Protecting Games – Game Security for Your Computer Games

Between 2005 and 2011, I wrote over 2500 posts on game security topics in this blog.

It was a lot of stuff.

In January 2010, the best of this material was synthesized and consolidated into Protecting Games.

Nearly 400 pages of game security goodness:

Protecting Games is an excellent security handbook albeit a slightly overwhelming one that deserves a place on the bookshelf of anyone involved in the process of creating games. It arms us with the knowledge we need to make the right choices while navigating through the process of not only an building an entertaining game but a secure one as well.  -  P. Peron

Security problems are often not as difficult as you think. Often, the answers are common sense. It is simply a matter of being attentive to the issues and being willing to actually solve the problem.

Steven’s take on security is very common sense- and business-driven, at the exact opposite of solution vendors trying to sell you a silver bullet. His recommendations are generally simple and easy to implement, providing that relevant stakeholders in the development and operations of the game are committed to security from early on in the project : just like service design or marketing, it is not the problem of the specifically assigned department, and it can’t be added as an afterthought. The book is not limited to technical risks, but also covers business and game design issues, and so can be read by anyone working in the games industry, not only technical people. Overall, it’s a very enjoyable read about the security game – the one played by your company, against an infinite horde of opponents armed with a lot of time, wits and resources. – D. Lagrange

My goal is to give you the tools to solve security problems yourself (or avoid them) OR, if you can’t solve your problems directly, that you will be able to judge anyone that you hire to help.

Who am I?

Hi, my name is Steve Davis. I’ve been working in the security field for over 25 years with the past 15 focused on game security.

“True expert in gaming and technology security, thorough knowledge of the industry, and author of highly-relevant gaming security technology code.” - W. Joseph Price

I’m like you. I don’t particularly care about cool technology. I’m not here to sell you consulting services. I just want your game to be as secure as possible against real bad guys.

“Steven’s knowledge of applied cryptograpy was really invaluable. And his advices helps us to choose different business solution, which turns to advantage and saved much time.” – A. Haiduk

Real bad guys don’t care about your security systems. They just want to “win” – whether that is getting free copies of your games, cheating and winning online, selling your virtual goods at a profit… whatever.

“Steve is a true expert on the subject of game security. I’ve met many security consultants and many game consultants, but Steve is the only person I’ve found who can honestly claim to have expert knowledge in both areas, and an excellent understanding of how the two areas interact.” – J. West

They are looking for the easiest, quickest ways to get what they want.

“Steven has been an invaluable resource, advising us on a full spectrum of security and business issues related to our peer-to-peer MMO and unique game and IT concerns. He is the leading authority on game security today and his advice has already saved us untold time, money, and missteps. He clearly understands the business of online games and the needs of independent developers and publishers.” – K. Rued.

Let’s find a way to encourage them to look elsewhere.

“Steven Davis is deeply informed on the increasingly important and complex security issues arising in the online gaming field. He has led the field in recognizing the connection between security and profitability. I have found his advice invaluable as a magazine writer and as a game designer.” – A. Varney

Protecting Games – Table of Contents

Protecting Games covers everything from piracy to cheating to good old fashioned IT security.

Part I -The Protection Game

Chapter 1 – Game Security Overview

• What Is Game Security?

• When Should You Care About Game Security?

• Who Should Worry About Game Security?

• The Game Security Challenge

• References

Chapter 2 – Thinking Game Protection

• Independence

• You Can’t Count on Trust

• Lazy, Cheap, or Stupid

• Laziness
• Being Cheap
• Stupidity (Ignorance Is Bliss, for a While)

• Threats, Vulnerabilities, and Risk

• Beyond Protect, Detect, React

• Asymmetric Warfare

• Process, Testing, Tools, and Techniques

• Second Grader Security

• References

Part II – Piracy and Used Games

Chapter 3 – Overview of Piracy and Used Games

Chapter 4 – The State of Piracy and Anti-Piracy

• Determining the Scope of Piracy

• How Much Is Anti-Piracy Worth?

• Trusted Brand Security: Nintendo and ADV

• Anti-Piracy Innovators: Nine Inch Nails and Disney

• Going Forward

• References

Chapter 5 – Distribution Piracy

• Preventing Duplication

• Detecting Duplication

• Collectables, Feelies, and Other Stuff

• Disk as Key

• License Keys

• ID and Checksum

• Public Key Encryption

• Online Authorization

• Who Owns the Piracy Problem and Protecting Developer Royalties

• Splitting and Key Storage

• Splitting Data

• Obfuscating Data

• Splitting and Obfuscating Data

• Local Storage and Online Games

• Busted Pirate: Now What?

