PlayNoEvil - Game Security, IT Security, and Secure Game Design Services - Contact Us at ceo@secureplay.com

Just change your passwords.

Symantec found a server which appears to be a key part of a botnet which has harvested 44 million user names and passwords for online games:

World of Warcraft - 210.000
Aion - 60,000
PlayNC - 2 million (NCSoft's site-wide account)
Wayi Entertainment - 16 million

Symantec focused on an interesting feature of the botnet - it was used as an illicit cloud computing service to validate the quality of the stolen account information using a trojan program called Trojan.Loginck.

Ah, the Internet and its glorious features.

It was unclear how all of these identities were collected, probably via phishing or purchase.

Needless to say, this did represent a substantial dollar value in stolen accounts... millions and millions of dollars.

"44 Million Stolen Game Accounts Uncovered?", http://www.markeedragon.com/content.php/720-44-Million-Stolen-Game-Accounts-

E. Ward (2010), "44 Million Stolen Gaming Credentials Uncovered", http://www.symantec.com/connect/blogs/44-million-stolen-gaming-credentials-uncovered

ArenaNet has made another move against botters and other cheaters by banning 3700 accounts. Banning is pretty unambiguous for Guild Wars as revenues come only from the game's initial sale as their is no subscription... so no further revenue to lose.

Gold farmers are a target, of course, but Player vs. Player bots are a real issue as competition is a major part of the Guild Wars online experience.

Fighting bots is an interesting problem. Most games rely on signature-based schemes (looking for certain processes and programs, just as anti-virus applications work). I've been fiddling around with some alternate approaches that battle bots more generically... a topic for another day.

ArenaNet has joined the tradition of "fun" deaths for bots:



The text of the notice to players:

This is an important day for Guild Wars.

Today we terminated more than 3,700 accounts for botting and match manipulation. In cases where guilds were found to be involved in these activities, the guilds were also disbanded. More than a dozen such guilds were disbanded and many others are under continued investigation. Today’s actions are significant not simply because of their immediate impact but also because they represent a new era in enforcement for us.

As many of you know, Guild Wars has seen a significant increase in the number and sophistication of bots in recent months. Particularly visible were new types of bots used in PvP. As with any hacks or exploits, our primary concern is the potential negative impact on the experience of other players. To a varying degree, cheaters hurt other players by inflating the economy, devaluing hard-earned accomplishments, or annoying everyone with RMT chat spam to sell gold gained through botting, but cheating in PvP is especially odious because it so directly affects the play experience of others.
“…rest assured that bots of all different types can be identified. With our new commitment to bot detection, no hack is safe.”
As anyone who’s followed online gaming knows, bots and hacks are difficult to fully address. Every game of decent size works to keep the problem in check, but no single, absolute solution exists. Although our support team has worked for years to combat bots and actually bans accounts for botting every day, we realize the fruits of their efforts are not visible to players. Further, this new upswing in bot activity showed that our existing processes were not adequate to address the problem. Having made that determination, we’ve been working to improve things on several fronts: staffing, identification, detection, visibility, and enforcement.

On the staffing side of things, we’ve increased the number of people dealing with bots and brought in people with a wider range of skills and backgrounds in order to be able to tackle these problems in a more proactive and thorough way. For obvious reasons, we will not go into details about all of the changes, but this batch of account terminations was made possible by our staffing improvements.

We’re now working more aggressively to identify hacks and potential exploits much more quickly. In addition to our efforts in house, we’re asking all of you to help us identify issues. Many of you have done so before on forums, but we will now provide a clearer way for you to get this information to us directly:

* Please report game abuse to support@guildwars.com using one of these exact subject lines: Botting, Match Manipulation, or Game Exploit. That will ensure the message is quickly routed to the right personnel and will expedite a review of the issue. You will be sent a confirmation that we’ve received your report, but in general we will not give out more detailed responses directly to individual players. In a situation like this, information is power. We maximize our ability to catch offenders if we operate in a confidential manner.

