PlayNoEvil - Game Security, IT Security, and Secure Game Design Services - Contact Us at ceo@secureplay.com

Making Anti-Piracy Pay - Rethinking DRM

ceo@secureplay.com (SecurePlay) — Mon, 23 Aug 2010 07:36:40 -0700

Digital Rights Management. Anti-Piracy. For legitimate players, these words send a shiver down their spine promising onerous registrations, re-install limitations, and annoying game play restrictions. For publishers, they are an elusive Holy Grail - promising additional revenues and punishing pirate players... but always in the next release or product.

If you've read my blog or bought my book, you know that I have been a very harsh critic of anti-piracy and DRM as I've often seen them as expensive and ineffective.

I'm here to change my position.

Somewhat.

Piracy is a real problem. It does cost revenue. For PC games, 80 percent of the total players of a game did not purchase the game. For console games, we just don't have good data, but console piracy has caused publishers to seriously alter their platform strategy.

My view of anti-piracy tech is colored by its business model and implementation strategy. Anti-piracy firms have usually gotten paid per copy printed or, at best, registered, and the "anti-piracy" policies seem to be focused on punishment.

When I speak on the topic, I've argued that when we are talking DRM we should be talking Digital Revenue Maximization.

At least one anti-piracy firm (alas unwilling to be named as yet) has actually used this strategy.

Their model is simple and should be irresistible for any game developer: they get paid only for pirated copies that convert to legitimate sales.

From a security perspective, this is brilliant. The security firm is rewarded for being effective in detecting pirated copies and not being circumvented.

Pirated copies simply become "Informally Distributed Demos".

From a business perspective, pirated copies become an additional market channel for their products with zero cost distribution and money coming in because of effective security.

The numbers that I was told were impressive. The return on investment was much, much higher for the security firm than they would get from charging their usual rate of between 5 and 50 cents per copy, even with a substantial revenue share back to the publisher.

There are a lot of devils in the details of this approach, and it does not address the customer's issues with draconian security systems directly, but it does make anti-piracy a credible part of a business strategy and, equally importantly, make anti-piracy systems a much more viable business. The nice thing is that even if the system is imperfect, the incentives are correct for everyone and partial hacks simply delay the point at which the player is offered the chance to make their usage legitimate.

Finally, it does answer the question that bedevils game developers:

What do you do when you detect a pirated game copy?

Offer to sell the Player the game, of course!

Blizzard's Battle.Net following Facebook into ID infamy?

ceo@secureplay.com (SecurePlay) — Tue, 29 Jun 2010 07:19:40 -0700

Where identity goes, trouble follows. Blizzard's Battle.Net has a new identity system, RealID, which is raising a number of security, privacy, and utility concerns as the company prepares to launch two of the most anticipated PC games in years - Starcraft II and Diablo III.

Blizzard's Battle.Net is one of the older(est?) gaming social networks built around some of the most popular PC games of the last decade: Warcraft III, Starcraft, and Diablo II. While I've not been made privy to the service's history, it seems to have grown up in a rather ad hoc fashion. With the impending launch of Starcraft II, Blizzard has redesigned the service and one of its key components is its new identity service - RealID.

Online identity is a tricky problem (I've written over 100 blog entries on the topic) and Jaime Skelton of MMORPG.com has written a great article discussing the issues with Blizzard's service.

The RealID service as currently implemented lacks many of the privacy controls that users have come to expect from a social network - it seems that friends cannot be grouped into different categories for privacy and that it is not possible to play somewhat anonymously (a tricky issue for an online service).

Email addresses are login IDs - a bad idea I've discussed before - and you are identified by your real name to your friends, even if you haven't given that information to them otherwise. While Blizzard has stated that "friends" should only be your "real" friends, the expectation of "friending" online acquaintances has become so accepted that Blizzard's implementation is bound to cause a fair amount of trouble.

There are also some COPPA and child protection issues raised by the service, even if it is not explicitly targeted at children (complying with COPPA is such a good, do-able business strategy, and a legal requirement, there is rarely a sensible reason for not implementing its features even if you don't target kids as customers).

There are a number of other privacy issues as well as security concerns that have been raised by RealID.

Identity services are a key customer service and a major customer service cost - their design and implementation requires careful engineering and thought.

J. Skelton (2010), "Player Perspectives: A Pain in the RealID", http://www.mmorpg.com/showFeature.cfm/loadFeature/4342/page/1

7-11 - the gateway to online gambling and skill games and online identity

ceo@secureplay.com (SecurePlay) — Mon, 28 Jun 2010 07:59:31 -0700

How are we going to solve online identity? Just stop by 7-11.

A number of years ago, I was involved in some discussions about age verification for online gambling. At that time, as with it is today, there are plenty of technology pushers around - trying to sell ID tokens, biometric systems, etc. etc. etc.

My answer was simpler - use convenience stores.

After all, these pervasive, local merchants are the gateway to adulthood.

They sell us alcohol, cigarettes, porn, and lottery tickets.

They are entrusted by the state to verify our identities and our ages.

It would seem New Hampshire has figured this out. The state is beginning to support online lottery games, but the sales are tied to the existing retail infrastructure as players need to go to a lottery retailer, buy a ticket with a unique number, and register online to play (and presumably reverse the process to cash out).

Simple and as secure as anything else anyone has proposed.

And only the beginning for online skill and gambling games.

Know anyone at 7-11?

"New lottery games: A small change", http://www.unionleader.com/article.aspx?headline=New+lottery+games%3A+A+small+change&articleId=0e853e6a-1924-40db-bb54-d78c944c7d79>

"State To Launch Online Gaming Website Next Week", http://www.wmur.com/news/24016014/detail.html

Sumo Scandal - 65 Wrestlers caught gambling illegally, losing Sponsors

ceo@secureplay.com (SecurePlay) — Tue, 22 Jun 2010 10:25:25 -0700

There's a Sumo scandal brewing in Japan. 65 wrestlers have admitted to gambling illegally on baseball. This is in the wake of recent assault and drug use accusations.

It kind of sounds like a US sport.

What is different is that sponsors are taking the accusation seriously. Nagatanien, a major sport sponsor, is canceling its sponsorship of the next major tournament and reviewing its entire involvement with Sumo, as are several other sponsoring firms.

There has been a growing wave of gambling problems tied to different sports. Ranging from the mostly benign (wagering on other sports - with the main concern being debt and involvement with "interesting" folk) to very serious accusations of match fixing and odds manipulation.

The global nature of sport and wagering is making this a problem both for legitimate wagering firms and for sports organizations.

N. Fujimura (2010), "Sumo Loses Biggest Sponsor Amid Gambling Scandal (Update1)", http://www.businessweek.com/news/2010-06-22/sumo-loses-biggest-sponsor-amid-gambling-scandal-update1-.html

CAUTION: Protecting Games on Kindle Device Only

ceo@secureplay.com (SecurePlay) — Mon, 21 Jun 2010 08:27:15 -0700

While I'm very pleased that my book, Protecting Games, is available on Amazon's Kindle, I did want to warn folk that it only works on the actual Kindle device, not on an iPad or other "Kindle application" platforms... at least so far.

I'll let you know if I hear anything further. I believe that this is a policy setting chosen by my publisher, not me.

NOTED: New R4i Cartridge to vex Nintendo

ceo@secureplay.com (SecurePlay) — Mon, 21 Jun 2010 08:32:59 -0700

The R4 cartridge, which allows regular SD cards to be used instead of Nintendo's proprietary cartridges, has been replaced by a new version that works with the Nintendo DSi. These cartridges are often used by pirates to download stolen games onto SD cards (used in cameras and cell phones) and then use them with the cartridge. There is an inherent "removable media" problem for console games that is very hard to stop.

It will be interesting to see what Nintendo does with its new 3DS cartridge to stop (or at least slow down) this problem.

"R4 SDHC Team Releases New v2.10T Card", http://www.prlog.org/10744119-r4-sdhc-team-releases-new-v210t-card.html

Skillful Play, Random Prize - The Case of Moxie Metro and Pace-O-Matic in New York

ceo@secureplay.com (SecurePlay) — Thu, 17 Jun 2010 07:12:07 -0700

Gambling is Easy, Skill is Hard. Proving that a game is a gambling game is pretty straightforward, but how do you prove that a game is NOT a gambling game, that it is a game of skill? This is an increasingly important question as traditional computer game companies, such as Virgin Gaming, try to take familiar computer games into the play for cash and prizes world and slot machine manufacturers look to skill games as a way to reach new audiences.

Such is the case with Pace-O-Matic's "Moxie Mania Empire Edition" game licensed by Moxie Metro in New York. The basic game is (perhaps) a skill game using a variant of Tic-Tac-Toe where a player finds the best cell to score of the 9 available. After a long and winding series of legal battles, the game was declared a gambling game because the court determined that the prize which could be won was determined by chance.

Thus, though the game would be considered to have a "positive expected value" for any skillful player, the prize amount was chance driven, thus the game was gambling.

