PlayNoEvil - Game Security, IT Security, and Secure Game Design Services

Where identity goes, trouble follows. Blizzard's Battle.Net has a new identity system, RealID, which is raising a number of security, privacy, and utility concerns as the company prepares to launch two of the most anticipated PC games in years - Starcraft II and Diablo III.

Blizzard's Battle.Net is one of the older(est?) gaming social networks built around some of the most popular PC games of the last decade: Warcraft III, Starcraft, and Diablo II. While I've not been made privy to the service's history, it seems to have grown up in a rather ad hoc fashion. With the impending launch of Starcraft II, Blizzard has redesigned the service and one of its key components is its new identity service - RealID.

Online identity is a tricky problem (I've written over 100 blog entries on the topic) and Jaime Skelton of MMORPG.com has written a great article discussing the issues with Blizzard's service.

The RealID service as currently implemented lacks many of the privacy controls that users have come to expect from a social network - it seems that friends cannot be grouped into different categories for privacy and that it is not possible to play somewhat anonymously (a tricky issue for an online service).

Email addresses are login IDs - a bad idea I've discussed before - and you are identified by your real name to your friends, even if you haven't given that information to them otherwise. While Blizzard has stated that "friends" should only be your "real" friends, the expectation of "friending" online acquaintances has become so accepted that Blizzard's implementation is bound to cause a fair amount of trouble.

There are also some COPPA and child protection issues raised by the service, even if it is not explicitly targeted at children (complying with COPPA is such a good, do-able business strategy, and a legal requirement, there is rarely a sensible reason for not implementing its features even if you don't target kids as customers).

There are a number of other privacy issues as well as security concerns that have been raised by RealID.

Identity services are a key customer service and a major customer service cost - their design and implementation requires careful engineering and thought.

J. Skelton (2010), "Player Perspectives: A Pain in the RealID", http://www.mmorpg.com/showFeature.cfm/loadFeature/4342/page/1

How are we going to solve online identity? Just stop by 7-11.

A number of years ago, I was involved in some discussions about age verification for online gambling. At that time, as with it is today, there are plenty of technology pushers around - trying to sell ID tokens, biometric systems, etc. etc. etc.

My answer was simpler - use convenience stores.

After all, these pervasive, local merchants are the gateway to adulthood.

They sell us alcohol, cigarettes, porn, and lottery tickets.

They are entrusted by the state to verify our identities and our ages.

It would seem New Hampshire has figured this out. The state is beginning to support online lottery games, but the sales are tied to the existing retail infrastructure as players need to go to a lottery retailer, buy a ticket with a unique number, and register online to play (and presumably reverse the process to cash out).

Simple and as secure as anything else anyone has proposed.

And only the beginning for online skill and gambling games.

Know anyone at 7-11?

"New lottery games: A small change", http://www.unionleader.com/article.aspx?headline=New+lottery+games%3A+A+small+change&articleId=0e853e6a-1924-40db-bb54-d78c944c7d79>

"State To Launch Online Gaming Website Next Week", http://www.wmur.com/news/24016014/detail.html

There's a Sumo scandal brewing in Japan. 65 wrestlers have admitted to gambling illegally on baseball. This is in the wake of recent assault and drug use accusations.

It kind of sounds like a US sport.

What is different is that sponsors are taking the accusation seriously. Nagatanien, a major sport sponsor, is canceling its sponsorship of the next major tournament and reviewing its entire involvement with Sumo, as are several other sponsoring firms.

There has been a growing wave of gambling problems tied to different sports. Ranging from the mostly benign (wagering on other sports - with the main concern being debt and involvement with "interesting" folk) to very serious accusations of match fixing and odds manipulation.

The global nature of sport and wagering is making this a problem both for legitimate wagering firms and for sports organizations.

N. Fujimura (2010), "Sumo Loses Biggest Sponsor Amid Gambling Scandal (Update1)", http://www.businessweek.com/news/2010-06-22/sumo-loses-biggest-sponsor-amid-gambling-scandal-update1-.html

The R4 cartridge, which allows regular SD cards to be used instead of Nintendo's proprietary cartridges, has been replaced by a new version that works with the Nintendo DSi. These cartridges are often used by pirates to download stolen games onto SD cards (used in cameras and cell phones) and then use them with the cartridge. There is an inherent "removable media" problem for console games that is very hard to stop.