• References

Chapter 6 – DRM, Licensing, Policies, and Region Coding

• The Basics of DRM

• Why DRM Doesn’t Work

• Types of DRM Systems

• Fingerprinting and Covert Fingerprinting

• Attacking Fingerprints and Watermarks

• Watermarking

• Security Labels and Tags

• Digital Signatures

• Encryption

• Proprietary Encoding

• Obfuscation

• Split Delivery

• License Policy

• References

Chapter 7- Console Piracy, Used Games, and Pricing

• Attacking Consoles

• Secure Bootstrapping

• The Used Games Market

• Pricing Pirates Out of Business

• Breaking Through the Glass Case

• References

Chapter 8 – Server Piracy

• Server Piracy Trends

• Insider Piracy, Troubled Partnerships, and Online Game Appliances

• Authenticating the Server

• Bypassing Encryption

• References

Chapter 9 – Other Strategies, Tactics, and Thoughts

• Measuring Piracy

• Fighting Pirate Networks

• Multi-Player Gaming

• Ownership Models: Accounts versus Platforms

• Rich Interaction System

• Digital Affiliate System

• DAS Media Asset

• DMA Player

• DMA Registry

• Making Pirates into Resellers

• Playing with Secure Digital Distribution

• Cryptography: The Devil Is in the Details

• References

Chapter 10 – Anti-Piracy Bill of Rights

• Basic Fair Use Principles

• Registration Options

• Installation Options

• Connection Options

• References

Chapter 11 – The Piracy Tipping Point

• Determining the Goal of Anti-Piracy Policies

• References

Part III – Cheating

Chapter 12 – Overview of Cheating

Chapter 13 – Cheating 101

• Cheating and the Game Industry

• Fair Play

• Cheat Codes

• Hardware Hacks: R4 and GameShark

• Exploits

• The CARRDS Reference Model

• The Remote Data Problem

• State-Based Networking

• Hidden State and Partial Information

• Client/Authoritative Server Networking

• Action-Based Networking

• Money, Virtualization, Rootkits, and the End of Client-Side Security

• Security, Trust, and Server Architectures

• Random Events

• Player Collusion

• Business Models and Security Problems

• References

Chapter 14 – App Attacks: State, Data, Asset, and Code Vulnerabilities and Countermeasures

• Memory Editors, Radar, and ESP

• Data Obfuscators

• Code Hacks and DLL Injection

• Blind Security Functions, Code Obfuscators, and Anti-Tamper Software Design

• Save Game Attacks, Wallhacks, and Bobbleheads

• Save Sharing

• Graphics Engines versus Game Engines

• Secure Loader and Blind Authentication

• References

Chapter 15 – Bots and Player Aids

• Is It “Help” or Is It Cheating?

• Demonstrating a Hack and the YouTube Threat

• CAPTCHAs: Distinguishing Players from Programs

• Cheat Detection Systems

• References

Chapter 16 – Network Attacks: Timing Attacks, Standbying, Bridging, and Race Conditions

• ACID, Dupes, and SQL Attacks

• Defensive Proxies

• Hacker Proxies

• Thinking About Network Time: Act, But Verify

• Securing Time

• References

Chapter 17 – Game Design and Security

• Design Exploits

• Collusion

• Trivia Games

• Word, Number, and Puzzle Games

• Algorithmic Games, Physics Flaws, and Predictable Behavior

• Randomize Things a Bit

• Use Abstraction

• Limitations of Algorithmic Games

• Bots Are Hard to Fight

• Speed, Twitch, Timing, and Pixel Precision

• Strong and Dominant Strategies and Deep Game Play

• Power of People: Rock, Paper, Scissors, Poker, and the World of Psychology

• Game Play Patterns: Combat Devolved

• Designing for the Medium

• References

Chapter 18 – Case Study: High-Score Security

• Cheating in High-Score Games

• Encryption, Digital Signatures, and Hash Functions

• Client-Server Option

• Randomly Seeded Client

• Alternative High-Score Strategies

• Puzzles, Skill-Based Games, and Other Deterministic Games

• Inappropriate Player Handles

• Summary

• References

Part IV – Social Subversion: From Griefing to Gold Farming and Beyond with Game Service Attacks

Chapter 19 – Overview of Social Subversion

Chapter 20 – Competition, Tournaments, and Ranking Systems (and Their Abuse)

