The Lose/Lose game warns players before they launch the application that they are likely to have files deleted.
(Credit: Lose/Lose)
As part of his Master of Fine Arts thesis project, Zach Gage wrote a game to run on Macintosh computers that resembles Space Invaders but with a digital roulette twist--for every alien space ship the player destroys, a random file on the computer is deleted.
"Lose/Lose is a video-game with real life consequences. Each alien in the game is created based on a random file on the player's computer. If the player kills the alien, the file it is based on is deleted. If the player's ship is destroyed, the application itself is deleted," the computer technology design major wrote on his Web site.
"At what point does our virtual data become as important to us as physical possessions? If we have reached that point already, what real objects do we value less than our data?" he asks.
On September 14, Gage posted his "Lose/Lose" game on his Web site and at the Experimental Gameplay Project, which links back to his site where he has a big warning in red: "KILLING ALIENS IN LOSE/LOSE WILL DELETE FILES ON YOUR HARDDRIVE PERMANENTLY." The application also displays a warning when it is launched.
This week, Symantec announced that it has flagged the application as malware, a Trojan it has dubbed OSX.Loosemaque. Sophos is calling it a Trojan too, OSX/LoseGame-A, and Intego has named it OSX/LoserGame.
"We are concerned that somebody could take this and modify it in some way where users aren't aware of the consequences," Kevin Haley, director of product management at Symantec Security Response, said in an interview on Wednesday. "We want to make people aware of what's on their machine and they can make the decision on whether to run it or not."
Asked to comment on the stir his project was creating, Gage seemed amused.
"I'm kind of OK with it being labeled malware," he said in a phone interview. "I would categorize it as dangerous software, but not malware because it is dangerous if you use it in a certain manner. Whereas malware implies it was designed to be malicious...Calling it a Trojan is really blowing it out of proportion."
Trojan horses are programs, typically masquerading as a benign program or hidden in legitimate software, which provide an attacker unauthorized access to the system. However, Gage's program explicitly says what it does and what the consequences are.
In addition to exploring the nature of risk and reward with regard to war and the notion of how small wins distract from the larger picture, the game provokes discussion about the risks people take with technology every day, Gage said.
"We need to pay attention to how we behave on computers," he said.
Apparently, some people don't mind playing with fire. The list of high scorers on the game site shows more than 40 players, with the highest score having destroyed nearly 5,000 files, or aliens.
"I'm surprised anyone has played it," Gage said. "I'm shocked."
Asked to comment on any possible beneficial merits of the project, Symantec's Haley said: "I don't see the positive aspect of it, but I suppose if it's art we're not supposed to completely understand it."
Symantec created a video that shows how the game works. When an alien ship is destroyed (on the left) a corresponding file is deleted (on the right).
(Credit: Symantec)
The Pirate Bay, a file-sharing site entangled in a court case over pirated music, will be bought by a Swedish software company.
Global Gaming Factory X (GGF) announced the deal Tuesday. The company, which provides digital distribution tools for Internet cafes, will buy The Pirate Bay for cash and shares amounting to $7.76 million. The acquisition is expected to be completed in August.
The Pirate Bay, a BitTorrent tracking site, is involved in a legal battle with major copyright holders, including Warner Brothers, MGM, and Columbia Pictures. In April, the Web site's founders were convicted by a Swedish court of copyright infringement, ordered to pay nearly $4 million, and sentenced to a year in jail. The defendants appealed the decision and were denied a retrial last week.
Hans Pandeya, chief executive of GGF, said in a statement that his company is looking for a business model that will pay copyright holders for content downloaded from The Pirate Bay.
"The Pirate Bay is a site that is among the top 100 most visited Internet sites in the world," said Pandeya. "However, in order to live on, The Pirate Bay requires a new business model, which satisfies the requirements and needs of all parties, content providers, broadband operators, end users, and the judiciary. Content creators and providers need to control their content and get paid for it. File sharers need faster downloads and better quality."
Also, GGF said Monday that it will acquire Peerialism, a peer-to-peer distribution and storage software company, for cash and shares equivalent to $12.9 million. Peerialism's technology will be incorporated into Pirate Bay's site.
"Peerialism has developed a new data-distribution technology which now can be introduced on the best known file-sharing site, The Pirate Bay," Peerialism Chief Executive Johan Ljungberg said in a statement. "Since the technology is compatible with the existing (technology), it will quickly allow for new values to be created for all key stakeholders and facilitate new business opportunities."
A blog post on the Pirate Bay site said that the organization was being sold for a "great bit underneath its value" to ensure it went to "the right people with the right attitude." The four Pirate Bay founders will be kept on as staff in different capacities. They said that they will still have some input into running the site and that users should not expect radical changes.
"If the new owners will screw around with the site, nobody will keep using it," the founders said in the blog post. "That's the biggest insurance one can have that the site will be run in the way that we all want to."
