Monday, February 8. 2010
The FBI is pushing ISPs to retain customer logs which would provide investigators with a list of all the sites that a customer has visited for a period of 2 years.
This is not really new (a bit surprisingly). Since at least 1986, phone companies have been required by regulation to retain customer call logs for 18 months.
Most cybercrime investigators support this initiative.
A lot of the information that is sought is not difficult to retain - source and destination IP addresses can easily be logged.
One piece of information that is a candidate for collection is the actual URL that a customer is visiting - something that would require deeper packet inspection than is easily done.
The data would require a subpoena to be retrieved... however, given the permissive access that has been given to cell phone and location information, it would not be surprising that this capability could be abused.
Of course, if law enforcement requires this data to be stored, it would not be surprising if other entities involved in a lawsuit were to subpoena such information... LAWYERS????
D. McCullagh (2010), "FBI wants records kept of Web sites visited", http://news.cnet.com/8301-13578_3-10448060-38.html
via
"FBI Pushing For 2-Year Retention of Web Traffic Logs", http://yro.slashdot.org/story/10/02/05/2015205/FBI-Pushing-For-2-Year-Retention-of-Web-Traffic-Logs
Friday, February 5. 2010
Stick with the PC, Indie! Xbox Live Arcade has seemingly joined the iPhone as yet another platform where indie developers cannot make money. Indies can thrive on Facebook, do pretty well with Flash, Unity, or old fashioned self-publishing.. but proprietary platforms just don't seem to be in the cards.
GamerBytes has an excellent analysis of indie sales on Xbox Live Arcade (XBLA) and the top indie game earned $129,500.
Not very impressive. At least the top indie iPhone game developer has earned a fair chunk of change.
R. Langley (2010), "XBLA: In-Depth: Xbox Live Indie Games Sales For 2009, Plus Some Perspective", http://www.gamerbytes.com/2010/01/indepth_xbox_live_indie_games.php
Thursday, February 4. 2010
PlayNoEvil has just crossed 2500 blog entries since I started writing in the Fall of 2004.
Thank you all for reading. I'm looking forward to more comments and support in the years ahead.
I need a nap.
Don't like one form of DRM? Why not choose another.
There is much wailing and gnashing of teeth about onerous digital rights management (DRM) systems. Electronic Arts (EA) has taken an interesting approach with its new game, Battlefield: Bad Company 2. Instead of giving players just one DRM option, the company gives 2 - either always use your disk as a key or authenticate online once and only once (digital downloads don't have a disk, so they don't have the disk option).
This gives an option for players who have difficulty with Internet access (notebooks, and those behind firewalls - a common problem in the military).
Technically, a game company could give more options - email, a fax, or toll call to activate the game's license.
The more ways to activate, the better for your customers.
Otherwise, the service is pretty generous - allowing players to install the game on up to 11 machines at one time.
It's an interesting approach and pretty clearly aimed at focusing its efforts on serious torrent-type pirates, rather than casual ones.
One suggestion: if the game supports multi-player, don't allow a player to "play with himself" so that friends will be encouraged to buy legitimate copies rather than simply share one.
Of course, this approach only works if the DRM system itself is effective. If not, it seems hardly worth the trouble.
S. Ridgeley (2010), "Battlefield: Bad Company 2 DRM is revolutionary, sensible", http://www.neoseeker.com/news/13005-battlefield-bad-company-2-drm-is-revolutionary-sensible/
Wednesday, February 3. 2010
Verified by Visa and MasterCard SecureCode are based on a system called 3D Secure which, in short, generates a one-time credit card number for a specific transaction after you enter your authentication information at Visa or MasterCard.
So far, so good.
Except.
In everyone's zeal to make the system easy to use, they chose to embed the login at the host/merchant site... a little block of HTML, just like a web ad.
Which causes the problem.
A hacker who wants to phish for user authentication information simply creates a fake merchant page (or hacks a merchant site) and places a unVerified by Visa block on the page... which intercepts the username/password data and, if done properly, still completes the transaction.
... and the crook goes rolling along.
If the page was a simple link instead of an embedded code block, a customer could look at the page URL and find that it has nothing to do with Visa or MasterCard, but is a scam.
There has been no change to either service in response to these attacks... there are probably lower hanging fruit for crooks.
There are more secure systems, but they are more complicated and so won't increase transaction volume as easily as these services. Since merchants tend to pick up most of the costs of fraud, there is little incentive for the credit card industry to do anything about fraud... businesses & consumers pay while the credit card industry watches the profitable transactions pile up.
J. Kirk (2010), "3D Secure online payment system not secure, researchers say", http://www.pcworld.idg.com.au/article/334105
Tuesday, February 2. 2010
NCSoft's Aion was targeted for attack in January. Late last year, NCSoft's Guild Wars was targeted, and now AionSource was attacked and, apparently, its user data was used to send phishing scams.
Third party fan sites can provide an easier way to target MMO players when the publisher's/operator's own site is too hard to attack.
After all, a fan site is a handy mailing list to use to find gamers of interest.
Great fun for game developers - not only do you have to worry about your own site and your own customers, now you get to worry about other sites.
S. Brennan (2010), "AionSource.com compromised, e-mails possibly leaked to hackers", http://www.massively.com/2010/01/29/aionsource-com-compromised-e-mails-possibly-leaked-to-hackers/
Monday, February 1. 2010
CCP Games is sponsoring a wonderful promotion where players can convert Eve Online's PLEX currency into a donation to help Haiti. What is particularly interesting about this is that PLEX can be purchased either with real money or with the game's virtual ISK currency earned by playing, running missions, mining, or in-game schemes.
While other games have given players a chance to purchase virtual items and also make a donation to a cause, this is the first case that I know of that a player can give without a purchase.
J. Egan (2010), "CCP Games 'PLEX Aid for Haiti' initiative to help Red Cross relief efforts", http://www.massively.com/2010/01/29/ccp-games-plex-aid-for-haiti-initiative-to-help-red-cross-reli/#continued
Friday, January 29. 2010
A Perfect Game... it's a rare thing in professional baseball. It's been done 18 times since 1880... in the pros.
2K Sports has decided to turn a Perfect Game into a big promotion for its professional baseball game, MLB 2K10.
Get the first perfect game, win $1,000,000.
An exciting promotion - $1 Million is sure to sell some boxes, but it leads to some interesting questions:
1. As Bill Harris of Dubious Quality notes, there are around 2500 games a year, 25,000 games a decade... not too many games...and, to grossly simplify, in the last (2010 -1880 = 130 years) there has been at least 1 perfect game per decade amongst real professional baseball games. How long will it take to get 25,000 MLB 2K10 games played?
If the game is rigged, there is a problem with fraud, if not, 2K Games had better have that truck o'loot handy.
2. Is this a game of skill or illegal lottery? What about jurisdiction? Contests and promotions have widely varying laws between different states (It looks like the game is banned where skill games for money are totally banned).
3. Oh and then there's CHEATING. Not that anyone would consider CHEATING the game to win $1 Million. At least it is on the Xbox 360 and the PS3, but there are some exploits that might be of interest on both platforms... especially combined with problems other games have had (see the recent stories about Modern Warfare 2, among others).
This should certainly sell some more games and give MLB 2K10 more visibility. It will be interesting to see what happens next.
It would seem to make more sense to have players enter a tournament (or achieve some milestone) to be entered into a tournament where a $1 Million prize can be won as there would be more extended publicity and interest (state by state contests, etc.).
(Thanks for the lead BD)
D. Terdiman (2010), "$1 million for first perfecto in MLB 2K10", http://news.cnet.com/8301-13772_3-10443496-52.html
B. Harris (2010), "Gaming Notes", http://dubiousquality.blogspot.com/2010/01/gaming-notes_28.html
"2K Sports to Award One Million Dollars to First Person to Throw a Perfect Game in Major League Baseball® 2K10", http://2ksports.com/news/mlb2k10/377
Thursday, January 28. 2010
Bots are a hard problem. How do you distinguish a person from a program playing your game?
Jagex's Runescape uses mini-games to detect bots.
Runescape is one of the older, and more successful MMOs. As seen in the recent, well-written review at MMORPG.com, Jagex has added a number of features that any game developer should consider in its MMO design.
One of the questions I've regularly been asked as a game security problem is "How do you detect bots in a game?" I've found this question particularly amusing as a good game design should inherently "detect bots" as our choices are one of the things that clearly indicate that we are human... a game that is repetitive to play or playable "away from the keyboard" is very likely a magnet for bots.
Runescape changes up typical MMO play with mandatory mini-games that help detect bots:
As any Runescape player can tell you, "Random Events" are an ingenious and infuriating solution to Macroing (players using a third-party program to complete their tedious tasks for them). It is almost guaranteed that the most inopportune moment will provide you with a chance to prove you are a human, and not a machine, at play; choosing a sandwich from the nice lady, correcting graves for a grave digger, or completing the maze gives the added benefit of a choice item you probably didn't need, or a minor experience reward.
While no player likes to be distracted from their goal, I will grant Jagex credit for their rather unique and often humorous means of thwarting cheaters. Offering an in-game event is a generous incentive which allows players to be involved with, and rewarded by, this worthy objective.
While such systems are not perfect, they do limit the ability of botters to totally automate game play and their frequency can be set to balance inconvenience with bot detection.
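A rough model of that frequency trade-off, as an added example that is not from the original post or from Jagex. It assumes challenges arrive as a Poisson process, each one is failed independently, and an account is flagged after a set number of failures in a session; every rate and probability below is a constructed value.

```python
import math

def p_flagged(rate_per_hour, hours, p_fail, failures_to_flag):
    """Probability an account is flagged within `hours` of play.

    Assumed model: challenges are a Poisson process and each is failed
    independently with probability p_fail, so the number of failures is
    Poisson with mean lam. Flagging needs at least `failures_to_flag`.
    """
    lam = rate_per_hour * hours * p_fail
    below = sum(math.exp(-lam) * lam ** i / math.factorial(i)
                for i in range(failures_to_flag))
    return 1.0 - below

def tradeoff(rates, hours=4.0, bot_fail=0.95, human_fail=0.02, k=3):
    """For each challenge rate: player interruptions vs. detection.

    bot_fail / human_fail are constructed per-challenge failure
    probabilities (a human sometimes misclicks or steps away).
    """
    return [{
        "rate": r,
        "interruptions": r * hours,                        # cost to players
        "bot_caught": p_flagged(r, hours, bot_fail, k),    # benefit
        "human_flagged": p_flagged(r, hours, human_fail, k),  # false positives
    } for r in rates]

def lowest_rate_meeting(rates, min_bot_caught, max_human_flagged, **kw):
    """Least intrusive rate that meets both targets, or None if none does."""
    for row in tradeoff(sorted(rates), **kw):
        if (row["bot_caught"] >= min_bot_caught
                and row["human_flagged"] <= max_human_flagged):
            return row
    return None

if __name__ == "__main__":
    for row in tradeoff([0.5, 1, 2, 4]):
        print("{rate:>4}/h  {interruptions:>4.0f} interruptions  "
              "bot caught {bot_caught:.3f}  "
              "human flagged {human_flagged:.4f}".format(**row))
    print(lowest_rate_meeting([0.5, 1, 2, 4], 0.95, 0.001))
```

Raising the rate catches bots sooner but also raises both the interruptions and the chance of flagging a legitimate player, which is why the last function can return None when the two targets cannot be met together.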
Core game design can also help in the battle against bots - the less "grindy" a game is, the harder it is to macro or bot.
I discuss this and other tactics in my book Protecting Games.
"Runescape Re-Review", http://www.mmorpg.com/gamelist.cfm/game/37/view/reviews/load/108/
Wednesday, January 27. 2010
The average data breach cost companies $204 per customer record in 2009 and $6.75 million total according to an annual survey by the Ponemon Institute.
E. Messmer (2010), "Data breach costs top $200 per customer record", http://www.networkworld.com/news/2010/012510-data-breach-costs.html
via
"Data Breach Costs Top $200 Per Customer Record", http://it.slashdot.org/story/10/01/25/1651239/Data-Breach-Costs-Top-200-Per-Customer-Record