To review, there are three elements to determine whether a game is a gambling game:

1. A payment or consideration to be able to play.
2. A prize or reward of actual value based on the game's outcome.
3. An element of chance in determining the game's outcome.

In this case, the chance solely drives the size of the prize, even with perfect play, thus, the game has an element of chance and is gambling.

It was an interesting move by Moxie Metro and Pace-O-Matic as perfect skill play will always have a positive outcome (so, no risk of losing funds), but the court ruled that this was not sufficient.

Solo skill games for money are, I think, at high legal risk for being determined a game of chance, or having no players, or losing money. In order to be popular, players need to think they can win (my "illusion of skill" argument), operators need to know that players aren't going to win (more than they spend), and all of this needs to be done with no element of chance to get into legal trouble.

VERY HARD, if not impossible from a game design perspective.

Conversely, I think the real potential is with multi-player games. Core mechanics such as Rock-Paper-Scissors, Battleship, checkers, etc. lend themselves to rapid play with no element of chance (RPS raises some problems for another day).

M. Webb (2010), "Court Ruling Says Moxie Mania Empire Edition Is Illegal", http://www.vendingtimes.com/ME2/dirmod.asp?sid=EB79A487112B48A296B38C81345C8C7F&nm=Vending+Features&type=Publishing&mod=Publications%3A%3AArticle&mid=8F3A7027421841978F18BE895F87F791&tier=4&id=90CB95AF28D8497A8B64067285D7171D

Moxie Metro web site, http://moxiemetro.com/index.php

Pace-O-Matic web site, http://www.paceomatic.com/index.html

Virgin Gaming Indeed - The Illusion of Skill Revisited (and cheating of course)

ceo@secureplay.com (SecurePlay) — Wed, 16 Jun 2010 07:27:23 -0700

Richard Branson has re-entered the game industry with a tournament game site, Virgin Gaming. The site is supposed to award $1 Million in prizes over the next 12 months and will use existing console games.

(If you've been to PlayNoEvil before, you'll know what's coming next)

First of all, I am a huge fan and fascinated by the potential of skill games as an online business. I think skill games and more advanced gambling games could be the drivers of a new industry.

However, you've got to design for the medium.

Without basic changes, I suspect Virgin Gaming will rapidly join the ranks of failed tournament services.

Pool of Players

Customers are key to a business and a tournament service relies on having many, many players so that the entry fees far outweigh the cost to operate and the prize pool. Most console games are HEAVILY SKILL driven. There are great players and then there are the rest of us. They know it. We know it. In pretty much any sports or FPS or other twitchy game, I know I've lost in the first couple of minutes. Ranking systems somewhat compensate for this, but as seen with Team Fortress 2 and most other online shooters, the best players dominate the game and everyone else quits.

The Illusion of Skill

A 'great' skill game is one where everyone thinks that they are above average. Poker has achieved this. The game is designed so that for virtually every hand there is a way to see to have won when you've lost. Poker is a study in brilliant player choice and information disclosure. The game is strategic, but simple and, because of chance,a player is likely to not go too long without a victory.

Game Duration / Game Sessions

A good tournament service needs to have lots of short game sessions so that players who've lost have a chance to re-enter the tournament or enter another event. If a game takes a long time to lose, players will abandon it rather than try again. Learning opportunities and feedback needs to be fast.

The Dark Side

While Virgin Gaming is using the Xbox Live and Playstation service, there is no strong identity in the system (both services now support pre-paid debit card players), so there is only a weak linkage between an account number and a person. Once a game is played for money, even if there was strong "account identity", there is very weak "player identity" - after all, I could bring in my "ringer" buddy to play on my behalf when real money is on the line.

... and then there is cheating (a problem even on console games).

... and then there is tournament abuse (manipulation of ranking and reputation systems).

... and, of course, the complicated legal issues for these games (skill games are not legal in all US states).

I discuss tournament and ranking abuse, cheating, and identity problems at some length in my book Protecting Games.

I'm looking forward to the day someone gets this right. It will be a true revolution in gaming.

"Virgin Gaming FairPlay Guarantee", http://virgingaming.com/fairplay.html?f=FTR_1F_001

O. Chiang (2010), "Richard Branson Launches Virgin Gaming, An Online Game Tournament Service", http://blogs.forbes.com/velocity/2010/06/15/richard-branson-launches-virgin-gaming-an-online-game-tournament-service/

Game Saves for Sale! Xploder sells Modern Warfare 2 game saves via Micro-transaction

ceo@secureplay.com (SecurePlay) — Tue, 15 Jun 2010 07:48:44 -0700

Micro-transactions are everywhere. Just as games are moving to the micro-transaction / free-to-play business model, Game cheats are doing the same. Xpolder is selling Modern Warfare 2 game saves for 79p so that players can "get unstuck" during game play and, of course, achieve all those achievements and badges they want without bothering to earn them.

This is a solvable problem. Game companies could/should really look at the security and integrity of the game save process (it has been the source of many console game hacks).

B. Parfitt (2010), "Xploder selling MW2 game saves", http://www.mcvuk.com/news/39284/Xploder-selling-MW2-game-saves

Virtual Goods Scams - Homicons, Polyicons, Synicons, and Homographic Accounts

ceo@secureplay.com (SecurePlay) — Mon, 14 Jun 2010 10:49:48 -0700

Scammers, scammers, everywhere. So much to steal, so little. Time. I was reading an interesting article about scams in Yoville and one category caught my eye as it is similar to an old World of Warcraft scam.

In each scam, there is a high value item that is quite similar in name and appearance to a much more common item. Players use the game's in-game trading system to trade for items, and the scammer basically works the system to offer and sell the common item in place of the rare item.

A bit abstract?

So, in Yoville, there is a rare Animated Pool Table which is virtually visually identical to a Green Pool Table... except the Animated Pool Table sells for 60,000 of the game's coins and the Green Pool Table for 2,000.

Virtually every game has the same problem as virtual goods are represented as rather small images with associated names. Scammers will take advantage of this limited visual and name pool to create their scams. These scams are going to only become more common as virtual items sales in Free-to-Play games and other micro transaction funded environments become more popular.

So, in honor of high school English, we have the following:

Homicons - distinct virtual items with identical (or near identitcal) visual representations and names.

Synicons - distinct virtual items with identical (or near identical) visual representations and different names.

Polyicons - distinct virtual items with different visual representations and similar names.

Depending on the trading and gifting systems used in a game, these different virtual item "near misses" can be used to launch scams.

An additional aspect to these scams can be "near miss" accounts which use "non-ASCII" letters in user names to spoof transactions. English speakers are particularly vulnerable in that they will visually ignore umlauts and other marks used in other European alphabets when reading text. A scammer can hide his or her identity by using these characters in their account name or create an account that is similar to a legitimate account for an account sale scam.

So, for example:

PlåyNöEvil vs. PlayNoEvil using the Danish Alphabet

"[Security] Scams, Hacks, Threats, and Fixes", http://www.yoinsider.com/archives/5475

30 Million Unity Player Installs

ceo@secureplay.com (SecurePlay) — Thu, 10 Jun 2010 07:44:59 -0700

Unity is one of the more exciting game engines available as it is powerful, easy to develop for, and more 3D friendly than Adobe's Flash. It is possible to either create a game as a stand alone executable or load a game through the company's player, making the game a "no download" experience comparable to Flash.

According to a press release from Unity Technologies, the player has been downloaded 30 million times.

I haven't seen browser penetration numbers for the player yet (anyone?), but this is a pretty good metric.

The closest number I have is that Adobe's Flash program manager stated that Flash had 18 million successful installs per day (out of 33 million downloads per day) in 2008 (WOOF!).

"Unity Technologies Celebrates Five Years of Continual Leadership and Innovation in Making Cutting Edge Game Technology", http://finance.yahoo.com/news/Unity-Technologies-Celebrates-iw-3659955691.html?x=0&.v=1

E. Huang (2008), "Two! Four! Six! Eight! Numbers we appreciate!", http://blogs.adobe.com/emmy/archives/statistics/

NOTED: UltimateBet Poker Cheating Scandal - Lots of Details and Speculation

ceo@secureplay.com (SecurePlay) — Wed, 09 Jun 2010 08:18:45 -0700

The UltimateBet / Absolute Poker online poker cheating scandal seems to have had little real impact on the regulation or perception of the online poker industry. In short, insiders associated with the poker site and the developer of its software used a program to read other players hole cards (hidden cards) and therefore have a huge advantage in game play. This "GodMode" was embedded into the game software very early in its development. It wsa not always used in the accounts which were used for cheating.

Haley's Poker Blog has an extended, extensive, ongoing series of articles on the story with a lot of interesting information and speculation about what happened.

The articles also should raise questions that should be considered by regulators of both online and traditional games that involve computers.

I hope someone is writing a book!

It is possible, and probably advisable, to redesign online gambling games so that it is not possible to abuse them in this manner.