Despite the apparent influx of cash, Pirate Bay co-founder and spokesman Peter Sunde told Swedish Radio, SR, that it won't be used to pay their fine.
"We are not getting the money, so we cannot pay any fine," he said.
Tom Espiner of ZDNet UK reported from London. CNET News intern Erik Palm contributed to this report.
Correction at 8:45 a.m. PDT: The purchase price for Peerialism has been fixed.
SAN FRANCISCO--It will likely come as no surprise to anyone familiar with virtual worlds and online games that they can be hacked. But what might come as a shock is the sheer breadth of types of exploits that are possible.
That was the broad message of a Thursday panel called, appropriately, "Exploiting Online Games" at the RSA 2009 security conference here.
Moderated by Gary McGraw, CTO of software security consulting firm Cigital and an author of several books, the panel took the audience on a deep dive into the diverse ways that hackers and others have figured out to either skim real money or to gain game play advantages not available to normal players.
McGraw opened the panel with a brief explanation of the fact that there are real, functioning economies in virtual worlds and online games, and that players cash in their virtual goods for real money, to the tune of more than $1 billion a year. This, of course, is old news to those in game playing circles, but for many of the security experts in the room, it may well have been eye-opening.
And, McGraw said, it's the very fact that real money is at stake that often gets otherwise uninterested game players to pay attention to the security risks they face every day.
"There's a whole bunch of normals (those not steeped in knowledge about computers) using games, and they don't care about security," McGraw said. "But they like their stuff, (and) when their stuff gets taken, that really hurts the hell out of them. That's a way to start a conversation about computer security with normals, because almost everybody knows somebody who plays online games."
The first panelist to present was Greg Hoglund, the founder of Rootkit.com and the CEO of the consulting firm, HBGary. He explained that online games are regularly under attack by two discrete types of cheats: exploits--actual bugs in games that clever hackers have figured out how to mine in various ways, and bots, which are essentially automated macros that can be used to perform mundane tasks again and again and again, and very profitably.
The bugs, Hoglund said, often exist "at the borders of systems," and are used for things such as duplicating gold, or leveraging poor synchronization between back-end databases to extract money out of a game economy or even to gain teleportation powers that otherwise don't exist.
Hoglund also recalled a security expert who figured out a hack that allowed him not only to filch Second Life users' virtual currency--which is directly convertible to US dollars--but also to get ahold of users' credit card information and then use it to buy more of the currency to trade in. That exploit, Hoglund explained, was done only to prove that it could be done, but it underlined some of the significant risks facing players of online games and virtual worlds with functioning economies, as well as the publishers of those titles.
He also talked about bots, and explained that they, too, are often employed to gain an advantage most players don't have. They are almost universally prohibited, but Hoglund said creating them and using them is remarkably easy for those who know what they're doing. And he talked about one he had written to use in World of Warcraft that allowed his character to stay safe from attack from the rear, while also luring in loot-bearing enemies to kill. Once killed, the enemies would be regenerated by the bot, allowing Hoglund's character to kill them and pick off all their loot over and over again, a process that netted him significant profit, he hinted.
Similarly, he explained that games like World of Warcraft have vulnerabilities that allow savvy hackers to tap into the games' code, allowing for all kinds of new abilities, like being able to perform 15 charms at once, not available to the public at large.
Hoglund said companies like WoW publisher Blizzard are always actively trying to stop players from employing bots and ban those they catch, but added that for those who know what they're doing, detection is not something to worry about. And that, of course, is one of the explanations behind the so-called gold "farmers," often teams working in third-world countries whose job it is to run multiple accounts simultaneously, usually employing bots to perform gold-earning tasks and essentially just making sure that their in-game characters don't get "lodged in a tree."
Courts weigh in
Next up was Sean Kane, a partner with the New York law firm of Drakeford & Kane, and a leading voice on issues surrounding the law and virtual worlds.
Kane talked about two specific cases, one that is several years old and one that is much more recent.
The older case, Bragg v. Linden Research, focused on whether Linden, the publisher of the virtual world Second Life, was right to shut down the account of a user who had discovered an exploit allowing him to buy virtual land at below-market prices. Mark Bragg, the plaintiff, demanded $8,000 in restitution and eventually won a settlement from Linden in which his account was reinstated. But that only happened, Kane pointed out, after a federal judge ruled that the arbitration clause in the Second Life terms of service was onerous and one-sided.
At the time, the entire virtual world community had been watching the case closely, as many thought it would be the case that for the first time established the real-world value of virtual goods (and despite the fact that Bragg, himself a lawyer, had filed his suit in state court with a hand-written form). However, the settlement, not long after the federal judge's ruling, side-stepped that outcome.
But what many found interesting at the time was that Bragg had argued his hack was fair game, since all he did was exploit a feature hidden in the Second Life code. In effect, Bragg argued, code is law, and anything that players can do with the tools at their disposal is legitimate. Linden obviously disagreed, but ended up settling anyway.