It will be interesting to see what Nintendo does with its new 3DS cartridge to stop (or at least slow down) this problem.

"R4 SDHC Team Releases New v2.10T Card", http://www.prlog.org/10744119-r4-sdhc-team-releases-new-v210t-card.html

While I'm very pleased that my book, Protecting Games, is available on Amazon's Kindle, I did want to warn folk that it only works on the actual Kindle device, not on an iPad or other "Kindle application" platforms... at least so far.

I'll let you know if I hear anything further. I believe that this is a policy setting chosen by my publisher, not me.

Gambling is Easy, Skill is Hard. Proving that a game is a gambling game is pretty straightforward, but how do you prove that a game is NOT a gambling game, that it is a game of skill? This is an increasingly important question as traditional computer game companies, such as Virgin Gaming, try to take familiar computer games into the play for cash and prizes world and slot machine manufacturers look to skill games as a way to reach new audiences.

Such is the case with Pace-O-Matic's "Moxie Mania Empire Edition" game licensed by Moxie Metro in New York. The basic game is (perhaps) a skill game using a variant of Tic-Tac-Toe where a player finds the best cell to score of the 9 available. After a long and winding series of legal battles, the game was declared a gambling game because the court determined that the prize which could be won was determined by chance.

Thus, though the game would be considered to have a "positive expected value" for any skillful player, the prize amount was chance driven, thus the game was gambling.

To review, there are three elements to determine whether a game is a gambling game:

1. A payment or consideration to be able to play.
2. A prize or reward of actual value based on the game's outcome.
3. An element of chance in determining the game's outcome.

In this case, the chance solely drives the size of the prize, even with perfect play, thus, the game has an element of chance and is gambling.

It was an interesting move by Moxie Metro and Pace-O-Matic as perfect skill play will always have a positive outcome (so, no risk of losing funds), but the court ruled that this was not sufficient.

Solo skill games for money are, I think, at high legal risk for being determined a game of chance, or having no players, or losing money. In order to be popular, players need to think they can win (my "illusion of skill" argument), operators need to know that players aren't going to win (more than they spend), and all of this needs to be done with no element of chance to get into legal trouble.

VERY HARD, if not impossible from a game design perspective.

Conversely, I think the real potential is with multi-player games. Core mechanics such as Rock-Paper-Scissors, Battleship, checkers, etc. lend themselves to rapid play with no element of chance (RPS raises some problems for another day).

M. Webb (2010), "Court Ruling Says Moxie Mania Empire Edition Is Illegal", http://www.vendingtimes.com/ME2/dirmod.asp?sid=EB79A487112B48A296B38C81345C8C7F&nm=Vending+Features&type=Publishing&mod=Publications%3A%3AArticle&mid=8F3A7027421841978F18BE895F87F791&tier=4&id=90CB95AF28D8497A8B64067285D7171D

Moxie Metro web site, http://moxiemetro.com/index.php

Pace-O-Matic web site, http://www.paceomatic.com/index.html

Richard Branson has re-entered the game industry with a tournament game site, Virgin Gaming. The site is supposed to award $1 Million in prizes over the next 12 months and will use existing console games.

(If you've been to PlayNoEvil before, you'll know what's coming next)

First of all, I am a huge fan and fascinated by the potential of skill games as an online business. I think skill games and more advanced gambling games could be the drivers of a new industry.

However, you've got to design for the medium.

Without basic changes, I suspect Virgin Gaming will rapidly join the ranks of failed tournament services.

Pool of Players

Customers are key to a business and a tournament service relies on having many, many players so that the entry fees far outweigh the cost to operate and the prize pool. Most console games are HEAVILY SKILL driven. There are great players and then there are the rest of us. They know it. We know it. In pretty much any sports or FPS or other twitchy game, I know I've lost in the first couple of minutes. Ranking systems somewhat compensate for this, but as seen with Team Fortress 2 and most other online shooters, the best players dominate the game and everyone else quits.

The Illusion of Skill

A 'great' skill game is one where everyone thinks that they are above average. Poker has achieved this. The game is designed so that for virtually every hand there is a way to see to have won when you've lost. Poker is a study in brilliant player choice and information disclosure. The game is strategic, but simple and, because of chance,a player is likely to not go too long without a victory.

Game Duration / Game Sessions

A good tournament service needs to have lots of short game sessions so that players who've lost have a chance to re-enter the tournament or enter another event. If a game takes a long time to lose, players will abandon it rather than try again. Learning opportunities and feedback needs to be fast.

