploits. He didn't, however, offer any solutions as to how to do that.
All told, the panelists made it clear that just about any kind of online game or virtual world--especially those where money is on the line--is subject to some kind of hack or exploit, and that for those with the skills to launch such attacks, the barriers stopping them are easily surmountable.
The lesson, then, is that publishers of such games need to think harder about how to manage their players' actions and expectations. Otherwise, players may find themselves in games that are so compromised that the economies collapse and the fun disappears.
On the heels of banking scandals in the virtual world Second Life, its publisher Linden Lab announced Tuesday that it is effectively banning in-world banks.
"As of January 22, 2008, it will be prohibited to offer interest of any direct return on an investment (whether in Linden dollars or other currency) from any object, such as an ATM, located in Second Life, without proof of an applicable government registration statement or financial institution charter," Linden Lab wrote on its blog Tuesday. "We're implementing this policy after reviewing resident complaints, banking activities and the law, and we're doing it to protect our residents and the integrity of our economy."
The move comes after some residents lost money they'd entrusted to in-world banks like the now-infamous Ginko Financial last year. And the decision by Linden Lab is clearly aimed at restoring faith that some had lost in the stability of the virtual world's economy.
It also comes less than a year after Linden Lab banned casinos in Second Life, another move aimed at demonstrating that the economy is on the up-and-up and therefore not something that government officials should spend too much time looking at.
In the early hours after the Tuesday announcement, Second Life residents are mixed in their opinions about the banking ban.
"So the existing so-called 'bankers' and 'stock exchanges' can just take the cash they have collected and run, eh," wrote Second Life resident Ann Otoole in a comment responding to the Linden Lab blog post. "Glad I never fell for this scam, but a lot of residents are going to be hurt so maybe (Linden Lab) should seize the assets of these 'banker' accounts right now and then figure out what to do with the assets. The amounts of (real life) money involved is pretty high and it will be sad to see these people get away scott free with nearly a million U.S. dollars."
But others supported the decision and saw the benefits of removing a controversial element to the SL economy, which sees around $1.3 million in activity every day.
"Thank you for doing this," wrote SL resident Lukas Mensing in the comments section of the blog. "(It's the) first step to a real virtual economy."
Whether the move will stabilize the economy, or at least perception of the economy remains to be seen. But it's pretty clear Linden Lab had to do something to stave off criticism related to banks that have folded, taking residents' money with them.
But only time will tell whether the decision will have any meaningful impact. And for those residents who have used the banks for various financial purposes, it will be very interesting to see what alternatives they have available in the months to come.
There's a major kerfuffle going on at Second Life publisher Linden Lab.
According to the virtual world blog Massively, Linden Lab CTO and employee No. 4 Cory Ondrejka has been asked by CEO Philip Rosedale to leave the company.
And Linden Lab itself has confirmed that Ondrejka is leaving, though it hasn't publicly explained whether he was fired or left on his own.
Either way, this is very big news in the Second Life world because Ondrejka has been there from the beginning, wrote the Linden Scripting Language and has been the engineering lead all along.
But according to an e-mail posted Tuesday by Massively that appears to be from Rosedale to Linden Lab employees, he fired Ondrejka over irreconcilable differences.
Here is the text of that purported internal e-mail written by Rosedale, which, it should be noted, was provided to Massively by someone presenting themselves as a Linden Lab employee:
"Cory is going to leave LL. He has been with us for 7 years, and was the fourth person to join. So this is a big deal. Cory has been a huge part of the company, having designed big parts of SL, hired many people, contributed greatly to the culture, and given a powerful voice to SL and LL. Among other things, he had the original design idea for the love machine, single handedly wrote the scripting language, and got us all doing A&Os back in 2001. Losing him will be hard for the company. I will miss him a lot. What's worse is that ultimately his leaving is my decision.
"Cory and I have differences in how we think Linden should be run, differences that in the past few months have become irreconcilable. These are tensions that were more manageable when we were smaller, and there have been times that they have helped us do great work together. But now, as we change and grow as a company, I feel that we need a different set of strengths in engineering leadership. I strongly believe that this is the right decision, although not without pain, for both LL and Cory. Of course, I'm not going to go into the details of these differences. This is one of those times when, in having me as your leader, you will also have to trust me in my decision."
If this situation is for real, it would be pretty big news. As any regular user of Second Life knows, the virtual world has many technical problems that have gone unfixed for years. Who exactly has overseen attempts to address those problems is not entirely clear to me, though Ondrejka, as CTO, certainly had some oversight.
On the other hand, as CEO, Rosedale obviously also has oversight over such issues.
All we can say for now is that Linden Lab seems to be in a bit of a state of chaos, and that's certain to last as the dust settles.
Stay tuned for more on this.
Update, 8:17 p.m. PST: In an e-mail response to a query from CNET News.com, Linden Lab provided a statement. Further, a Linden Lab representative said someone would be in touch on Wednesday.