Kane also focused on another case, MDY Industries v. Blizzard, in which MDY had created a bot, called Glider, that allowed players to level-up their characters without even having to be playing.
Blizzard sued for copyright infringement, arguing that bots like Glider were prohibited under its end-user license agreement (EULA) and that only that license actually allowed players to run WoW. In essence, the argument said that by running WoW under circumstances that violated the EULA, Glider was supporting copyright infringement.
Ultimately, though many argued that Blizzard's argument was beyond specious, the courts ruled in favor of the publisher, awarding it $6 million. But, not surprisingly, the outcome is on appeal.
Hacking Disney
Aaron Portnoy, a researcher with Tippingpoint security research, took the microphone next and talked briefly about his experiences hacking the Python code of the Disney online game, Pirates of the Caribbean. He explained that because Python is a dynamic language, he and a colleague had needed just a couple of days to reverse-engineer all of the game's code, and were able to use their exploit to get their in-game characters to do things that were otherwise impossible.
During a panel on exploiting online games, Tippingpoint's Aaron Portnoy talked about how he and a colleague discovered that Disney's online game Pirates of the Caribbean was written in Python, a language that allowed them to reverse-engineer the game's code in just two days. The result was that Portnoy's character was able to fly high in the sky, whereas everyone else in the game was limited to jumps of just four feet high.
(Credit: Daniel Terdiman/CNET Networks)
For example, Portnoy said, he was able to easily get his character to jump high in the air, while the standard maximum jump was just about four feet. He could also jump out of a pirate ship, walk on water at a speed faster than sailing ships in the game could travel, and attack at will.
"Everybody could see my guy jumping over buildings for miles," Portnoy said.
And, given how easy he and his colleague found it to reverse-engineer the code, Portnoy said, "It's almost like (Disney) didn't even consider security."
Gaming the games
Last up was Avi Rubin, a professor of computer science at Johns Hopkins. He talked, also relatively briefly, about how easy it is for some cheaters to exploit the game of online poker.
Essentially, Rubin argued, a hack called a Sybil attack--which employs fake people participating in games--makes it possible for online poker players to gain a big advantage over their opponents. That works, he said, by making it possible for a single player to control multiple hands in a game, allowing that person to see more cards than they would otherwise, and get a better handle on the odds of their own hand.
For example, he said, in a game of Texas Hold'em, a player employing a Sybil attack on an online poker game could control multiple hands and see things like whether the fives or eights they need to complete a full house and beat an opposing player's flush had already been played.
Rubin's point, then, was that game operators need to work harder at identity management, in order to keep players from employing such exploits. He didn't, however, offer any solutions as to how to do that.
All told, the panelists made it clear that just about any kind of online game or virtual world--especially those where money is on the line--is subject to some kind of hack or exploit, and that for those with the skills to launch such attacks, the barriers stopping them are easily surmountable.
The lesson, then, is that publishers of such games need to think harder about how to manage their players' actions and expectations. Otherwise, players may find themselves in games that are so compromised that the economies collapse and the fun disappears.
When James Bossert saw that his Whack 'em All iPhone game had 400 new users in one day last week, he initially got excited. But that sentiment quickly changed when he saw that only 12 people had paid 99 cents for the game on Apple's iPhone App Store. Bossert e-mailed the person who claimed to have cracked and distributed it and posted the response on his blog.
"As many iPhone and iPod touch owners have discovered, Apple's iTunes App Store has many flaws which render it useless to the common user," the pirate, whose alias is "most_uniQue," wrote. "Apple has chosen to allow a multitude of ridiculous, worthless, poorly-represented applications through its 'strict' screening process, nearly all written by mediocre programmers with a dream of getting rich quick. Many of these programmers game the reviews system, misrepresent their application in the description, and generally try to swindle the honest buyer."
The pirate then suggested that Apple offer trial versions of the apps and that Bossert offer an ad-supported version of his game.
"Most_uniQue" said he used Crackulous, "one-tap" cracking software developed by Hackulous, to crack the app. After cracking 35 apps, he is retiring, he told Bossert in their surprisingly friendly e-mail exchange.
These pirated apps run only on iPhones that have been jailbroken, or opened up to third-party applications without Apple's authorization.
According to Bossert, this is not an isolated incident.
"Many developers are upset that the (Apple) digital rights management is broken and nobody has gotten a response from Apple, that I know of," Bossert, co-founder of Fairlady Media, told CNET News on Tuesday. "The pirates are so far ahead of Apple now that ... games are cracked the day or the day after they are released."
An Apple spokesperson said the company had no comment.
Bossert said he plans to release a free, ad-supported version of Whack 'em All within a few weeks as a result of the piracy. "I'll leave the 99 cent version out there and see what happens," he added.
Pirating of iPhone apps appears to have been going on since at least last July with the pirating of the Super Monkey Ball from SEGA.