The Dark Side

While Virgin Gaming is using the Xbox Live and Playstation service, there is no strong identity in the system (both services now support pre-paid debit card players), so there is only a weak linkage between an account number and a person. Once a game is played for money, even if there was strong "account identity", there is very weak "player identity" - after all, I could bring in my "ringer" buddy to play on my behalf when real money is on the line.

... and then there is cheating (a problem even on console games).

... and then there is tournament abuse (manipulation of ranking and reputation systems).

... and, of course, the complicated legal issues for these games (skill games are not legal in all US states).

I discuss tournament and ranking abuse, cheating, and identity problems at some length in my book Protecting Games.



I'm looking forward to the day someone gets this right. It will be a true revolution in gaming.

"Virgin Gaming FairPlay Guarantee", http://virgingaming.com/fairplay.html?f=FTR_1F_001

O. Chiang (2010), "Richard Branson Launches Virgin Gaming, An Online Game Tournament Service", http://blogs.forbes.com/velocity/2010/06/15/richard-branson-launches-virgin-gaming-an-online-game-tournament-service/

Micro-transactions are everywhere. Just as games are moving to the micro-transaction / free-to-play business model, Game cheats are doing the same. Xpolder is selling Modern Warfare 2 game saves for 79p so that players can "get unstuck" during game play and, of course, achieve all those achievements and badges they want without bothering to earn them.

This is a solvable problem. Game companies could/should really look at the security and integrity of the game save process (it has been the source of many console game hacks).

B. Parfitt (2010), "Xploder selling MW2 game saves", http://www.mcvuk.com/news/39284/Xploder-selling-MW2-game-saves

Scammers, scammers, everywhere. So much to steal, so little. Time. I was reading an interesting article about scams in Yoville and one category caught my eye as it is similar to an old World of Warcraft scam.

In each scam, there is a high value item that is quite similar in name and appearance to a much more common item. Players use the game's in-game trading system to trade for items, and the scammer basically works the system to offer and sell the common item in place of the rare item.

A bit abstract?

So, in Yoville, there is a rare Animated Pool Table which is virtually visually identical to a Green Pool Table... except the Animated Pool Table sells for 60,000 of the game's coins and the Green Pool Table for 2,000.

Virtually every game has the same problem as virtual goods are represented as rather small images with associated names. Scammers will take advantage of this limited visual and name pool to create their scams. These scams are going to only become more common as virtual items sales in Free-to-Play games and other micro transaction funded environments become more popular.

So, in honor of high school English, we have the following:

Homicons - distinct virtual items with identical (or near identitcal) visual representations and names.

Synicons - distinct virtual items with identical (or near identical) visual representations and different names.

Polyicons - distinct virtual items with different visual representations and similar names.

Depending on the trading and gifting systems used in a game, these different virtual item "near misses" can be used to launch scams.

An additional aspect to these scams can be "near miss" accounts which use "non-ASCII" letters in user names to spoof transactions. English speakers are particularly vulnerable in that they will visually ignore umlauts and other marks used in other European alphabets when reading text. A scammer can hide his or her identity by using these characters in their account name or create an account that is similar to a legitimate account for an account sale scam.

So, for example:

PlåyNöEvil vs. PlayNoEvil using the Danish Alphabet

"[Security] Scams, Hacks, Threats, and Fixes", http://www.yoinsider.com/archives/5475

Unity is one of the more exciting game engines available as it is powerful, easy to develop for, and more 3D friendly than Adobe's Flash. It is possible to either create a game as a stand alone executable or load a game through the company's player, making the game a "no download" experience comparable to Flash.

According to a press release from Unity Technologies, the player has been downloaded 30 million times.

I haven't seen browser penetration numbers for the player yet (anyone?), but this is a pretty good metric.

The closest number I have is that Adobe's Flash program manager stated that Flash had 18 million successful installs per day (out of 33 million downloads per day) in 2008 (WOOF!).

"Unity Technologies Celebrates Five Years of Continual Leadership and Innovation in Making Cutting Edge Game Technology", http://finance.yahoo.com/news/Unity-Technologies-Celebrates-iw-3659955691.html?x=0&.v=1

E. Huang (2008), "Two! Four! Six! Eight! Numbers we appreciate!", http://blogs.adobe.com/emmy/archives/statistics/