In order to deal with bots efficiently, we need strong methods of detection. Again for obvious reasons, we will not go into detail about anything we’ve done so far or anything we are planning for the future, but rest assured that bots of all different types can be identified. With our new commitment to bot detection, no hack is safe.

We know that the visibility of our actions is important to the Guild Wars community. While we were preparing for today, our Community and Support teams were not very vocal about these new bots. This was both because we did not want to tip our hand and also because we did not want to make promises that might ring hollow due to our lack of highly visible bot bans in the past. Moving forward, as with any security-related issue, we will not be able to talk about these matters with complete transparency, but we will look for opportunities to make clear to you our commitment to protecting the game from cheaters.

All of which bring us back to the beginning and to our strong enforcement of our policies against game abuse of any kind. Let me make this clear: We have no tolerance for using bots or hacks. It’s cheating, it harms other players, and there’s no excuse for it.

“If you have any doubts about whether or not something is allowed by the User Agreement, don’t do it.”
We know that the approaches we used to determine this particular list of terminated accounts did not catch every single bot or hack out there, but we now have many tools and options at our disposal internally, and we have the Guild Wars community itself as a resource to help identify potential exploits. As with this current round of enforcement, we may ban users of a particular hack in batches in order to better disguise our methods, but there is no expiration date for breaches of the User Agreement or RoC. If you cheat today, your account may be terminated at any time in the future.

If you have any doubts about whether or not something is allowed by the User Agreement, don’t do it. Don’t take that risk. Account termination means losing not only everything you’ve built up in Guild Wars, but losing the ability to have those accomplishments recognized in Guild Wars 2. Let me give you a real example from today. Here’s an actual account we just terminated: 2,469 hours, 38 titles, 913 plat, 268 ecto, Eternal Legendary Vanquisher monument, Mini Gwen, Chaos Gloves, Mallyx’s Strife, The Holy Avenger, etc., etc. It’s all gone now. Forever. You will not want that to happen to your account.

For those of you who raised concerns about this issue, we’re sorry it took as long as it did to put these changes in place. We should have been faster and more prepared. With your help, we will be more responsive in the future. We are listening, and we are ready to take action.

"Design Director James Phinney on the Recent Account Bans", http://www.arena.net/blog/design-director-james-phinney-on-the-recent-account-bans#more-2185

"[Updated] If you cheat in Guild Wars, Dhuum will kill you", http://www.massively.com/2010/05/26/if-you-cheat-in-guild-wars-dhuum-will-kill-you/

Sony's PSP has been a poster child for the problems of piracy. The handheld game platform continues to sell reasonably well (excluding the "Go" version), but publishers have avoided it. Sony has attempted to fight the worst piracy methods with operating system updates, but these seem to be circumvented almost as soon as they are released.

The operating system hacks allow a player to bypass any form of security that is added to a game much more easily.

Sony is now discussing some sort of "protective code" that can be embedded in a game that will help fight pirates. One strategy that might work is that the game could attempt to check to see if the console's operating system has been hacked (this would be limit Sony's ability to further update the operating system, though there could be some clever ways around this).

Other options would be to implement some sort of online registration, but this is not necessarily a given for most PSP games.

As always with the PSP, it should be interesting to watch.

A. Yoon (2010), "Sony offering PSP developers code to 'slow down' piracy", http://www.joystiq.com/2010/05/21/sony-offering-psp-developers-code-to-slow-down-piracy/

C. Nutt (2010), "The Sony Situation: SCEA's Rob Dyer Speaks", http://www.gamasutra.com/view/feature/4709/the_sony_situation_sceas_rob_.php?page=4

THQ and Ubisoft are apparently considering joining EA in their strategy to fight used games by charging for online play (EA's Online Pass requires a $10 fee to pay if the game is pre-purchased).

Of course the "Used Game" market has been fueled by the very same focus on consoles that virtually every major publisher has embraced - reducing the number of platforms that need to be supported and making the game play experience virtually an "instant on" proposition is good for development, good for a customer experience, and an enabler of easy used games.

