PlayNoEvil - Game Security, IT Security, and Secure Game Design Services

NOTED: FBI Pushing ISPs to retain user logs for 2 years

ceo@secureplay.com (SecurePlay) — Mon, 08 Feb 2010 05:51:00 -0800

The FBI is pushing ISPs to retain customer logs which would provide investigators with a list of all the sites that a customer has visited for a period of 2 years.

This is not really new (a bit surprisingly). Since at least 1986, phone companies have been required by regulation to retain customer call logs for 18 months.

Most cybercrime investigators support this initiative.

A lot of the information that is sought is not difficult to retain - source and destination IP addresses can easily be logged.

One piece of information that is a candidate for collection is the actual URL that a customer is visiting - something that would require deeper packet inspection than is easily done.

The data would require a subpoena to be retrieved... however, given the permissive access that has been given to cell phone and location information, it would not be surprising that this capability could be abused.

Of course, if law enforcement requires this data to be stored, it would not be surprising if other entities involved in a law suit to subpoena such information... LAWYERS????

D. McCullagh (2010), "FBI wants records kept of Web sites visited", http://news.cnet.com/8301-13578_3-10448060-38.html

via

"FBI Pushing For 2-Year Retention of Web Traffic Logs", http://yro.slashdot.org/story/10/02/05/2015205/FBI-Pushing-For-2-Year-Retention-of-Web-Traffic-Logs

XBox Live Arcade - Another Platform Not For Indies

ceo@secureplay.com (SecurePlay) — Fri, 05 Feb 2010 05:06:00 -0800

Stick with the PC, Indie! Xbox Live Arcade has seemingly joined the iPhone as yet another platform where indie developers cannot make money. Indies can thrive on Facebook, do pretty well with Flash, Unity, or old fashioned self-publishing.. but proprietary platforms just don't seem to be in the cards.

GamerBytes has an excellent analysis of Indie sales on Xbox Live Arcade (XBLA) and the top indie game earned $129,500.

Not very impressive. At least the top indie iPhone game developer has earned a fair chunk of change.

R. Langley (2010), "XBLA: In-Depth: Xbox Live Indie Games Sales For 2009, Plus Some Perspective", http://www.gamerbytes.com/2010/01/indepth_xbox_live_indie_games.php

2500 PlayNoEvil Blog Entries - SHAMELESS SELF-PROMOTION

ceo@secureplay.com (SecurePlay) — Thu, 04 Feb 2010 06:36:00 -0800

PlayNoEvil has just crossed 2500 blog entries since I started writing in the Fall of 2004.

Thank you all for reading. I'm looking forward to more comments and support in the years ahead.

I need a nap.

Choose Your DRM in Battlefield: Bad Company 2

ceo@secureplay.com (SecurePlay) — Thu, 04 Feb 2010 05:18:00 -0800

Don't like one form of DRM? Why not choose another.

There is much wailing and gnashing of teeth about onerous digital rights management (DRM) systems. Electronic Arts (EA) has taken an interesting approach with its new game, Battlefield: Bad Company 2. Instead of giving players just one DRM option, the company gives 2 - either always use your disk as a key or authenticate online once and only once (digital downloads don't have a disk, so they don't have the disk option).

This gives an option for players who have difficulty with Internet access (notebooks, and those behind firewalls - a common problem in the military).

Technically, a game company could give more options - email, a fax, or toll call to activate the game's license.

The more ways to activate, the better for your customers.

Otherwise, the service is pretty generous - allowing players to install the game on up to 11 machines at one time.

Its an interesting approach and pretty clearly aimed at focusing its efforts on serious torrent-type pirates, rather than casual ones.

One suggestion: if the game supports multi-player, don't allow a player to "play with himself" so that friends will be encouraged to buy legitimate copies rather than simply share one.

Of course, this approach only works if the DRM system itself is effective. If not, it seems hardly worth the trouble.

S. Ridgeley (2010), "Battlefield: Bad Company 2 DRM is revolutionary, sensible", http://www.neoseeker.com/news/13005-battlefield-bad-company-2-drm-is-revolutionary-sensible/

Verified by Visa Vulnerability of Convenience

ceo@secureplay.com (SecurePlay) — Wed, 03 Feb 2010 05:28:00 -0800

Verified by Visa and MasterCard SecureCode are based on a system called 3D Secure which, in short, generates a one-time credit card number for a specific transaction after you enter your authentication information at Visa or MasterCard.

So far, so good.

Except.

In everyone's zeal to make the system easy to use, they chose to embed the login at the host/merchant site... a little block of HTML, just like a web ad.

Which causes the problem.

A hacker who wants to phish for user authentication information simply creates a fake merchant page (or hacks a merchant site) and places a unVerified by Visa block on the page... which intercepts the username/password data and, if done properly, still completes the transaction.

... and the crook goes rolling along.

If the page was a simple link instead of an embedded code block, a customer could look at the page URL and find that it has nothing to do with Visa or MasterCard, but is a scam.

There has been no change to either service in response to these attacks... there are probably lower hanging fruit for crooks.

There are more secure systems, but they are more complicated and so won't increase transaction volume as easily as these services. Since merchants tend to pick up most of the costs of fraud, there is little incentive for the credit card industry to do anything about fraud... businesses & consumers pay while the credit card industry watches the profitable transactions pile up.

J. Kirk (2010), "3D Secure online payment system not secure, researchers say", http://www.pcworld.idg.com.au/article/334105