"Just Conjecturin', Volume 17: The Real Story of the UltimateBet Refunds", http://haleyspokerblog.blogspot.com/2010/05/just-conjecturin-volume-17-real-story.html

"Just Conjecturin', Volume 12: The Absolute Scandal and the Day Occam Rolled Over in His Grave". http://haleyspokerblog.blogspot.com/2010/04/just-conjecturin-volume-12-absolute.html

and many more

NOTED: New Jersey considering legalizing Intrastate Internet Gambling

ceo@secureplay.com (SecurePlay) — Tue, 08 Jun 2010 05:00:51 -0700

A bill has been introduced to legalize intrastate Internet gambling in New Jersey. The proposed bill would allow currently licensed traditional casinos to set up web sites that could be used by New Jersey residents to bet online. Other discussions of this issue have suggested that interstate compacts between states that legalize gambling (similar to combined lottery pools) may be the way online gambling is legalized within most of the US (bills have been introduced in Florida and California as well).

The claim is that there are around 500,000 NJ residents who wager $150 million a year at offshore voting sites. (that's $300 each - not a huge amount considering this is likely counting each wager made).

A representative of Interactive Media Entertainment and Gaming Association claims that 1500 jobs and $200 million in revenue could be raised.

"Some N.J. lawmakers betting on the Internet for new casino game revenue", http://www.nj.com/business/index.ssf/2010/06/some_nj_lawmakers_betting_on_t.html

NOTED: Security Breach at Final Fantasy XI

ceo@secureplay.com (SecurePlay) — Mon, 07 Jun 2010 05:33:00 -0700

Square Enix is dealing with a security breach for its MMO Final Fantasy XI. Ir seems that players user names, passwords, and other registration information was disclosed. Based on the description, it looks like a login and registration server was compromised.

Important Notice Regarding your PlayOnline ID(s)

Thank you for your continued support of PlayOnline and FINAL FANTASY XI.

As a result of an attack on our computer network, there is a possibility that information pertaining to some users has been compromised including the PlayOnline ID, PlayOnline password and certain other details obtained during registration. We have taken measures as soon as the attack was detected, and have limited the potential breach of information.

If you have linked your PlayOnline ID to a Square Enix Account, your account will be safe due to the nature of the information possibly breached. Please be assured that sensitive information such as your credit card number has not been compromised.

To prevent any misuse from accounts potentially compromised during this incident, we have changed the PlayOnline password for all those affected. We will be sending the new PlayOnline password to you by regular mail to the address registered in our records. We apologize for the inconvenience, but you will be able to login to PlayOnline using this new password. We have also sent out details on how to reset your password through our Information Center to those with a valid e-mail address, during the early hours of June 4th.

Those who can still login to PlayOnline using their current password are unaffected by the contents of this e-mail.

Please note: Square Enix employees will not ask you for your PlayOnline password regarding this incident. Please remain vigilant of any phishing attempts disguised as correspondence from Square Enix.

Thank you for your understanding, and we again apologize for any inconvenience caused.

"Important Notice Regarding your PlayOnline ID(s)", http://www.playonline.com/ff11us/polnews/news19199.shtml

B. Ashcraft (2010), "Final Fantasy XI Accounts Compromised", http://kotaku.com/5555304/final-fantasy-xi-accounts-compromised

KEEPING SCORE: Poker is a Game of Luck in Switzerland, Ohio struggles with Skill Slots

ceo@secureplay.com (SecurePlay) — Thu, 03 Jun 2010 07:36:53 -0700

The Swiss Supreme Court has ruled that poker is a game of luck in Switzerland and can only be played in casinos.

Meanwhile, the Ohio House has introduced a bill to regulate "skill games" (mostly games similar to slot machines, but with some element of skill).

There are some interesting public policy questions implied by a game played for money that may need to be considered:

1. How do you prevent money laundering?
2. How do you handle addiction / problem gaming? Do you?
3. What age limits or verification are appropriate?
4. How do you ensure the integrity of the game, skill or luck?
5. How do you ensure the integrity of the game operator?
6. If there is a game machine or software, who validates its integrity?
7. What the __ is a game of skill and how do you "prove" that a game as implemented is actually a game of skill?

E. Engeler (2010), "Swiss crack down on Texas hold 'em matches", http://www.google.com/hostednews/ap/article/ALeqM5g49nVKzWWNq_7AJOjVIjuC34WBYQD9G348UG1

J. Nash (2010), "Ohio House tackles 'skill' games", http://www.dispatchpolitics.com/live/content/local_news/stories/2010/06/02/copy/house-tackles-skill-games.html?adsec=politics&sid=101

NOTED: Virgin gets into Tournament and Skill Games

ceo@secureplay.com (SecurePlay) — Wed, 02 Jun 2010 09:23:04 -0700

There are substantial rumors that Virgin / Virgin Gaming is getting into the the skill / tournament games business for money & prizes.

If so, this will be the most serious move by a larger company into the skill games business.

It looks like the early games being considered are conventional console games. While this may be good for yielding a larger number of games, these games were not designed for this environment. Cheating is a much bigger issue, of course, and the bigger the prizes and cash, the larger the incentives for abuse... and the very fact that the games are being played over a network also increases the risks.

J. Fletcher (2010), "Virgin Gaming to offer online game tournaments", http://www.joystiq.com/2010/06/01/virgin-gaming-to-offer-online-game-tournaments/

"Virgin Gaming - ModNation Racers - Tournament Details", http://virgingaming.com/modnation/details

NOTED: Namco Bandai backs Ubisoft's Continuous Connection Strategy

ceo@secureplay.com (SecurePlay) — Tue, 01 Jun 2010 10:21:15 -0700

Namco Bandai's CEO has come out in support of Ubisoft's Continuous Connection strategy for fighting game piracy.

The re-engagement of the game industry on the issue of piracy is interesting to note - last year, it looked like DRM was on its last legs and everyone was moving to very loose policies for their PC games. It could be the economic hard times for the industry has a whole or a re-emphasis on PC games (or the first move in abandoning PC games) by the major game publishers.

Of course PC games outside of the major publishers are in more than a bit of a renaissance. The vibrant MMO market, the up & coming social games market, and a growing range of indie games that are optimized for the PC, not to mention classic PC titles from Valve and Blizzard perhaps making the traditional game publishers rethink their PC game strategies.

B. Parfitt (2010), "Namco backs Ubisofts DRM", http://www.mcvuk.com/news/39196/Namco-backs-Ubisofts-DRM

Botnet Server found with 44 Million Game Credentials

ceo@secureplay.com (SecurePlay) — Fri, 28 May 2010 05:25:00 -0700

Just change your passwords.

Symantec found a server which appears to be a key part of a botnet which has harvested 44 million user names and passwords for online games:

World of Warcraft - 210.000
Aion - 60,000
PlayNC - 2 million (NCSoft's site-wide account)
Wayi Entertainment - 16 million

Symantec focused on an interesting feature of the botnet - it was used as an illicit cloud computing service to validate the quality of the stolen account information using a trojan program called Trojan.Loginck.

Ah, the Internet and its glorious features.

It was unclear how all of these identities were collected, probably via phishing or purchase.

Needless to say, this did represent a substantial dollar value in stolen accounts... millions and millions of dollars.

"44 Million Stolen Game Accounts Uncovered?", http://www.markeedragon.com/content.php/720-44-Million-Stolen-Game-Accounts-

E. Ward (2010), "44 Million Stolen Gaming Credentials Uncovered", http://www.symantec.com/connect/blogs/44-million-stolen-gaming-credentials-uncovered

Guild Wars bans more than 3700 for botting and cheating

ceo@secureplay.com (SecurePlay) — Thu, 27 May 2010 07:11:18 -0700

ArenaNet has made another move against botters and other cheaters by banning 3700 accounts. Banning is pretty unambiguous for Guild Wars as revenues come only from the game's initial sale as their is no subscription... so no further revenue to lose.

Gold farmers are a target, of course, but Player vs. Player bots are a real issue as competition is a major part of the Guild Wars online experience.

Fighting bots is an interesting problem. Most games rely on signature-based schemes (looking for certain processes and programs, just as anti-virus applications work). I've been fiddling around with some alternate approaches that battle bots more generically... a topic for another day.

ArenaNet has joined the tradition of "fun" deaths for bots:

The text of the notice to players:

This is an important day for Guild Wars.

Today we terminated more than 3,700 accounts for botting and match manipulation. In cases where guilds were found to be involved in these activities, the guilds were also disbanded. More than a dozen such guilds were disbanded and many others are under continued investigation. Todays actions are significant not simply because of their immediate impact but also because they represent a new era in enforcement for us.

