April 17, 2014


Exploiting Online Games

Exploiting Online Games, a book by Gary McGraw and Greg Hoglund, is being released today. The book talks concretely about security problems and attacks on online games. This is a fascinating laboratory for exploring security issues.

I wrote the book’s foreword. Here it is:

It’s wise to learn from your mistakes. It’s wiser still to learn from the mistakes of others. Too often, we in the security community fail to learn from mistakes because we refuse to talk about them or we pretend they don’t exist.

This book talks frankly about game companies’ mistakes and their consequences. For game companies, this is an opportunity to learn from their own mistakes and those of their peers. For the rest of us, it’s an opportunity to learn what can go wrong so we can do better.

The debate over full disclosure goes back a long way, so there is no need to repeat the ethical and legal arguments we have all heard before. For most of us in the security community, the issue is simple: Experts and the general public both benefit from learning about the technologies that they depend on.

In today’s world, we are asked all the time to bet our money, our time, our private information, and sometimes our lives on the correct functioning of technologies. Making good choices is difficult; we need all the help we can get.

In some fields, such as aviation security, we can be confident that problems will be identified and addressed. Nobody would tolerate an aircraft vendor hiding the cause of a crash or impeding an investigation. Nor would we tolerate a company misleading the public about safety or claiming there were no problems when it knew otherwise. This atmosphere of disclosure, investigation, and remediation is what makes air travel so safe.

In game design, the stakes may not be as high, but the issues are similar. As with aviation, the vendors have a financial stake in the system’s performance, but others have a lot at stake, too. A successful game – especially a virtual world like World of Warcraft – generates its own economy, in several senses. Objects in the game have real financial value, and a growing number of people make their living entirely or partially via in-game transactions. In-world currency trades against the dollar. Economists argue about the exact GDP of virtual worlds, but by any meaningful definition, virtual economies are just as “real” as the NASDAQ stock exchange.

Even nonplayers can have a lot at stake: the investor who bets his retirement account on a game company, the programmer who leaves a good job to work on a game, the family that owns the Indian restaurant across the street from the game company’s headquarters. These people care deeply about whether the technology is sound. And would-be customers, before plunking down their hard-earned money for game software or a monthly subscription, want to know how well a game will stand up to attack.

If aviation shows us the benefits of openness, e-voting illustrates the harms caused by secrecy. We, the users of e-voting systems – citizens, that is – aren’t allowed to know how the machines work. We know the machines are certified, but the certification process is itself shrouded in mystery. We’re told that the details aren’t really our concern. And the consequences are obvious: Designs are weak, problems go unfixed for years, and progress is slow. Even when things do go wrong in the field, it’s very hard to get a vigorous investigation.

The virtue of this book is not only that it talks about real-world problems but also that it provides details. Some security problems exist only in theory but evaporate when real systems are built. Some problems look serious but turn out not to be a big deal in practice. And some problems are much worse than they look on paper. To tell the difference, we need to dig into the details. We need to see precisely how an attack would work and what barriers the attacker has to get over. This book, especially the later chapters, offers the necessary detail.

Because it touches on the popular, hot topic of massively multiplayer games, and because it offers both high-level and detailed views of game security, this book is also a great resource for students who want to learn how security really works. Theory is a valuable tool, but it does its best work when wielded by people with hands-on experience. I started out in this field as a practitioner, trying to learn how to get things done and how real systems behaved, before expanding my horizon to include formal computer science training. I suspect that many senior figures in the field would say the same. When I started out, books like this didn’t exist (or if they did, I didn’t know about them). Today’s students are luckier.

Perhaps some vendors will be unhappy about this book. Perhaps they will try to blame the authors for the insecurity of their game software. Don’t be fooled. If we’re going to improve our security practices, frank discussions like the ones in this book are the only way forward. Or as the authors of this book might say, when you’re facing off against Heinous Demons of Insecurity, you need experienced companions, not to mention a Vorpal Sword of Security Knowledge.

We all make mistakes. Let’s learn from our mistakes and the mistakes of others. That’s our best hope if we want to do better next time.

Comments

  1. Pedant says:

    I hope the publishers aren’t counting on your spell checker for their revenue ;)

  2. gem says:

    Uh oh! The real version in the book can be found here:

    foreword by felten http://exploitingonlinegames.com/book/foreword/

    Did the spelling fun propagate through copyedit?? Seems unlikely but possible.

    Freedom to Tinker readers will probably enjoy the chapter on the law (chapter 3).

    gem

  3. James Grimmelmann says:

    Amazon thinks it hasn’t been released yet and has an expected delivery date of September 13. I ordered it anyway. It’ll make a great one-two combo with Mia Consalvo’s Cheating: Gaining Advantage in Videogames.