Is the game industry fighting used games because it is possible?

In some sense, the rise of the "anti-used game" movement has corresponded with the rise of online play and value-added, post initial sales services. In the last generation of consoles, used games were not seen as a huge problem because there was nothing that COULD be done about them. Nintendo is still more focused on piracy than used game, perhaps because of its lack of focus on online services.

Certainly, the book industry, at least until very recently, had no real concern with the "Used Book" market, or even libraries, except as a peripheral argument.

In some sense, the used game market problem also corresponds to the relatively high prices paid for used games (compared to used books) and that the experience doesn't "deteriorate" (say, as with a "musty" used book).

Of course, locking out online play makes piracy worse as online services are one of the best ways to battle pirates by forcing game copies to be legitimate.

There are other anti-piracy and anti-used game strategies. Collectors editions can work. Ultra mega collectors editions that are true and truly limited editions create substantial additional value for modest cost. The problem with the collector edition strategy as implemented by most game companies is that the collector's editions are pretty cheap. They don't offer much of a perceived value and seem to be done without any passion.

I spent some time on the Nine Inch Nails' promotion strategy in my book Protecting Games as well as other collectors edition and promotional strategies. My sense is that different versions of a game can be used as a quite powerful anti-piracy and anti-used game service by creating real value for customers and real scarcity.



B. Dutka (2010), "More Publishers Looking To Charge For Online Play", http://www.psxextreme.com/ps3-news/7120.html

B. Parfitt (2010), "SCEA ‘frustrated’ by pre-owned sales", http://www.mcvuk.com/news/39128/SCEA-frustrated-by-pre-owned-sales

It was surprisingly sorrowful to learn yesterday that Martin Gardner died Saturday, 22 May, at age 95. Like many, many others, I was exposed to the joys of mathematics and serious study of games by his columns in Scientific American magazine when I was a teenager. His books (over 70) are still a magnet for impulse purchases whenever I am in a bookstore.

What a gift to share the joy of analytic thinking and playful mathematics and logic!

Farewell.

J. Randi (2010), "MY WORLD IS A LITTLE DARKER…", http://www.randi.org/site/index.php/swift-blog/995-my-world-is-a-little-darker.html

"Scholars and Others Pay Tribute to "Mathematical Games" Columnist Martin Gardner", http://www.scientificamerican.com/article.cfm?id=scholars-and-others-pay-t

P. Yam (2010), "Profile: Martin Gardner, the Mathematical Gamester (1914-2010)", http://www.scientificamerican.com/article.cfm?id=profile-of-martin-gardner

Most anti-piracy measures are pretty expensive for a developer or publisher. You've got your DRM licenses, your customer support, the risk of bad reviews due to technical glitches or server outages.

There is another way however, get the government to handle anti-piracy for you. This may require some lobbying and campaign donations, but, once you get things rolling, you've got an anti-piracy system that will run for years and years.

The US FBI and Department of Justice are kicking up their enforcement of Intellectual Property laws with 15 Assistant US Attorneys and 20 FBI special agents who will be working around the country to fight IP crimes.

This won't be all about music, movies, and games, but will also address counterfeit physical goods like computer equipment, medicines, and car parts..

M. Cooney (2010), "FBI, DoJ suit-up 35 new agents; lawyers for intellectual property battle", http://www.networkworld.com/community/node/60517

via "Your Rights Online: FBI, DoJ Add 35 Positions For Intellectual Property Battle", http://yro.slashdot.org/story/10/04/26/1855210/FBI-DoJ-Add-35-Positions-For-Intellectual-Property-Battle

EA's "Project $10" was designed to fight used games by tying free online content to the initial purchaser via a one-use activation code. If you buy used, you'll have to pay $10 to get the same online content.

EA reported that over 70 percent of new game purchasers used the code while used game purchasers were only spending buying up at a "single digit" pace.

The real question is whether used game prices and sales have gone down... I guess we'll have to wait for GameStop's numbers.