The statement, issued on behalf of Rosedale, read: "I can confirm that Cory Ondrejka, CTO, will be leaving Linden Lab at the end of this year, in order to pursue new professional challenges outside the company. I wanted to take this opportunity to publicly thank Cory for his tremendous contribution to the company and to Second Life, in terms of its original vision and ongoing progress.
"As it grows, the needs of our company are changing, and the role of CTO, or technical lead, has also evolved. Therefore, Cory and I are in agreement that our paths, at this point in time at least, lie in different directions. During Cory's tenure the engineering team has grown tremendously, and given the breadth and depth of our technical expertise, we do not foresee any impact on our development plans.
"Together, we've produced great things in the development of Second Life, and I know Cory will go on to achieve excellence in his chosen field.?
Over on Dean Takahashi's San Jose Mercury News blog today, he reported on the discovery by a pair of security researchers that it may be possible to steal Second Life users' in-world currency.
That would be a big problem, of course, because the currency, known as Linden dollars, are directly convertible to U.S. dollars.
According to Takahashi's story, hackers Charles Miller and Dino Dai Zovi told him that they have uncovered an exploit that could allow someone to fleece Second Life residents of their Linden dollars.
The exploit is related to Apple's QuickTime software, which is used to display videos in Second Life.
"The exploit works because Second Life allows users to embed videos or pictures on their characters or their virtual property," Takahashi wrote. "When someone comes nearby and is within view of the object, the Second Life software activates QuickTime so it can play the video or picture. In doing so, QuickTime directs the Second Life software to a Web site. By exploiting the flaw in QuickTime, the hackers can direct the Second Life software to a malicious Web site that then allows them to take over the Second Life avatar.
The end result of that could be that a malicious hacker could then strip the avatar of any Linden dollar holdings.
For its part, Takahashi wrote, Linden Lab told him that the exploit is easily patched. Nonetheless, the company put up a warning on its blog Friday.
Takahashi said that Linden Lab told him, "We were alerted a short time ago by Internet security professionals that a QuickTime exploit has been discovered which may allow an attacker to crash or exploit any user of the QuickTime software from Apple. The Second Life viewer uses QT to play videos and therefore this exploit could potentially affect the residents of Second Life. This exploit affects all platforms that use QuickTime and, to date, Apple has not released a fix for it."
To date, however, Takahashi wrote, Linden Lab said it isn't aware of anyone actually using the exploit to rob anyone.
For residents of Second Life, then, the solution may be to avoid holding onto large numbers of Linden dollars.
As I told Takahashi when he asked me to comment for his story on Linden dollar security, "As one SL business owner said to me...you should always have a backup plan in case of a glitch that causes you to lose everything, because you never know what might happen. And in the case of Linden dollars, that likely means doing regular (Linden dollar/U.S. dollar) exchanges so as not to keep too many Lindens in your SL account. You can't lose what's not there."
Maybe virtual world publishers do belong inside the magic circle after all.
On Sunday I wrote about an interesting situation that arose after the sad and tragic death of one-half of the Second Life fashion design team known to most as the avatar Ginny Talamasca.
In the wake of the designer's passing, Katt Kongo, the publisher of the Second Life newspaper, Metaverse Messenger, proposed having SL publisher Linden Lab designate April 17, 2008 "Ginny Talamasca Day."
But Kongo's proposal, which she made in an e-mail to a number of SL residents, including myself, was followed by responses from some who argued that the role of organizing such a commemorative day would likely fall on the virtual world's residents themselves and that Linden Lab would likely decline to be involved.
"Linden Lab's role has been one of a platform developer, not as a (massively multiplayer online game) provider," wrote Ron Blechner, chief technology officer of Involve, a third-party SL development company, at the time. "As such, they really aren't the ones in control of Second Life's culture; they aren't the game gods; they just design the architecture, really."
Blechner also said that he felt that, "if you feel strongly about getting this done, my recommendation would be to build up a grass-roots support, and eventually, with enough support and awareness, it will become a de facto event."
My feeling was that Blechner was probably right and that Linden Lab would likely choose not to get directly involved. And to me it raised the interesting question of the role of a publisher in such a dynamic.
But it turns out that the conventional wisdom was wrong.
On Friday, Robin Harper, Linden Lab vice president of marketing and community development, wrote back to everyone who had received Kongo's original e-mail.
"We think it's a wonderful idea to have an annual day of remembrance in Second Life, to honor everyone we may have lost through the year," Harper wrote. "We're happy to have that day be on April 17. In addition, we'd like to donate (two island sims) for the purpose of holding any memorial type events...It's our feeling that such a day will enrich Second Life, and the loss of Ginny is a reminder how important it is that we remember all our friends--hence the move to a broader recognition day."
Now, it's not exactly what Kongo asked for, but it's certainly in the right spirit.
And the quick and positive responses to Harper's e-mail that followed it show that the publisher of a virtual world can step inside the so-called magic circle and have it feel right. And it doesn't necessarily break the illusion of a place like Second Life being a fantasy environment. In fact, it may demonstrate that everyone involved, from user to developer to publisher, is part of the same community.
- prev
- 1
- next