  4. gem says:

    I’m not sure why amazon is behind the curve. I know that I have actual copies that arrived yesterday at my house…so the book does actually exist. As soon as CA wakes up, I’ll see what we can do to shake the tree.

    gem

  5. Spudz says:

    Is this (or the Cheating one) available in a free electronic edition anywhere that anyone knows of?

  6. gem says:

    Hi Freedom to Tinker Heads,

    I found out Friday that the book will not be available in stores for a few days. Sorry about that. Some SNAFU with the publisher. You can order a copy in advance from amazon if you want.

    I don’t think the Cheating Online Games (shortcut) is available anywhere for free, but you may be able to get a copy if you contact me directly. The shortcut has material only from the first couple of chapters of the complete book.

    gem

  7. nate_combs says:

    > “Economists argue about the exact GDP of virtual worlds, but by any meaningful definition, virtual economies are just as “real” as the NASDAQ stock exchange.”

    I am not inclined to believe this, as I believe players tend to treat markets in games differently than they do real world ones. A while back I penned a longer argument on this point:

    A fallacy of markets in virtual worlds

  8. gem says:

    Hi Nate,

    It’s not the in-game markets that are that interesting. It’s the virtual world/real world connections that most economists study. The middle market for pretend game stuff was over $400 million last year (and it’s growing). You see, there is a real incentive to cheat. A number of people make their livings doing so.

    The book is now available through three websites:
    http://search.barnesandnoble.com/booksearch/isbnInquiry.asp?z=y&EAN=9780132271912&itm=1
    http://www.awprofessional.com
    http://www.informit.com/title/0132271915

    Incidentally, the digital shortcut is for sale on the AWL/informit sites as well, but the book is a much better value.

    gem

  9. Spudz says:

    Those are all pay sites are they not?

  10. Spudz says:

    What’s with posts giving generic praise about the site but not saying anything about the specific article being discussed? I mean, praise is nice and all, but this Valintino has posted similar notices on several separate occasions, and never anything actually constructively contributing to any debate in progress. This sort of thing is more appropriate for a guestbook comment than a blog.

    Hmm … Perhaps you should set up a guestbook for generic site feedback?

  11. gem says:

    Hi again,

    The URLs I provided were not all pay sites.

    The book’s official site is http://exploitingonlinegames.com

    Amazon is up finally too
    http://www.amazon.com/Exploiting-Online-Games-Distributed-Addison-Wesley/dp/0132271915/ref=pd_bbs_1/102-3484894-6950507?ie=UTF8&s=books&sr=1-1

    A podcast interview of Greg Hoglund (my co-author) as a Silver Bullet Security Podcast guest is also available
    http://www.cigital.com/silverbullet

    gem

  12. Spudz says:

    I don’t see any providing the text of the book for free browsing or download; the text of the book itself appears to be in effect behind a paywall. Which makes them all in effect pay sites.

  13. Spudz says:

    Eh. I got a passel of error messages when I submitted the above, but it apparently succeeded anyway. What the f*@! is going on?

  14. Kris says:

    Good foreword, interesting subject, I plan to read the book. Which games do the authors cover, and which are there any they didn’t cover that you wish they would have?

  15. Kris says:

    Oof, three cheers for proof reading. “… which are there …” indeed.

    Really just commenting again to let you know WP is throwing some odd error, I think it may have something to do with that delightfully long amazon.com URL above (tinyurl that sucker and I think the error message might go away–I use WP myself).

  16. Ed Felten says:

    Sorry about the typos. They came from my transcription. The actual book has better copy-editing. ;)

  17. Spudz says:

    And still no word about where somebody with no credit card can get an online-readable version for only the marginal cost of reproduction…

  18. Spudz says:

    Well?

  19. James Grimmelmann says:

    My copy came a few days ago. I hope this means the snafus are all straightened out.

  20. Spudz says:

    Me, too
    :)

  21. Spudz says:

    Eh, that wasn’t exactly what I wrote. Stupid broken blogging software. Seems this blog attracts its fair share of AOLers that just post “me, too” posts, regardless.

  22. unleashedpower says:

    This is indeed an interesting book. Maybe only a small number of people take the threat to online game security seriously because they are only games. However, most online games, especially World of Warcraft, are definitely not child’s play anymore; half of the population are already professionals.

  23. Bob says:

    Nice blog!
    Quite informative, love to read this blog. We are also dealing with all sorts of PC and computer based games.
    The future of the game industry is really booming.