You may want to have 2 activation codes:

One that gives each copy of a game a unique identity and another that is one-time use (perhaps).

In some very important sense, it is important to know how many times the same copy of a game gets activated. There should be rewards for this to encourage registration (or transferred game saves or some such). One could combine this information with used game prices to get an estimate of how many players are buying used or borrowing copies: basically, a capture, recapture system. Especially, if you can tag different registration numbers to different sales channels.

The second activation code would then work like the current "Project $10" code.

More to ponder here. Bill Harris over at Dubious Quality proposes a "2 use" code with an interesting argument.

Oh, and Ubisoft has jumped on the "Project $10" bandwagon. I hope EA filed a patent on it or something

Of course, the easy way to fight used games is to go back to selling PC games (or move into digital distribution and MMOs)... used games are pretty much purely an artifact of consoles.

K. Brice (2010), "EA: Project $10 saw over 70% of new buyers redeem code", http://www.gamesindustry.biz/articles/ea-project-USD10-saw-over-70-percent-of-new-purchasers-redeeming-codes

J. Batchelor (2010), "Ubisoft to join pre-owned assault?", http://www.mcvuk.com/news/39060/Ubisoft-to-join-pre-owned-assault

Is the third time the charm? the fifth? I can't even remember all of the times that skill games have been touted as the "next big thing"... and its already doing pretty well in Europe. I actually believe it, but I think its going to be harder than most realize, especially in the area of appropriate game design for skill games.

Why am I talking about skill games (again)?

Titan Gaming just received a $1 Million investment from a long list of folk for their Titan Platform.

There is depressingly little information about the platform and technology on their site. If anything, it looks like a commerce platform + leader board + GeoIP (though none of this is explained).

If you are pitching an API to developers and rev-shares to web site owners, thats great, but thats just the start.

You can't integrate an arbitrary game with an infrastructure and have a "skill game". There are legal requirements. You need to know how the game is going to behave to make an offer of a game for money.

(don't get me going on cheating in these games !)

The successful skill game companies to date build their own skill games and use traditional skill games as their foundation.

The key is potential population and a game that is like the people of Lake Wobegon - where "everyone is above average".

The repeated failed attempts at skill game services based on First Person Shooters is probably the most graphic proof of this.

Neither Doom nor Chess is a "good skill game" for a mass market service.

Poker is definitely a good model (if you believe its a game of skill).

At least it will be fun to see if this goes anywhere.

Maybe its time to dust off that old skill game business plan.

"Titan Gaming Raises $1M From Prominent Angels For Skill-Based Games Platform", http://eberbach.pl/blog/titan-gaming-raises-1m-from-prominent-angels-for-skill-based-games-platform/

"Titan - Conquer the Competition", http://www.titanplatform.com/index.php

11 current and formal professional Starcraft players in Korea have been indicted for fixing games in a substantial scandal tied to gambling on the e-Sports.

Blizzard's Starcraft is amazingly popular in Korea and is the foundation of a thriving e-Sports movement with professional teams, sponsors and television coverage.

3 gambling web site operators were also indicted.

The investigation is widening and ongoing.

Park Si-soo (2010), "StarCraft players indicted for game fixing", http://www.koreatimes.co.kr/www/news/nation/2010/05/117_65996.html

An interesting alliance of the gambling industry and various sports organizations is at war with cheating in sports. The Internet has enabled sports wagering on an unprecedented scale. You can bet on any sporting event, pretty much anywhere on the planet.

It is an open invitation to fraud and money laundering.

The gambling industry is very concerned about crooked wagering manipulating the results and, of coruse, the various sports groups don't like their games being manipulated.

Players and teams are getting banned.

There have been allegations in soccer, tennis, and now snooker and horse racing.

This is only going to get worse. Online wagering has an insatiable appetite for action. More games. More races. More matches.

Smaller venues and local events will make it ever harder to fight corruption.

More to come.

B. Wilson (2010), "Sport and gambling united against cheating", http://news.bbc.co.uk/2/hi/business/10099724.stm