As many of you know, Guild Wars has seen a significant increase in the number and sophistication of bots in recent months. Particularly visible were new types of bots used in PvP. As with any hacks or exploits, our primary concern is the potential negative impact on the experience of other players. To a varying degree, cheaters hurt other players by inflating the economy, devaluing hard-earned accomplishments, or annoying everyone with RMT chat spam to sell gold gained through botting, but cheating in PvP is especially odious because it so directly affects the play experience of others.
rest assured that bots of all different types can be identified. With our new commitment to bot detection, no hack is safe.
As anyone whos followed online gaming knows, bots and hacks are difficult to fully address. Every game of decent size works to keep the problem in check, but no single, absolute solution exists. Although our support team has worked for years to combat bots and actually bans accounts for botting every day, we realize the fruits of their efforts are not visible to players. Further, this new upswing in bot activity showed that our existing processes were not adequate to address the problem. Having made that determination, weve been working to improve things on several fronts: staffing, identification, detection, visibility, and enforcement.

On the staffing side of things, weve increased the number of people dealing with bots and brought in people with a wider range of skills and backgrounds in order to be able to tackle these problems in a more proactive and thorough way. For obvious reasons, we will not go into details about all of the changes, but this batch of account terminations was made possible by our staffing improvements.

Were now working more aggressively to identify hacks and potential exploits much more quickly. In addition to our efforts in house, were asking all of you to help us identify issues. Many of you have done so before on forums, but we will now provide a clearer way for you to get this information to us directly:

* Please report game abuse to support@guildwars.com using one of these exact subject lines: Botting, Match Manipulation, or Game Exploit. That will ensure the message is quickly routed to the right personnel and will expedite a review of the issue. You will be sent a confirmation that weve received your report, but in general we will not give out more detailed responses directly to individual players. In a situation like this, information is power. We maximize our ability to catch offenders if we operate in a confidential manner.

In order to deal with bots efficiently, we need strong methods of detection. Again for obvious reasons, we will not go into detail about anything weve done so far or anything we are planning for the future, but rest assured that bots of all different types can be identified. With our new commitment to bot detection, no hack is safe.

We know that the visibility of our actions is important to the Guild Wars community. While we were preparing for today, our Community and Support teams were not very vocal about these new bots. This was both because we did not want to tip our hand and also because we did not want to make promises that might ring hollow due to our lack of highly visible bot bans in the past. Moving forward, as with any security-related issue, we will not be able to talk about these matters with complete transparency, but we will look for opportunities to make clear to you our commitment to protecting the game from cheaters.

All of which bring us back to the beginning and to our strong enforcement of our policies against game abuse of any kind. Let me make this clear: We have no tolerance for using bots or hacks. Its cheating, it harms other players, and theres no excuse for it.

If you have any doubts about whether or not something is allowed by the User Agreement, dont do it.
We know that the approaches we used to determine this particular list of terminated accounts did not catch every single bot or hack out there, but we now have many tools and options at our disposal internally, and we have the Guild Wars community itself as a resource to help identify potential exploits. As with this current round of enforcement, we may ban users of a particular hack in batches in order to better disguise our methods, but there is no expiration date for breaches of the User Agreement or RoC. If you cheat today, your account may be terminated at any time in the future.

If you have any doubts about whether or not something is allowed by the User Agreement, dont do it. Dont take that risk. Account termination means losing not only everything youve built up in Guild Wars, but losing the ability to have those accomplishments recognized in Guild Wars 2. Let me give you a real example from today. Heres an actual account we just terminated: 2,469 hours, 38 titles, 913 plat, 268 ecto, Eternal Legendary Vanquisher monument, Mini Gwen, Chaos Gloves, Mallyxs Strife, The Holy Avenger, etc., etc. Its all gone now. Forever. You will not want that to happen to your account.

For those of you who raised concerns about this issue, were sorry it took as long as it did to put these changes in place. We should have been faster and more prepared. With your help, we will be more responsive in the future. We are listening, and we are ready to take action.

"Design Director James Phinney on the Recent Account Bans", http://www.arena.net/blog/design-director-james-phinney-on-the-recent-account-bans#more-2185

"[Updated] If you cheat in Guild Wars, Dhuum will kill you", http://www.massively.com/2010/05/26/if-you-cheat-in-guild-wars-dhuum-will-kill-you/

NOTED: Sony continues piracy fight on the PSP

ceo@secureplay.com (SecurePlay) — Wed, 26 May 2010 07:08:07 -0700

Sony's PSP has been a poster child for the problems of piracy. The handheld game platform continues to sell reasonably well (excluding the "Go" version), but publishers have avoided it. Sony has attempted to fight the worst piracy methods with operating system updates, but these seem to be circumvented almost as soon as they are released.

The operating system hacks allow a player to bypass any form of security that is added to a game much more easily.

Sony is now discussing some sort of "protective code" that can be embedded in a game that will help fight pirates. One strategy that might work is that the game could attempt to check to see if the console's operating system has been hacked (this would be limit Sony's ability to further update the operating system, though there could be some clever ways around this).

Other options would be to implement some sort of online registration, but this is not necessarily a given for most PSP games.

As always with the PSP, it should be interesting to watch.

A. Yoon (2010), "Sony offering PSP developers code to 'slow down' piracy", http://www.joystiq.com/2010/05/21/sony-offering-psp-developers-code-to-slow-down-piracy/

C. Nutt (2010), "The Sony Situation: SCEA's Rob Dyer Speaks", http://www.gamasutra.com/view/feature/4709/the_sony_situation_sceas_rob_.php?page=4

Piracy vs. Used Games - Charging for Online Play

ceo@secureplay.com (SecurePlay) — Tue, 25 May 2010 08:29:22 -0700

THQ and Ubisoft are apparently considering joining EA in their strategy to fight used games by charging for online play (EA's Online Pass requires a $10 fee to pay if the game is pre-purchased).

Of course the "Used Game" market has been fueled by the very same focus on consoles that virtually every major publisher has embraced - reducing the number of platforms that need to be supported and making the game play experience virtually an "instant on" proposition is good for development, good for a customer experience, and an enabler of easy used games.

Is the game industry fighting used games because it is possible?

In some sense, the rise of the "anti-used game" movement has corresponded with the rise of online play and value-added, post initial sales services. In the last generation of consoles, used games were not seen as a huge problem because there was nothing that COULD be done about them. Nintendo is still more focused on piracy than used game, perhaps because of its lack of focus on online services.

Certainly, the book industry, at least until very recently, had no real concern with the "Used Book" market, or even libraries, except as a peripheral argument.

In some sense, the used game market problem also corresponds to the relatively high prices paid for used games (compared to used books) and that the experience doesn't "deteriorate" (say, as with a "musty" used book).

Of course, locking out online play makes piracy worse as online services are one of the best ways to battle pirates by forcing game copies to be legitimate.

There are other anti-piracy and anti-used game strategies. Collectors editions can work. Ultra mega collectors editions that are true and truly limited editions create substantial additional value for modest cost. The problem with the collector edition strategy as implemented by most game companies is that the collector's editions are pretty cheap. They don't offer much of a perceived value and seem to be done without any passion.

I spent some time on the Nine Inch Nails' promotion strategy in my book Protecting Games as well as other collectors edition and promotional strategies. My sense is that different versions of a game can be used as a quite powerful anti-piracy and anti-used game service by creating real value for customers and real scarcity.

B. Dutka (2010), "More Publishers Looking To Charge For Online Play", http://www.psxextreme.com/ps3-news/7120.html

B. Parfitt (2010), "SCEA frustrated by pre-owned sales", http://www.mcvuk.com/news/39128/SCEA-frustrated-by-pre-owned-sales

Fighting Used Games with $10 DLC... perhaps?

ceo@secureplay.com (SecurePlay) — Thu, 20 May 2010 13:20:28 -0700

EA's "Project $10" was designed to fight used games by tying free online content to the initial purchaser via a one-use activation code. If you buy used, you'll have to pay $10 to get the same online content.

EA reported that over 70 percent of new game purchasers used the code while used game purchasers were only spending buying up at a "single digit" pace.

The real question is whether used game prices and sales have gone down... I guess we'll have to wait for GameStop's numbers.

You may want to have 2 activation codes:

One that gives each copy of a game a unique identity and another that is one-time use (perhaps).

In some very important sense, it is important to know how many times the same copy of a game gets activated. There should be rewards for this to encourage registration (or transferred game saves or some such). One could combine this information with used game prices to get an estimate of how many players are buying used or borrowing copies: basically, a capture, recapture system. Especially, if you can tag different registration numbers to different sales channels.

The second activation code would then work like the current "Project $10" code.

More to ponder here. Bill Harris over at Dubious Quality proposes a "2 use" code with an interesting argument.

Oh, and Ubisoft has jumped on the "Project $10" bandwagon. I hope EA filed a patent on it or something

Of course, the easy way to fight used games is to go back to selling PC games (or move into digital distribution and MMOs)... used games are pretty much purely an artifact of consoles.