• Understanding Tournaments and Ranking Systems

• Lobby Attacks

• Tournament and Lobby Spiking

• Entry Spreading

• Rank Boosting and Busting

• Syndicates and Bots

• Tournament and Ladder Game Play Attacks

• Collusion

• Game Configuration

• Ghosting

• Abandonment: The “Game Over” Game

• Zero-Sum Scoring

• Game Operator Problems

• Bias

• Insider Players/Shills

• Payment Abuse/Till Fraud/Rake Abuse

• Ultra-Violence/Action Hands

• Identity Problems

• Countermeasures

• Retrofitting Games for Tournaments and Skill Games

• Summary

• Resources

Chapter 21 – Griefing and Spam

• Communications Griefing and Spam

• In-Game, Community, and Customer Support

• Answers to the Griefing Problem

• High Score or Player Name Griefing

• Game Play Griefing

• Don’t Drop (Loot)

• User-Created Content

• Liability and Business Risk (with J. Price)

• Obscenity

• Harassment

• Trademark and Copyright Infringement

• References

Chapter 22 – Game Commerce: Virtual Items, Real Money Transactions, Gold Farming, Escorting, and Power-Leveling

• The Dark Side: Four More Categories of Game Players

• Amusement Park Economics

• Alternative Models

• On Virtual Items

• Gold Farming

• Gold Frauders, Online Thieves, and Insiders

• Potential Solutions

• Power-Leveling

• Escort Services, Subletting, and Virtual Prostitution

• Summary

• References

Chapter 23 – To Ban or Not to Ban? Punishing Wayward Players

• Crime, Credibility, and Punishment

• The Cost of Punishment: Who’s Being Punished?

• Possible Punishments and Credible Deterrence

• Summary

• References

Part V – The Real World

Chapter 24 – Welcome to the Real World

Chapter 25 – Insider Issues: Code Theft, Data Disclosure, and Fraud

• Code Theft and Other Data Disclosures

• Office IT Infrastructure

• Insider Fraud

• Playing Your Own Game

• Privileging and Isolation

• References

Chapter 26 – Partner Problems

• Contracting Security?

• Security Accountability in Third-Party Development

• Security Accountability in Third-Party Licensing

• Service Provider and Partner Security Issues

• Community and Fan Sites

• References

Chapter 27 -Money: Real Transactions, Real Risks

• Payment Processing

• Using PayPal

• Using Moneybookers

• Pre-Paid Cards/Game Codes

• Other Payment Methods

• Inside the Payment Process: PayPal

• Anti-Fraud

• Integration for Automation

• Payment Fraud

• References

Chapter 28 – More Money: Security, Technical, and Legal Issues

• PCI-DSS and Security

• Account Security, Virtual Items, and Real Money

• Money Laundering and Illegal Payments

• Money Laundering: Legal Issues

• References

Chapter 29 – Identity, Anonymity, and Privacy

• The State of Identity and Anonymity

• The Registration Problem and Identity Management Systems

• The Morris Trap

• Age Verification

• Usage Controls and Game Addiction

• Account Compromise, Identity Theft, and Privacy

• Legal Requirements for Privacy Protection

• Legal Requirements in the US

• Legal Requirements for the EU

• References

Chapter 30 – Protecting Kids from Pedophiles, Stalkers, Cyberbullies, and Marketeers

• Dealing with Cyberbullies, Pedophiles, and Stalkers

• Kids’ Communications, Parental Controls, and Monitoring

• COPPA

• Children and Identity

• Child Pornography

• References

Chapter 31 – Dancing with Gambling: Skill Games, Contests, Promotions, and Gambling Again

• What Is Gambling and What Is Not

• Accidental Casinos

• Skill Games

• Miscellaneous Security Issues

• Game Service Scams

• Poker, Contest, and Skill Game Bots

• Live Play

• Legal Considerations

• Federal Laws and Regulations

• State Laws and Regulations

• References

Chapter 32 – Denial of Service, Disasters, Reliability, Availability, and Architecture

• What Can Go Wrong, Will Go Wrong

• Denial of Service

• Scalability and Availability

• Sample Game Operations Architecture

• Disasters and Disaster Recovery

• Contingency Planning

• References

Chapter 33 – Scams and Law Enforcement

• Scams in Games

• Game Scams

• Law Enforcement

• Facilities Requirements: Potential Unexpected Laws and Regulations

• References

Chapter 34 – Operations, Incidents, and Incident Response

• Secure Operations

• Active Measures

• Incidents and Incident Response

• Public Relations and the Perception of Security

• References

Chapter 35 – Terrorists

• Virtual Terrorism

• Online Tools for the Modern Terrorist

• References

Part VI – Looking Back and Moving Forward: The Future of Game Protection

Chapter 36 – Practical Protection

• “We Have Met the Enemy and He Is Us”

• The Business of Game Protection

• Global Industry Challenges

• Security Beyond Technology

• Who’s the Boss?

• In Closing

• References

Appendix A – Selected Game Security Incidents

Appendix B – Glossary

I hope Protecting Games addresses your security problems. Drop me a note, if I missed something that is important to you.

 

Thanks!

 

Steve