Gary McGraw gave the talk “Breaking Online Games” at other conferences before, so this may be repeat material for some who have attended BlackHat or CSS in Washington earlier this year. (One difference is that apparently few security researches play World of Warcraft in the NDSS audience, neutralizing some of the gamer jokes.) At first the concept of cheating at online games seems out of place at a conference focused on fundamental security problems with a pragmatic bent: phishing, botnets, spyware, vulnerability research etc. But as McGraw pointed out there are two key observations making this topic very relevant:
1. MMORPGs foreshadow the future of massively distributed systems. World of Warcraft recently cracked 10M users (the slides had 8M, demonstrating how rapidly presentation material becomes outdated in this field) with up to half million online simultaneously.
2. There is real dollars at stake. Games like Linden’s Second Life– much smaller than WoW but far more visible in the media– have spawned a virtual economy that maps to transactions in the bricks-and-mortar economy complete with lawsuits. Even the devaluation of the dollar against foreign currencies such as the euro has a parallel in the going rate for gold coins. Cheating at online games then is about ill-gotten gains, a familiar theme for cybercrime.
The presentation itself was a broad overview of the security challenges in online games and stories of organized “exploit” opportunities it has given rise to, with references to the accompanying book. (There were also interesting digressions into eggregious EULAs, because it turns out World of Warcraft includes one to cover an ineffective anti-cheating solution that functions like spyware.) One implied conclusion is that designers for online games don’t in general grok the concept of security: traditionally it meant protecting the game against cracking and pirated distribution. The problem of contending with untrusted clients “outside the trust boundary” as McGraw puts it has not made it into the design philosophy.