K. Brice (2010), "EA: Project $10 saw over 70% of new buyers redeem code", http://www.gamesindustry.biz/articles/ea-project-USD10-saw-over-70-percent-of-new-purchasers-redeeming-codes

J. Batchelor (2010), "Ubisoft to join pre-owned assault?", http://www.mcvuk.com/news/39060/Ubisoft-to-join-pre-owned-assault

Martin Gardner - An Inspiration has Passed

ceo@secureplay.com (SecurePlay) — Mon, 24 May 2010 10:38:03 -0700

It was surprisingly sorrowful to learn yesterday that Martin Gardner died Saturday, 22 May, at age 95. Like many, many others, I was exposed to the joys of mathematics and serious study of games by his columns in Scientific American magazine when I was a teenager. His books (over 70) are still a magnet for impulse purchases whenever I am in a bookstore.

What a gift to share the joy of analytic thinking and playful mathematics and logic!

Farewell.

J. Randi (2010), "MY WORLD IS A LITTLE DARKER", http://www.randi.org/site/index.php/swift-blog/995-my-world-is-a-little-darker.html

"Scholars and Others Pay Tribute to "Mathematical Games" Columnist Martin Gardner", http://www.scientificamerican.com/article.cfm?id=scholars-and-others-pay-t

P. Yam (2010), "Profile: Martin Gardner, the Mathematical Gamester (1914-2010)", http://www.scientificamerican.com/article.cfm?id=profile-of-martin-gardner

Fighting Piracy with Taxpayer Dollars - 15 DOJ Attorneys and 20 FBI Agents

ceo@secureplay.com (SecurePlay) — Fri, 21 May 2010 08:39:29 -0700

Most anti-piracy measures are pretty expensive for a developer or publisher. You've got your DRM licenses, your customer support, the risk of bad reviews due to technical glitches or server outages.

There is another way however, get the government to handle anti-piracy for you. This may require some lobbying and campaign donations, but, once you get things rolling, you've got an anti-piracy system that will run for years and years.

The US FBI and Department of Justice are kicking up their enforcement of Intellectual Property laws with 15 Assistant US Attorneys and 20 FBI special agents who will be working around the country to fight IP crimes.

This won't be all about music, movies, and games, but will also address counterfeit physical goods like computer equipment, medicines, and car parts..

M. Cooney (2010), "FBI, DoJ suit-up 35 new agents; lawyers for intellectual property battle", http://www.networkworld.com/community/node/60517

via "Your Rights Online: FBI, DoJ Add 35 Positions For Intellectual Property Battle", http://yro.slashdot.org/story/10/04/26/1855210/FBI-DoJ-Add-35-Positions-For-Intellectual-Property-Battle

Skill Games Revisited Revisited - Titan Games gets $1M for Tournaments

ceo@secureplay.com (SecurePlay) — Wed, 19 May 2010 08:42:59 -0700

Is the third time the charm? the fifth? I can't even remember all of the times that skill games have been touted as the "next big thing"... and its already doing pretty well in Europe. I actually believe it, but I think its going to be harder than most realize, especially in the area of appropriate game design for skill games.

Why am I talking about skill games (again)?

Titan Gaming just received a $1 Million investment from a long list of folk for their Titan Platform.

There is depressingly little information about the platform and technology on their site. If anything, it looks like a commerce platform + leader board + GeoIP (though none of this is explained).

If you are pitching an API to developers and rev-shares to web site owners, thats great, but thats just the start.

You can't integrate an arbitrary game with an infrastructure and have a "skill game". There are legal requirements. You need to know how the game is going to behave to make an offer of a game for money.

(don't get me going on cheating in these games !)

The successful skill game companies to date build their own skill games and use traditional skill games as their foundation.

The key is potential population and a game that is like the people of Lake Wobegon - where "everyone is above average".

The repeated failed attempts at skill game services based on First Person Shooters is probably the most graphic proof of this.

Neither Doom nor Chess is a "good skill game" for a mass market service.

Poker is definitely a good model (if you believe its a game of skill).

At least it will be fun to see if this goes anywhere.

Maybe its time to dust off that old skill game business plan.

"Titan Gaming Raises $1M From Prominent Angels For Skill-Based Games Platform", http://eberbach.pl/blog/titan-gaming-raises-1m-from-prominent-angels-for-skill-based-games-platform/

"Titan - Conquer the Competition", http://www.titanplatform.com/index.php

Do Multi-Level Marketing & Pyramid Schemes come next for Social Gaming?

ceo@secureplay.com (SecurePlay) — Wed, 12 May 2010 05:47:00 -0700

Facebook has turned down the knob on the data feed from games... and social games are suffering. Virtually every game and game publisher has lost millions of players each of the past several weeks.

While games like Farmville and Mafia Wars are often described as "viral", it is pretty clear that most potential are immune or at least resistant to these games. Players only play if they are constantly reminded to keep playing by other players.

The games are not sticky, Facebook is.

Facebook does need social applications to maintain engagement and keep its customers on its site. It will be interesting to see whether Facebook opens the door again for these application feeds (perhaps under the control of an under-documented privacy feature).

Will this be enough for game developers or will they need to create actively viral games?

Is Amway coming to social gaming?

Multi-level marketing is certainly a proven business model. I've long wondered when it would hit online games. The loss of growth and even shrinkage that these social games have suffered would seem to imply a need for more drastic measures.

It would be fairly simple with games like Farmville to move from its existing "social engagement" model to a more virulent strategy using multi-level marketing. The more my friends play, the more loot I get. The more they pay, the more loot I get. Active messages initiated by players asking for their friends to help rather than data feeds can bypass the filters, and constraints, of any service like Facebook. After all, I can always send a message to whomever I want with a magic hyperlink embedded in it.

And, since there is no cash out model, more aggressive game creators will, no doubt, move past multi-level marketing and into pyramid schemes:

Subscribe to get better residual rates from your referrals.
Long, deep referral trees to reward players for insane levels of recruiting.
All sorts of virtual prizes for engagement and referral.

This should all be legal as the lack of cash out will keep these MLM games from being construed as illegal pyramid or Ponzi schemes.

The challenge will be to define the game mechanics in such a way that players can feel comfortable playing and joining at any time - limiting the benefits of early entry... though Farmville and Mafia Wars and others have done this already fairly well with independent play in a social milieu.

Multi-level social gaming, here we come.

Loukerner (2010), "User Loss Accelerates For Zynga", http://www.secondshares.com/2010/05/10/user-loss-accelerates-for-zynga/

E. Caoili (2010), "Facebook Games See User Dip As Notification Rules Change", http://www.gamasutra.com/view/news/28459/Facebook_Games_See_User_Dip_As_Notification_Rules_Change.php

11 Korean Professional Starcraft Players indicted for Game Fixing

ceo@secureplay.com (SecurePlay) — Mon, 17 May 2010 05:02:00 -0700

11 current and formal professional Starcraft players in Korea have been indicted for fixing games in a substantial scandal tied to gambling on the e-Sports.

Blizzard's Starcraft is amazingly popular in Korea and is the foundation of a thriving e-Sports movement with professional teams, sponsors and television coverage.

3 gambling web site operators were also indicted.

The investigation is widening and ongoing.

Park Si-soo (2010), "StarCraft players indicted for game fixing", http://www.koreatimes.co.kr/www/news/nation/2010/05/117_65996.html

NOTED: Everyone battles Sport Cheating

ceo@secureplay.com (SecurePlay) — Fri, 14 May 2010 05:37:00 -0700

An interesting alliance of the gambling industry and various sports organizations is at war with cheating in sports. The Internet has enabled sports wagering on an unprecedented scale. You can bet on any sporting event, pretty much anywhere on the planet.

It is an open invitation to fraud and money laundering.

The gambling industry is very concerned about crooked wagering manipulating the results and, of coruse, the various sports groups don't like their games being manipulated.

Players and teams are getting banned.

There have been allegations in soccer, tennis, and now snooker and horse racing.

This is only going to get worse. Online wagering has an insatiable appetite for action. More games. More races. More matches.

Smaller venues and local events will make it ever harder to fight corruption.

More to come.

B. Wilson (2010), "Sport and gambling united against cheating", http://news.bbc.co.uk/2/hi/business/10099724.stm

Poker - Skill or Chance in Colorado?

ceo@secureplay.com (SecurePlay) — Thu, 13 May 2010 05:35:00 -0700

The battle over whether poker is a game of skill vs. chance continues. This time, Colorado is the venue. A district court brought in an expert witness who judged poker a game of skill. An appellate court threw the testimony out as poker had been previously defined as a game of chance by law (in general, games of skill are not gambling in Colorado).

Finally, the state Supreme court would not hear the appeal, so poker stands as a game of chance.

"Poker Game of Chance or Skill Under Colorado Law?", http://frankfurt-trani.com/poker-game-of-chance-or-skill-under-colorado-law/

NOTED: Arxan enters the game security market

ceo@secureplay.com (SecurePlay) — Thu, 13 May 2010 05:19:00 -0700

Arxan, a company with a long history in anti-tamper technology for software, is moving into the game security market.

From the look of things, they have both data and code obfuscation technology.

Even if perfect (which is not possible), these techniques can only help with some game security problems.

