Thursday, July 2. 2009
If you can't beat'em, play'em. In the world of Internet hype and public relations, nothing catches attention like a great headline.
Operator Offering $10,000 For Best Pokerbot Site
So, this guy puts out a (free) press release announcing a contest for the most pokerbot friendly poker site. His contest rules are simple:
PokerbotBasics.com is inviting all internet Texas-Hold’Em sites to compete in a contest for the most pokerbot-friendly site, meaning pokerbots are allowed to play freely at the same players that human players play at. Below are the current guidelines which may change by August 1st 20009.
· Sites submitted between August 1st and December 14th 2009 will be reviewed and voted on by PokerbotBasics.com registered users.
· The site with the most votes will be awarded $10,000 on December 15th, 2009.
To qualify a site must do the following:
· Allow players from the US, including pokerbots.
· Affiliate with PokerbotBasics.com.
· Have a Texas Hold’Em, $25 no limit category.
· Allow a player to register as a pokerbot and clearly identify that player at the table.
One nice to have:
· A $2-$5 Sit-And-Go (I’m working on a sit-and-go pokerbot).
So, you have to allow US players (which no one wants to admit, officially) and create an affiliate relationship with this site (which had better not be located in the US or he could be at risk for online gambling... and which gets the guy revenues).
... oh, and your site has to admit that bots are playing against people (a bit of a risk).
And he is doing Amazon affiliate book sales for books that could be construed as being about writing poker bots (C# and poker books).
It would be more fun if he proposed an "Open Poker API" so that pokerbots could standardize on a public interface to connect to poker servers.
Actually, an even more entertaining option would be for a poker site to run a "Poker Bot Detection" contest - given game play logs, determine which hands were played by people or bots... you might get some interesting security product designs.
Intriguingly, MMOs could do the same thing.
The Great MMO Cheat Detection Contest
An MMO provides a series of game logs (say, 30 days' worth) that are anonymized to hide IP addresses and account information and challenges security developers to detect any bots or cheats or gold farmers that are hidden in the log (with suitable information provided on the information being collected).
The winner gets $10,000 and a contract to develop additional security tools for the game company, or some such.
It could be interesting and is certainly a cheap way to vet a bunch of security solutions. Also, the game company would be able to model the business benefit of the different tools vs. their existing analytic capabilities.
Wednesday, July 1. 2009
Remember the movie "The Sting"? (Spoiler Alert) Robert Redford and Paul Newman wind up running a racing scam based on the idea of late bets.
Welcome to the 21st century variant.
One of the hottest areas in sports wagering now is "in-game" betting. Punters essentially make "proposition bets" on activities that happen during the game rather than its outcome.
These bets can be on virtually anything that can happen during a game.
There are a couple of problems with these types of bets. The first is that, because they are on small, specific game events, they are more vulnerable to manipulation by corrupted players or officials. The second is that the wagering pool is smaller, so there are options to directly manipulate payouts.
The final fun problem is that the frenetic level of wagering makes even small "time lag" information valuable for a crooked wagerer.
Which is what seems to be happening in football (soccer) and cricket.
Crooks hire audience members to report back key events immediately so that they can make bets (usually via cell phone). Since regular television is often delayed for any number of reasons (commercials, screening for obscenity filtering, etc.), this interval allows the crooked players to make sure bets on the outcome of events that they already know.
The technique of in-game betting emerged in cricket. A gambling insider, who did not want to be named, said: “For in-game betting to work, a bookmaker needs information on what is happening in the game as quickly as possible and will have people at the game or watching television whose job it is to provide information from the games.
“As soon as an incident happens — such as who scores the first goal — the betting company receives the information and suspends betting on that particular incident until it is clear whether the bet is closed or can be reopened. But if someone can get information from the game to a gambling syndicate before the bookie gets his information, they can beat the bookie.”
There is nothing like wagering on a sure thing.
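The bookmaker's side of this can be checked from its own records. The following is an added example, not code from the article or from any betting operator: given the time each incident happened at the venue (established after the fact) and the time the market was actually suspended, it pulls out the bets accepted in between and flags accounts whose in-window bets always back the already-decided outcome. The record fields, account names and sample data are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Incident:
    market: str          # constructed market id, e.g. "m1:first_goal"
    occurred: datetime   # when it happened at the venue (known after the fact)
    suspended: datetime  # when the bookmaker's own feed suspended the market
    outcome: str


@dataclass(frozen=True)
class Bet:
    account: str
    market: str
    placed: datetime
    selection: str
    stake: float


def exposure_window_bets(incidents, bets):
    """Yield (bet, incident) for bets accepted after the incident but before suspension."""
    by_market = {i.market: i for i in incidents}
    for bet in bets:
        inc = by_market.get(bet.market)
        if inc and inc.occurred <= bet.placed < inc.suspended:
            yield bet, inc


def flag_accounts(incidents, bets, min_hits=2):
    """Accounts whose in-window bets repeatedly, and only, back the decided outcome."""
    stats = defaultdict(lambda: {"in_window": 0, "wins": 0, "stake": 0.0})
    for bet, inc in exposure_window_bets(incidents, bets):
        s = stats[bet.account]
        s["in_window"] += 1
        s["stake"] += bet.stake
        if bet.selection == inc.outcome:
            s["wins"] += 1
    # One lucky in-window bet is noise; a perfect record across several is not.
    return {acct: s for acct, s in stats.items()
            if s["wins"] >= min_hits and s["wins"] == s["in_window"]}


# --- constructed sample data -------------------------------------------------
T0 = datetime(2009, 6, 1, 15, 0, 0)


def t(seconds):
    return T0 + timedelta(seconds=seconds)


INCIDENTS = [
    Incident("m1:first_goal", t(600), t(607), "home"),
    Incident("m2:first_goal", t(1200), t(1205), "away"),
    Incident("m3:next_wicket", t(1800), t(1806), "bowled"),
]
BETS = [
    Bet("acct-A", "m1:first_goal", t(603), "home", 500.0),
    Bet("acct-A", "m2:first_goal", t(1202), "away", 500.0),
    Bet("acct-A", "m3:next_wicket", t(1803), "bowled", 400.0),
    Bet("acct-B", "m1:first_goal", t(300), "home", 20.0),    # before the goal
    Bet("acct-B", "m2:first_goal", t(1203), "home", 20.0),   # in window, wrong side
    Bet("acct-C", "m1:first_goal", t(605), "home", 10.0),    # in window, single hit
    Bet("acct-C", "m3:next_wicket", t(1700), "caught", 10.0),
]

if __name__ == "__main__":
    for acct, s in flag_accounts(INCIDENTS, BETS).items():
        print(acct, s)
```

The gap between `occurred` and `suspended` is the exposure the insider quoted above describes; measuring it per market also shows where the bookmaker's own feed is slowest.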
S. Bird (2009), "Syndicates use 'in-game betting' fraud to exploit time difference", http://www.timesonline.co.uk/tol/news/uk/crime/article6323038.ece
Tuesday, June 30. 2009
The web is abuzz. The Chinese Government has banned gold farming.
Well, perhaps not.
The Chinese government has been very concerned about virtual currencies as a threat to its real currency because of the rise of QQ-coins / Q-coins in Tencent's QQ service (a topic I covered back in late 2006). If you read the actual news from the government, the focus is on QQ-coins.
Cui Ran, an expert on the Chinese online industry, said the regulation aimed to "nip illegal online activities in the bud," as current trading volume was still too small to shake the nation's entire financial system.
It's not gold farming, it's a threat to the Yuan. The regulation does not even cover virtual items, only virtual currency:
...includes prepaid game cards, game currencies and game points, while tools and weapons used to play games online are not included.
There are two other concerns that the Chinese government seems to be addressing with this rule - gambling (using virtual currency and then converting it to real currency) and protecting children from "inappropriate content".
While most of the Western coverage has been entranced by gold farming, Juliet Ye of the Wall Street Journal seems to have picked up the real story (outside of Chinese sources).
The regulations also solidify some issues that are of concern to US customers of online games as well:
- If the service is shut off, customers are entitled to a refund of unused currency.
- "virtual currency should be exchanged only for virtual goods and services provided by the issuer of the currency" (this would cause problems for a lot of the third party currency folks here in the US and elsewhere)
- Companies already involved in virtual currency trading are required to register with the local cultural affairs bureau within three months.
- Minors may not buy virtual money. THIS IS POTENTIALLY HUGE. If enforced, this would essentially shut down most MMOs that use the Free-to-Play business model.
The gambling issue is very important. Even "virtual lotteries" are being affected. Giant Interactive, operator of ZT Online, is shutting down its "box opening" game (where players buy treasure boxes that yield random virtual prizes). Interestingly, this would not be considered gambling in the US (and elsewhere) since there is no "real" prize (I don't think - Lawyers?).
As one would expect, everyone in the industry is very positive about the new regulations.
The real question is whether these new regulations would be enforced. Gambling games for virtual currency have become very popular in Chinese casual game services (including Tencent's QQ service). The "open the box" game has been a cornerstone of ZT Online's success and has been copied by many other online game companies both inside and outside of China.
Locking out minors from buying virtual currency could be devastating (and was mentioned only in one line of the statement from the Ministry of Commerce). If it is enforced as "effectively" as the age restrictions for games, I don't think it will be a problem, but if enforced vigorously, it would all but eliminate the "free-to-play" business model in what is probably the world's largest online gaming market.
China's government is quite concerned about the power of QQ-coins and any threat to its currency both as a currency and as a vehicle for money laundering. At the same time, they are legitimizing these currencies somewhat by strengthening their "real" value (in this regulation and in other rules that restrict the ability of game companies to freely ban accounts as well as several legal cases that have returned accounts to aggrieved players).
What next?
While "victory" will be declared, I do not think that the restrictions on minors will stand. This will be seen by the continued growth of the "Free-to-Play" model in China.
The game companies have always been officially against the use of their currency as real money, but have been very tolerant of it (and even encouraged players through promoting gambling games and such). These types of "obvious" gambling games are likely to go away and may really hurt the finances of companies like Tencent and Giant Interactive (as well as Sohu and others with casual game portals which are full of casino-style games). "Hardcore" game companies that have stuck with traditional revenue strategies will continue with little impact.
I would not be surprised to see many of these companies aggressively take these business models overseas where the definition of "virtual property" has not been well-defined. Especially in major developing nations like Brazil and Eastern European countries (Russia could be an interesting case as they've just officially banned gambling).
As to gold farming, any developing country loves foreign currency. Don't expect any real action on this issue anywhere anytime soon. This is "entertainment outsourcing" and is almost exclusively the concern of game publishers, not their host governments.
Don't hold your breath.
"China bars use of virtual money for trading in real goods", http://english.mofcom.gov.cn/aarticle/newsrelease/commonnews/200906/20090606364208.html
"China bars use of virtual money for trading in real goods", http://news.xinhuanet.com/english/2009-06/27/content_11610478.htm
J. Ye (2009), "China Cracks Down on Virtual Currency, For Real", http://blogs.wsj.com/chinajournal/2009/06/29/china-cracks-down-on-virtual-currency-for-real/
T. Claburn (2009), "China Bans Gold Farming", http://www.informationweek.com/news/internet/ebusiness/showArticle.jhtml?articleID=218101859
"Giant Closes "ZT" Draw Citing Regs", http://www.jlmpacificepoch.com/newsstories?id=151322_0_5_0_M
S. Davis (2006), "Q Coins and Yuan - A Real Collision of the Virtual World with Real Life through Virtual Currency", http://www.playnoevil.com/serendipity/index.php?/archives/1044-Q-Coins-and-Yuan-A-Real-Collision-of-the-Virtual-World-with-Real-Life-through-Virtual-Currency.html
K. Brice (2009), "Chinese government bans gold farming", http://www.gamesindustry.biz/articles/chinese-government-bans-gold-farming
Monday, June 29. 2009
Up 4 flights of stairs, skipping Napoleon and World Wars 1 and 2, you enter a long, darkened hall, air conditioned, quiet, and almost empty. To your left and right are huge illuminated tables surrounded by glass, protecting massive maps of cities and forts.
Welcome to the Museum of Relief Maps / Musée des Plans-Reliefs at the Hôtel des Invalides - The Army Museum in Paris.
I'd heard of this museum, for some strange reason, and its relationship to the great French general / engineer Vauban, but it is not a place that you are likely to go with your family.
After teaching Game Security at the Paris Master Classes, I had a couple of days in Paris. So, on Saturday morning, I walked from my hotel first to the Rodin Museum and then on to the Hôtel des Invalides, best known for housing Napoleon's Tomb.
Hôtel des Invalides is massive. First I spent several hours going through their collection of arms and armor from the medieval period up through the eighteenth century.
I have never seen so many swords, guns, and sets of armor (and artillery). At some point, it becomes a blur.
It is definitely worthwhile if you are into such things; you get a crash course in French (military) history (of which I am sadly ignorant).
Then, on to the next museum on-site covering the period from Cardinal Richelieu and the Three Musketeers through Napoleon. This is fairly interesting if you're at all familiar with the period, though there is not nearly the vast amount of material as in the earlier period.
... are we there yet? No.
On to World War 1. This is a very impressive exhibit. It actually starts with the Franco-Prussian War in 1871 and covers French colonialism before taking you through The Great War. We don't talk about WW I in the US nearly as much as WW II. For France especially (and other European countries), it was horrific on a scale beyond the Second World War in terms of lives lost and setting up what followed. There is a lot of attention to the causes of the war and its progress (as the entire Western Front was fought on French territory, this is unsurprising).
Well worth the time.
From World War I, you walk right on into World War II, which is rather apt. The view of WW II from the French perspective is much more interesting and complex than for other countries. The occupation, Vichy government, and rise of de Gaulle are all covered in detail, but the involvement of England and Russia is not neglected.
There is a separate museum dedicated to "The Order of The Liberation", by the way, and also a new, multi-media museum about Charles de Gaulle... which was a bit too high-tech for its own good, from my view (though I didn't spend too much time there).
One would think I was all "museum-ed out" after all of this, but I REALLY WANTED TO GO TO THE MAP MUSEUM!
There are signs for it, but they aren't really inviting... arrows pointing to the Museum of maps and fortifications along with the special collection library...
There is nothing like being associated with a special library collection to turn off most visitors.
The museum is housed in the same building as the Napoleonic material. Instead of hiking up two flights of stairs, it is four.
... and you find an entrance for the museum to your left and book store to the right.
Go to the bookstore first.
Not for any guide material, unfortunately; nothing has been translated into English except for a couple of blurbs and a tiny paper foldout.
Behind the bookstore is a separate exhibit that explains the history of the maps - both how they are made and why they were made.
The maps were created to give the French king and his generals a clear, up-to-date view of the borders of the nation in 1/600 scale. These maps were maintained and updated over hundreds of years. They were used to identify the best way to defend a siege, improve fortifications, as well as attack the cities or forts if necessary. France had enemies on every border and developed a deep system of fortified towns and forts to protect itself from its adversaries.
It was the French Strategic Defense Initiative for the Age of Artillery.
The maps were maintained until the 19th century when modern, rifled artillery basically made large scale fortifications and defenses of this sort obsolete.
So, on to the maps.
It is almost like a high tech command center. As I said earlier, it is entirely dark and cool to protect the maps and each map is in a separate glass case with supporting pictures of what the forts and sites look like today and some text in French that no doubt provides critical information.
There are quite a large number of maps with sample forts on France's various borders.
Well worth checking out.
I wasn't done with the Hôtel des Invalides... I went to the church on site and wrapped up by visiting Napoleon's tomb. I'd visited it when I was last in Paris (a long time ago), but I hadn't really noticed Marshal Foch's tomb which is one of the monuments surrounding Napoleon's tomb. It is quite touching, especially after the World War 1 museum.
After all of this, I'd had enough museums. I walked to the Eiffel Tower (way, way too crowded) and then back to my hotel.
Friday, June 26. 2009
How much does your state attorney general think your credit card information is worth?
About 10 cents. (10.4 cents to be precise)
That is what TJX is going to pay in a settlement with 41 states for the compromise of information on 94 million credit card and debit card accounts: $9.75 million.
Not even enough to pay for postage to tell those people their data has been disclosed.
Less than the average of $6 per account that a criminal could get for the stolen identity information.
Pathetic.
"This settlement ensures that companies cannot write off risk of a data breach as a cost of doing business," Massachusetts Attorney General Martha Coakley, whose office took the lead on the investigation, said in a statement on Tuesday. "In addition to the monetary relief, this agreement requires TJX to implement and maintain a substantial data security program to ensure that this kind of data breach does not happen again."
Disgusting.
"TJX firmly believes that it did not violate any consumer protection or data security laws," the statement said. "The decision to enter into this settlement reflects TJX's desire to concentrate on its core business without distraction and to promote cybersecurity measures that will benefit all consumers."
If the consequences of disclosing personal data are so low, there is little reason for a company to institute a real security program.
There need to be laws with real teeth to protect customer sensitive data. If a company faced fines of $100 per breach... they would perform real diligence.
Oh, and how much would the compromise of a person's identity cost that individual?
In 2007, it was estimated at $31,356 median, the average was $5,720.
$31K (You) vs. $6 (Crooks) vs. $0.104 (the government and TJX)
WONDERFUL, Thanks government, thanks TJX.
D. Kaplan (2009), "TJX settles over breach with 41 states for $9.75 million", http://www.scmagazineus.com/TJX-settles-over-breach-with-41-states-for-975-million/article/138930/?DCMP=EMC-SCUS_Newswire
PlayNoEvil (2007), "World of Warcraft Real Money Transaction (RMT) Crime - UPDATED", http://www.playnoevil.com/serendipity/index.php?/archives/1211-World-of-Warcraft-Real-Money-Transaction-RMT-Crime-UPDATED.html
T. Claburn (2007), "Identity Theft: Costs More, Tech Less", http://www.informationweek.com/news/internet/showArticle.jhtml?articleID=202600312
Hong Kong officials shut down and seized a set of servers after being tipped off that an unnamed online game was being operated illegally in the country. The site included 7 servers and 5 additional computers, and a 34-year-old man was arrested for copyright infringement.
The site attempted to make prosecution more difficult by locating its servers in Hong Kong but having its domain registered in the US.
The site had been operational for 7 months and had 30,000 registered players. It appears that the game used a free-to-play business model with prices much lower than for the legitimate game.
Private servers/pirate servers are an increasingly important problem with the globalization of online gaming. Criminals can locate their computers virtually anywhere and make their pursuit and prosecution much more difficult.
The choice of Hong Kong was probably not wise as China and Hong Kong are growing hubs of the online game industry and, as such, are concerned with protecting the integrity of the industry more than other countries.
Any tips as to which game this is would be welcome. I would guess it is a Korean MMO.
Liu D. (2009), "HK Detects 1st Case of Infringing Online Game Servers", http://english.cri.cn/6909/2009/06/25/1781s496631.htm
Thursday, June 25. 2009
Rob Fahey of GamesIndustry.biz has written an awesome editorial on the importance of Social Games... and about the immaturity of our (the game industry's) understanding of these games. Go read it.
The article is particularly timely as everyone seems to be completely obsessed with iPhone games and downloads for consoles.
Last year's fascination with Facebook seems to have disappeared.
Which is odd.
Quite odd as Facebook games are pretty well proven and the company exerts little control over game developers (much less than for the iPhone and radically less than anything that can be placed on a console).
If anything, the biggest concern with Facebook games is that Facebook itself doesn't make a whole lot of money out of games (it really needs to offer more services, or acquire companies who offer services, that are used by Facebook game companies, such as virtual currencies, ad tools, etc.), but at least Facebook does seem to have a business model that can sustain the company.
Bigger market, lower barrier to entry, multiple business models... Facebook would seem to have the edge across the board.
R. Fahey (2009), "Social Animals", http://www.gamesindustry.biz/articles/social-animals_9
IEEE's May/June 2009 issue has a series of articles on game security... Unfortunately, most of the articles need to be purchased, but it also looks like virtually all of the material is available elsewhere (and I don't think a lot of it is new).
I'm not certain that the articles offer much for practitioners in the industry... the abstracts don't look very promising.
Wednesday, June 24. 2009
Competition is a big part of games... unfortunately, no one likes to lose. When you are playing face-to-face, you're stuck taking your lumps, but online...
Just pull the plug.
Apparently, this is just what players are doing in THQ's otherwise well-received mixed martial arts fighting game UFC 2009. When they are down, players are simply disconnecting from the game to avoid a true defeat.
This is a serious, troubling problem in online competitive games and has to be managed through the leaderboards, ranking systems, and other "external games" outside of the game itself.
... it is particularly troubling because it can happen by accident due to computer or network or power outages as well as by player action.
One new idea that occurs to me is for players to list a series of times that they will be available to play BEFORE they enter any competition. The matchmaking service looks for multiple time matches and, if the game is later abandoned, the player had better be able to make at least one of the "rematch" times or they are fully penalized with the loss (unless the players come to a mutual agreement to rematch).
The "Tournament Problem" is a major issue and I cover it at some length in Chapter 20 - Competition, Tournaments, Ranking Systems (And Their Abuse) of my book Protecting Games.
A. Chalk (2009), "UFC 2009 "Disconnect Cheat" Patch on the Way", http://www.escapistmagazine.com/news/view/92345-UFC-2009-Disconnect-Cheat-Patch-on-the-Way
UFC 2009 Undisputed (2009), "A Patch is in the Works", http://community.ufcundisputed.com/blog-post/patch-works
Tuesday, June 23. 2009
"Exploits" exist in most computer games. The high level of complexity in the games and the size of the game worlds make unintended game behaviors virtually inevitable.
In short, games are large, complex systems and problems are going to occur.
Most large software system developers use extensive logging during the testing and operations process to test (during development) and repair (during operations). The lack of software development maturity in segments of the game industry (with excuses including performance concerns, getting deployed quickly, etc.) has deprived many games of this most basic debugging tool... and at the same time unleashed endless exploits, gold farming, griefing, and other problems.
The job of the poor stuckee for security on a lot of games would be a whole lot easier if developers bothered to implement decent logging.
Turbine's Asheron's Call has apparently learned this lesson. An exploit was discovered which allowed players to get a high value item very easily (and repeatedly every 15 minutes). Oops.
Once discovered, the exploit was shut down and the players who took advantage of the bug were given 7-day suspensions.
While it is unclear if good logging and monitoring helped identify the exploit or fix it (which a good monitoring and analysis process should have done), extensive logging did allow Turbine to recover the game and take action against players who knowingly exploited the bug (we'll save the ban/suspension argument and who is responsible for exploits for another day).
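What "decent logging" buys you here, as an added example (not Turbine's tooling): if every item grant is logged with account, item and source, a sliding-window count over the log surfaces accounts receiving a watched item far more often than intended, and the excess grants double as the rollback list. The log format, item name, quest id and thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Assumed log format: "<UTC timestamp> GRANT acct=<id> item=<name> src=<source>"
LINE = re.compile(
    r"^(?P<ts>\S+) GRANT acct=(?P<acct>\S+) item=(?P<item>\S+) src=(?P<src>\S+)$")


def parse(lines):
    """Yield (timestamp, acct, item, src) for GRANT records; skip everything else."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["acct"], m["item"], m["src"]


def repeated_grants(lines, watched_items, window=timedelta(hours=24),
                    max_per_window=1):
    """Report (acct, item, src) keys that exceed max_per_window grants in any window.

    Each report holds all grant times, the excess grants (rollback candidates)
    and the median gap in minutes, which exposes a fixed farming cadence.
    """
    grants = defaultdict(list)
    for ts, acct, item, src in parse(lines):
        if item in watched_items:
            grants[(acct, item, src)].append(ts)

    report = {}
    for key, stamps in grants.items():
        stamps.sort()
        excess, start = [], 0
        for i, ts in enumerate(stamps):
            # Slide the window start forward until it is within `window` of ts.
            while ts - stamps[start] >= window:
                start += 1
            if i - start + 1 > max_per_window:
                excess.append(ts)
        if excess:
            gaps = [(b - a).total_seconds() / 60
                    for a, b in zip(stamps, stamps[1:])]
            report[key] = {"grants": stamps, "excess": excess,
                           "median_gap_min": median(gaps)}
    return report


# Constructed sample log: account 1001 repeats the grant roughly every 15 minutes.
SAMPLE_LOG = """\
2009-06-17T09:00:00Z GRANT acct=1003 item=high_value_item src=quest:Q_PLACEHOLDER
2009-06-20T09:00:00Z GRANT acct=1003 item=high_value_item src=quest:Q_PLACEHOLDER
2009-06-20T10:00:00Z GRANT acct=1001 item=high_value_item src=quest:Q_PLACEHOLDER
2009-06-20T10:05:00Z LOGIN acct=1002
2009-06-20T10:15:00Z GRANT acct=1001 item=high_value_item src=quest:Q_PLACEHOLDER
2009-06-20T10:20:00Z GRANT acct=1001 item=common_item src=loot:mob
2009-06-20T10:30:00Z GRANT acct=1001 item=high_value_item src=quest:Q_PLACEHOLDER
2009-06-20T10:46:00Z GRANT acct=1001 item=high_value_item src=quest:Q_PLACEHOLDER
2009-06-20T11:00:00Z GRANT acct=1002 item=high_value_item src=quest:Q_PLACEHOLDER
""".splitlines()

if __name__ == "__main__":
    for key, info in repeated_grants(SAMPLE_LOG, {"high_value_item"}).items():
        print(key, len(info["excess"]), "excess grants,",
              info["median_gap_min"], "min median gap")
```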
Roberto (2009), "Asheron's Call: Exploiting Not a "Good Idea"", http://www.warcry.com/news/view/91740-Asherons-Call-Exploiting-Not-a-Good-Idea
Frelorn (2009), "Important Information regarding recent MFK Exploit", http://forums.ac.turbine.com/showthread.php?t=42472