For most online games, the real security of the system is in the architecture and controlling the game logic on the server - where obfuscation is not necessary.

For conventional anti-piracy, obfuscation is only part of the solution.

There is isn't a lot of information on Arxan's site, hopefully, there will be more data forthcoming.

"GuardIT Family of Products", http://www.arxan.com/software-protection-products/GuardIT/index.php

"Key Protection - TransformIT", http://www.arxan.com/software-protection-products/key-protection/index.php

"Secure Node-locking for Hardware Identification", http://www.arxan.com/software-protection-products/secure-node-locking/index.php

"Game Over for Hackers and Cheaters: Arxan to Demonstrate its Innovative Online Gaming Software Security Solution at LOGIN 2010 Conference", http://www.prweb.com/releases/2010/05/prweb3987204.htm

Terrible Crypto at the Cereus Poker Network - Ultimate Bet and Absolute Poker

ceo@secureplay.com (SecurePlay) — Tue, 11 May 2010 05:27:00 -0700

Crypto Shypto! Who cares that good cryptography is both free and relatively easy to implement?

A while back Ultimate Bet and Absolute Poker had a serious problem with a back door that certain players were using to cheat. It looks like the Cereus Poker Network, which now owns Ultimate Bet and Absolute Poker inherited some terrible network software which allows anyone with access to the link between the player and the poker server to read out your cards.

And your password.

The attack seems to have taken just a slight bit of effort to dump the network packet data in order to reconstruct the key.

Cereus is taking the attack seriously and working on a patch. They have not taken the service offline. Its a fair choice - the attacker would actually need to get onto the link between the player and the server.

The researchers recommend OpenSSL.

A Digression.

An interesting exploit to try with someone who uses something like OpenSSL would be to simply try to set up your own secure connection - either using another client or just trying to connect to see if the Public Key part of the infrastructure is tied into the application.

Don't write your own cryptographic software!

"PTR Security Alert: Cereus Poker Network", http://www.pokertableratings.com/blog/2010/05/ptr-security-alert-cereus-poker-network/

"PTR Security Advisory: Cereus Poker Network uses weak encryption", http://www.pokertableratings.com/blog/2010/05/ptr-security-advisory-cereus-poker-network-uses-weak-encryption/

"Cereus Poker Security Response", http://www.pokertableratings.com/blog/2010/05/cereus-poker-security-response/

via

"New Software Flaw for Absolute Poker and UltimateBet ", http://www.recentpoker.com/news/ap-ub-software-flaw-7101.html

Zynga vs. Facebook - Breakin Up is Hard On You

ceo@secureplay.com (SecurePlay) — Mon, 10 May 2010 05:58:00 -0700

Facebook needs games. They drive engagement and keep people on Facebook. Zynga needs a massive social network for its viral game strategy to work. So, it is only fitting that these two companies who could be successful partners are preparing to split.

First, Apple and Adobe, now Facebook & Zynga?

Facebook and Zynga are deeply interdependent. They need each other to succeed. Yes, if Zynga left, other games could conceivably grow to comparable popularity, but such game developers would always be looking over their shoulder to see if Facebook was becoming unhappy with their success as well.

The move of Facebook off of Facebook.com complicates the situations for both companies as this new Facebook channel may open up huge new game, business, and other opportunities for each.

The biggest sticking point seems to be Facebook's virtual currency which is apparently going to take a 30% haricut from anyone who uses it.. and that Facebook is forcing its Credits onto everyone who is using Facebook.

The real question is - what is the "price" for this marriage to stay together?

30% is too high. 5% will just cover costs, so the number is somewhere in between.

A typical "reseller" program would be around 20%... and that kind of number would make Zynga see Facebook as an outsourced payment service instead of a threat.

It will be interesting to see if the two companies can work things out. They do have much more to gain from working together.

M. Arrington (2010), "Zynga Gunning Up (And Lawyering Up) For War Against Facebook With Zynga Live",
http://techcrunch.com/2010/05/07/zynga-gunning-up-and-lawyering-up-for-war-against-facebook-with-zynga-live/#ixzz0nT9WZx2Q

Towards the perfect Botting Tool - Sikuli

ceo@secureplay.com (SecurePlay) — Tue, 04 May 2010 06:04:00 -0700

What would be the perfect botting tool? It would not be tied to a specific game, it would grab the screen information directly, and, ideally, it would have a visual programming environment.

A visual testing tool.

MIT students have come to help with the problem - Sikuli. Its a pretty nifty, open source GUI testing tool that I stumbled onto.

Its a pretty neat testing tool, at the very least.

"PROJECT SIKULI", http://groups.csail.mit.edu/uid/sikuli/

NOTED: Nexon MMO shopping spree

ceo@secureplay.com (SecurePlay) — Fri, 07 May 2010 05:21:00 -0700

Nexon has acquired two game companies this past week. First, NDoors, makers of Atlantica Online, and now GameHI, makers of Sudden Attack (a FPS MMO that is very popular in Korea).

D. Takahashi (2010), "Nexon in talks to acquire Korean online game developer GameHI", http://games.venturebeat.com/2010/05/06/nexon-in-talks-to-acquire-korean-online-game-developer-gamehi/

ONE MILLION DOLLARS for MLB 2K10 Perfect Game in 2 Months

ceo@secureplay.com (SecurePlay) — Thu, 06 May 2010 05:15:00 -0700

Take Two's MLB 2K10 console baseball simulation launched this year with a bit of an unusual promotion: The first player to pitch a perfect game (and record it), would win $1 Million.

The game launched on 2 March 2010 and a 23-year old, Wade McGilberry of Alabama, won the day the game launched.

He did it the 5th or 6th game that he played, in just an hour and a half.

Not surprising.

Historically, there has been 1 perfect game per decade - about 1 per 25,000 games.

Unless the product was going to totally bomb, there was no way it wasn't going to sell 25,000 copies pretty fast and those folks were probably going to play at least one game each.

There have been a number of subsequent perfect games.

I hope Take Two wasn't surprised.

It sure was a good promotion... according to Wade McGilberry:

"I think it's really good publicity," he said. "I wouldn't have bought the game if not for that."

B. Ortutay (2010), "23-year-old wins $1M playing baseball video game", http://news.yahoo.com/s/ap/20100505/ap_on_hi_te/us_tec_video_game_baseball_perfection

"ONE MILLION DOLLARS - MLB 2K10's Perfect? Game Promotion", http://playnoevil.com/serendipity/index.php?/archives/2833-ONE-MILLION-DOLLARS-MLB-2K10s-Perfect-Game-Promotion.html

Eve Online Invisibility Exploit

ceo@secureplay.com (SecurePlay) — Wed, 05 May 2010 05:59:00 -0700

This exploit is just kinda cool. In Eve Online, players find each other's ships with sensors.. and when they show up on the chat channel.

The exploit works by filtering out the chat channel network traffic magically making the exploiters disappear (or rather not appear) in the chat channel.

Why does the exploit work so easily?

Laziness, ultimately (or software reuse).

I'm not criticizing CCP for being lazy (too much), but for efficiently reusing existing software.

Almost certainly, the chat application uses a different IP port and is not really integrated with the rest of the game. This made it very easy to filter on the network using a router or firewall.

This is also why the fix was so easy. Basically, all that would be necessary would be for CCP to use the main game application to "force" all users into the chat channel rather than letting the chat client application manage the channel itself (the old "authoritative client" problem rises again).

It would be interesting to see how many other MMOs have a similar problem and if it can be exploited within their game systems and rules.

B. Strain (2010), "Hotfix deployed for EVE Online invisibility exploit", http://www.massively.com/2010/04/29/hotfix-deployed-for-eve-online-invisibility-exploit/

NOTED: Game Security Interview with Patrick Wyatt of En Masse on TERA

ceo@secureplay.com (SecurePlay) — Tue, 04 May 2010 05:59:00 -0700

TeraHispano.com has a good interview with Patrick Wyatt, COO of En Masse Entertainment, about game security and the company's plans for the TERA MMO. He briefly covers gold farming, griefing, and private servers.

"TeraHispano.com interviews En Masse ", http://www.terahispano.com/joomla/component/content/article/1-latest-news/177-02052010enmasseentrevista

Mortal Online threatening Hackers with Banning

ceo@secureplay.com (SecurePlay) — Mon, 03 May 2010 05:43:00 -0700

Mortal Online, another MMO with a cheating problem, is threatening to ban players using third party programs:

· New monitoring tools (anyone using any hacking program or similar not allowed third party program or tools will be instantly permanently banned, anyone altering or hacking game files in any way will be instantly permanently banned)

Last part first... there should be no reason that "anyone altering game files" should be a problem. In pretty much every MMO, this threat is a given and the game should be designed so that it doesn't matter. In fact, if you've got a problem with altering game files, you are definitely going to have problems with memory editors, like Cheat Engine.

As to the third party programs, the tools available have not done very well for other games.

And, with proper server design, once again, why, WHY, would the game have problems with third party programs... and why NOW in the game's development?

Maerlyn (2010), "Current Development (New Section)", http://www.mortalonline.com/forums/41028-current-development-new-section.html#post840061

via

K. Voecks (2010), "Mortal Online busting out tremendous banhammer on hackers", http://www.massively.com/2010/04/27/mortal-online-busting-out-tremendous-banhammer-on-hackers/

COPPA Review - Call for Comments - IMPORTANT

ceo@secureplay.com (SecurePlay) — Fri, 30 Apr 2010 05:54:00 -0700

COMMENT ON COPPA! COPPA, the Children's Online Privacy Protection Act is 10 years old and up for review. There are only a couple of comments so far. The issues raised by COPPA and worthy of participation from individuals and businesses.

COPPA has actually been a boon for businesses as it does provide a safe harbor for those who comply.

This matters! Participate!

There is a COPPA workshop on 2 June.

You can comment on what you want, but specific topics of interest include:

A. General Questions for Comment
1. Is there a continuing need for the
Rule as currently promulgated? Why or
why not?
a. Since the Rule was issued, have
changes in technology, industry, or
economic conditions affected the need
for or effectiveness of the Rule?
b. What are the aggregate costs and
benefits of the Rule?
c. Does the Rule include any
provisions not mandated by the Act that
are unnecessary or whose costs
outweigh their benefits? If so, which
ones and why?

2. What effect, if any, has the Rule
had on children, parents, or other
consumers?
a. Has the Rule benefited children,
parents, or other consumers? If so, how?
b. Has the Rule imposed any costs on
children, parents, or other consumers? If
so, what are these costs?
c. What changes, if any, should be
made to the Rule to increase its benefits,
consistent with the Acts requirements?
What costs would these changes
impose?

3. What impact, if any, has the Rule
had on operators?
a. Has the Rule provided benefits to
operators? If so, what are these benefits?
b. Has the Rule imposed costs on
operators, including costs of compliance
in time or monetary expenditures? If so,
what are these costs?
c. What changes, if any, should be
made to the Rule to reduce the costs
imposed on operators, consistent with
the Acts requirements? How would
these changes affect the Rules benefits?

4. How many small businesses are
subject to the Rule? What costs (types
and amounts) do small businesses incur
in complying with the Rule? How has
the Rule otherwise affected operators
that are small businesses? Have the
costs or benefits of the Rule changed
over time with respect to small
businesses? What regulatory
alternatives, if any, would decrease the
Rules burden on small businesses,
consistent with the Acts requirements?

5. Does the Rule overlap or conflict
with any other federal, state, or local
government laws or regulations? How
should these overlaps or conflicts be
resolved, consistent with the Acts
requirements?
a. Are there any unnecessary
regulatory burdens created by
overlapping jurisdiction? If so, what can
be done to ease the burdens, consistent
with the Acts requirements?
b. Are there any gaps where no
federal, state, or local government law
or regulation has addressed a
problematic practice relating to
childrens online privacy? Could or
should any such gaps be remedied by a
modification to the Rule?
B. Definitions

6. Do the definitions set forth in
§ 312.2 of the Rule accomplish COPPAs
goal of protecting childrens online
privacy and safety?

7. Are the definitions in § 312.2 clear
and appropriate? If not, how can they be
improved, consistent with the Acts
requirements?

8. Should the definitions of collects
or collection and/or disclosure be
modified in any way to take into
account online technologies and/or
Internet activities and features that have
emerged since the Rule was enacted or
that may emerge in the future? For
instance, how will the use of centralized
authentication methods (e.g., OpenId)
affect individual websites COPPA
compliance efforts?

9. The Rule considers personal
information to have been collected
where an operator enables children to
make personal information publicly
available through a chat room, message
board, or other means, except where the
operator deletes all individually
identifiable information from postings
by children before they are made public
and deletes such information from the
operators records.
a. Are there circumstances in which
an operator using an automated system
of review and/or posting meets the
deletion exception to the definition of
collection?
b. Does the Rules current definition
of delete provide sufficient guidance
to operators about how to handle the
removal of personal information?
10. Should the definition of
collection be modified or clarified to
include other means of collection of
personal information from children that
are not specifically enumerated in the
Rules current definition?

11. What are the implications for
COPPA enforcement raised by
technologies such as mobile
communications, interactive television,
interactive gaming, or other similar
interactive media, consistent with the
Acts definition of Internet?

12. The Rule defines personal
information as individually identifiable
information about an individual
collected online, and enumerates such
items of information. Do the items
currently enumerated as personal
information need to be clarified or
modified in any way, consistent with
the Act?

13. Section 1302(8)(F) of the Act
provides the Commission with
discretion to include in the definition of
personal information any identifier
that it determines would permit the
physical or online contacting of a
specific individual.
a. Do operators, including network
advertising companies, have the ability
to contact a specific individual, either
physically or online, using one or more
pieces of information collected from
children online, such as user or screen
names and/or passwords, zip code, date
of birth, gender, persistent IP addresses,
mobile geolocation information,
information collected in connection
with online behavioral advertising, or
other emerging categories of
information? Are operators using such
information to contact specific
individuals?
b. Should the definition of personal
information in the Rule be expanded to
include any such information?

14. Are providers of downloadable
software collecting information from
children that permits the physical or
online contacting of a specific
individual?

15. Should the Rule define the
physical or online contacting of a
specific individual, website, online
service, or any other term not currently
defined? If so, how should such terms
be defined, consistent with the Acts
requirements?

Request for Public Comment on the Federal Trade Commissions Implementation of the Childrens Online Privacy Protection Rule

# 339; Project No. P104503; 16 C.F.R. Part 312; Public Comment(s) on the Federal Trade Commissions Implementation of the Childrens Online Privacy Protection Act (COPPA) Through the Childrens Online Privacy Protection Rule (COPPA Rule)

Avatar Blu-ray Piracy Problem

ceo@secureplay.com (SecurePlay) — Thu, 29 Apr 2010 05:22:00 -0700

Avatar breaks another record with 200,000 pirate Blu-ray downloads in the first 4 days of its release.

So much for Blu-ray's anti-piracy characteristics...

Now, I'm sure the Blu-ray dudes will come out with some sort of fix for the hack.

But that won't do James Cameron any good.

B. Parfitt (2010), "Avatar most pirated Blu-ray ever", http://www.mcvuk.com/news/38742/Avatar-most-pirated-Blu-ray-ever

Account sharing on Sony's Playstation Network and Capcom's Final Fight

ceo@secureplay.com (SecurePlay) — Wed, 28 Apr 2010 05:38:00 -0700

Sony's Playstation Network is rather different from Microsoft's Xbox Live in that games are tied to an account instead of a console. PSN players can install a game on up to five consoles. Clever users are "timesharing" games using a single purchase to install games on five consoles and share the game... basically buying a game for 1/5th the price.

Capcom has added a layer of "DRM" to its PSN game, Final Fight. This retro game requires players to login with the account of the person who purchased the game originally in order to play and in order to login, the player has to be connected to the PSN.

So, Capcom is requiring the same continuous connection that is getting Ubisoft in trouble, but on a console instead of a PC.

Account sharing may also be a problem for other online services like Steam.

J. Fletcher (2010), "PS3 Final Fight: Double Impact requires PSN connection", http://www.joystiq.com/2010/04/21/ps3-final-fight-double-impact-requires-psn-connection/

via

" Final Fight Brings Restrictive DRM To the PS3", http://games.slashdot.org/story/10/04/23/0536246/Final-Fight-Brings-Restrictive-DRM-To-the-PS3

"Capcom's Response on the Final Fight DRM", http://boards.ign.com/ps3_general_board/b8267/191330467/p1/

Blizzard bans 320,000 accounts from Battle.net for cheating

ceo@secureplay.com (SecurePlay) — Thu, 22 Apr 2010 05:18:00 -0700

Blizzard banned 320,000 Warcraft III and Diablo II accounts for cheating, seemingly for using third party programs and exploits:

Weve recently banned over 320,000 Warcraft III and Diablo II accounts that were found to be violating the Battle.net Terms of Use. If this is a first offense, the CD key associated with the banned account will be suspended for 30 days, while repeat offenders will see their keys banned permanently. All account ban decisions are final.

We would like all players to remember that abuse of unintended mechanics and/or use of third party programs is a violation of the agreement made when signing on to Battle.net, and can subject your account to disciplinary action up to and including a permanent ban of its access to the service. These types of activities can severely impact the stability of our servers, and well continue to aggressively monitor Battle.net in order to protect the service and its players from the harmful effects of cheating.

Many account closures come as the direct result of tips emailed to our hacks team by legitimate Battle.net users. If you come across a hack, find a site responsible for distributing hacks, or have a replay of a newly available hack, please report this to our hacks team at hacks@blizzard.com or through our Hacks Report Form at http://us.blizzard.com/support/article.xml?locale=en_US&tag=hacksform

As always, thank you for your continued support, and we'll see you on Battle.net!

"Diablo II and Warcraft III Battle.net Bans", http://forums.battle.net/thread.html?topicId=24401612571&sid=3000

I wanna be an Indie MMO - Dofus and Runescape Thrive

ceo@secureplay.com (SecurePlay) — Wed, 21 Apr 2010 05:20:00 -0700

Its not bad to be an indie MMO. Dofus from Ankama Games just announced 3.5 million subscribers and 30 million registered users since launch in 2004. The subscribers pay 5 a month or $283 Million per year. The game has 250,000 peak concurrent users and is turn-based.

Wow.

This follows on the recent disclosure that Jagex games reported $58 Million in revenue in 2009 and $27 Million in profits for Runescape.

E. Caoili (2010), "Dofus Reaches 30 Million Registered Users, 3.5 Million Subscribers",
http://www.gamasutra.com/view/news/28171/Dofus_Reaches_30_Million_Registered_Users_35_Million_Subscribers.php

"Free doesnt work? Try telling that to Jagex making £38m from one free game, RuneScape", http://www.gamesbrief.com/2010/04/free-doesnt-work-try-telling-that-to-jagex-making-38m-from-one-free-game-runescape/

NOTED: Wagering on Street Fighter IV competitions in the UK

ceo@secureplay.com (SecurePlay) — Tue, 27 Apr 2010 05:41:00 -0700

Paddy Poker, a major retail and online bookmaker in the UK, has announced a service to allow "punters" to wager on Street Fighter IV competitions.

For the wagering firm, this is just another way to generate action. It will be interesting to see if they hook up with some television or web video service to stream the games online.

Few details are provided. It is unclear if the virtual fighters are going to get a piece of the action (as is done with horse and dog racing) or are paid a straight purse.

If this has any success, there will likely need to be much more serious regulation of these virtual sports as there will be the usual risks of fraud, collusion, etc. found in other sports with wagering.

Also, of course, will be the fun of other wagering firms leaching portions of the wagering pool - a problem that plagued the horse racing industry (though I haven't heard anything about it for a while).

Very interesting.

T.Pakinkis (2010), "First ever video game betting service announced", http://www.computerandvideogames.com/article.php?id=244172?cid=OTC-RSS&attr=CVG-News-RSS

via

L. Plunkett (2010), "Finally, We Can Bet Money On Street Fighter Matches", http://kotaku.com/5524380/finally-we-can-bet-money-on-street-fighter-matches

B. Ashcraft (2010), "I Can Kick Your Butt, Wanna Bet?", http://kotaku.com/5392538/i-can-kick-your-butt-wanna-bet

NCSoft anti-Power Leveling video for Aion

ceo@secureplay.com (SecurePlay) — Mon, 26 Apr 2010 05:07:00 -0700

Scott Jennings posted this video from his employer, NCSoft. A "public service announcement" warning users about the dangers of power-leveling in their new MMO, Aion.

Its entertaining and largely correct. From my understanding, power-leveling firms basically use a game's password recovery system to reclaim accounts, if they are not ethical.

They can use the accounts for spamming on behalf of gold farmers and, of course, loot the account after they've been paid to level it up.

I would say that the biggest flaw with the video is that it does not explain power-leveling well enough for "Mom" to understand and anyone who knows what power-leveling is probably knows what they are getting into.

I've got to say that the kid in the video must be stretching Aion's age limits, but I could not easily find an age limit on the Aion web site.

Oh, right...

Don't use power-leveling services!

S. Jennings (2010), "A Public Service Announcement From The People Who Give Me Money On A Regular Basis", http://brokentoys.org/2010/04/22/a-public-service-announcement-from-the-people-who-give-me-money-on-a-regular-basis/

Pink Floyd, Mozart, Beethoveen, Piracy, and the Future of Music

ceo@secureplay.com (SecurePlay) — Fri, 23 Apr 2010 05:23:00 -0700

Why are songs a couple of minutes long? It works on commercial radio. Why are albums 60 to 90 minutes? The LP from the late 1940s.

Classical music durations were based on concert performance needs, either for single works or assembled in a group in a program.

Pink Floyd just won a lawsuit against EMI for selling individual tracks from the group's albums in violation of their contracts.

Perhaps it is time for music creators and publishers to create music that is "built for iTunes" and sold to suit the current market (ring tones... shudder!).

iTunes doesn't sell symphonies broken up into movements.

Simply breaking albums into singles probably costs the music industry 30 percent or more in sales as most people only want a couple of songs at most.

How do we fight music piracy? The answer is to change the business model to recognize the nature of the market. Tactics such as those tried by Nine Inch Nails where versions of an album range from free to quite expensive limited editions.

Can changing the length of musical works affect sales? Should they be shorter? longer?

Should artists create affiliate relationships with their listeners or issue bonds as David Bowie did or even shares in the artist as a "creative corporation"? Or even futures as are being considered for movie box office receipts?

Should I get "frequent flier miles" for attending a concert or buying a song?

Fight the war, you have, not the one you want. Live in the market you have, not the one you want.

Stopping Data Mining in Online Poker - The Quixotic Quest

ceo@secureplay.com (SecurePlay) — Mon, 19 Apr 2010 05:05:00 -0700

Recently, a well-known online poker player was suspended for using data mining against another player. He had 20,000 hands of his own (!!) and downloaded an additional 30,000 hands (!!!) to uncover the weaknesses and habits of his foe.

He admitted doing this and was suspended for a while.

Virtually all online poker sites have rules against data mining using other players data. However, as noted, online poker hands are essentially public, so the data is widely available (along with slick analytic tools). One writer noted that analyzing other players hands is just like soccer players or football players looking at the video of their opponents previous games - the information is available to everyone and serious players/teams use what is available to improve their performance.

As a practical note, it is pretty much impossible to stop anyone from data mining in online poker. Its like card counting in online blackjack or poker. It is well nigh undetectable.

Essentially, online poker and other such games are essentially different from face-to-face games. Game operators and other players should recognize that they are very likely to be facing a person with computer aided tools for hand analysis and strategy... after all, the games are being played on a computer.

One can recognize these tools and make them part of the "legal" game or bury one's head in the sand that this isn't going on everyday by virtually everyone.

J. Rodriguez (2009),"Online Poker -- The Data Mining Dilemma", http://www.cardplayer.com/poker-news/8221-online-poker-the-data-mining-dilemma

R. McAdam (2010), "Online Poker Data Mining - The Pro Opinion II", http://www.cardplayer.com/poker-news/8911-online-poker-data-mining-the-pro-opinion-ii

Nintendo's war against R4 Piracy in Japan setback

ceo@secureplay.com (SecurePlay) — Tue, 20 Apr 2010 05:13:00 -0700

Retailers in Japan are selling the R4 data cartridge again. Nintendo has fought hard against the R4 as it allows a standard SD card to be used to store games (and piracy, of course). In Japan, they got the R4 cartridges outlawed.

EXCEPT

There is no penalty for selling the R4s, so no prosecutions.

J. Batchelor (2010), "JAPAN: R4 card returns to shelves", http://www.mcvuk.com/news/38484/JAPAN-R4-card-returns-to-shelves

China Online Game Operators offering kinda sorta Refunds

ceo@secureplay.com (SecurePlay) — Fri, 16 Apr 2010 05:46:00 -0700

Players in online games sometimes quit and leave money in their accounts. In the US, and, I suspect China, the people have rights to their money.

As a way to "cash out" these players, and, hopefully to bring them back to their games, several Chinese game companies, including Shanda and Giant Interactive are giving game currency, and in some cases cash, to these wayward players.

Ah, the joy of virtual currencies.

The free currency doesn't really cost the game companies anything, but does get players back involved. And the free cash, no doubt, will be more quickly (and generously) available as game currency and only eventually as cold currency.

"China Online Game Operators in Account Repurchase Frenzy", http://www.tradingmarkets.com/news/stock-alert/game_game_china-online-game-operators-in-account-repurchase-frenzy-913648.html

NCsoft selects Kount Anti-Fraud to protect its MMOs

ceo@secureplay.com (SecurePlay) — Thu, 15 Apr 2010 05:07:00 -0700

NCsoft has chosen Kount's fraud management solution, according to a press release. The company has a range of technologies including device fingerprinting and "proxy piercing" and the usual features: geo-location, and lots of "data streams", etc.

"Fraud is readily apparent in our industry, plaguing online game publishers worldwide," said Steve Levy, global director of NCsoft Publishing Operations. "The implementation of Kount helps us alleviate fraud, allowing us to provide a safe and secure gaming environment for our fans."

Proxy piercing sounds kind of cool. My guess is that their is a piece of code that "phones home" to the company or some such with a unique ID that matches up with information that the game server gets.

The service also automates review of purchases which may be the real driver for NCsoft... reducing operational costs..

"Kount Provides Fraud Control to Global Online Game Publisher NCsoft", http://www.prnewswire.com/news-releases/kount-provides-fraud-control-to-global-online-game-publisher-ncsoft-90603739.html