PROTECTING GAMES: A SECURITY HANDBOOK FOR GAME DEVELOPERS AND PUBLISHERS
STEVEN B. DAVIS
Charles River Media
A part of Course Technology, Cengage Learning
Australia, Brazil, Japan, Korea, Mexico, Singapore, Spain, United Kingdom, United States

© 2008 IT GlobalSecure, Inc.
Publisher and General Manager, Course Technology PTR: Stacy L. Hiquet
Associate Director of Marketing: Sarah Panella
Manager of Editorial Services: Heather Talbot
ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced, transmitted, stored, or used in any form or by any means graphic, electronic, or mechanical, including but not limited to photocopying, recording, scanning, digitizing, taping, Web distribution, information networks, or information storage and retrieval systems, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the publisher.
Marketing Manager: Jordan Casey
Senior Acquisitions Editor: Emi Smith
Project/Copy Editor: Kezia Endsley
PTR Editorial Services Coordinator: Jen Blaney
Interior Layout: Shawn Morningstar
Cover Designer: Mike Tanamachi
Indexer: Valerie Haynes Perry
Proofreader: Ruth Saavedra

For product information and technology assistance, contact us at Cengage Learning Customer and Sales Support, 1-800-354-9706.
For permission to use material from this text or product, submit all requests online at cengage.com/permissions.
Further permissions questions can be emailed to [email protected]

The information contained in this publication is not intended to convey or constitute legal advice on any subject matter. Readers should not rely on the information presented in this publication for any purpose without seeking the legal advice on the specific facts and circumstances at issue from a licensed attorney. Readers should not consider the information presented in this publication to be an invitation for an attorney-client relationship, and providing the information in this publication is not intended to create an attorney-client relationship between you and any author or contributor to this publication. The information in this publication contains general information that is intended, but cannot be guaranteed, to be always up-to-date, complete and accurate. Any representation or warranty that might be otherwise implied is expressly disclaimed. The authors and contributors expressly disclaim all liability or responsibility in respect to actions taken or not taken based on any or all of the information contained in this publication.
Material in this book may include discussion regarding issues reported in the public media and public legal system regarding services, products, and other material that may be subject to laws granting copyright protection. These issues are discussed for illustrative purposes only and the facts presented are limited to that purpose. Those wishing to seek further information about any illustrative point discussed are encouraged to engage further research. All trademarks are the property of their respective owners. Library of Congress Control Number: 2008932480 ISBN-13: 978-1-58450-670-6 ISBN-10: 1-58450-670-9 eISBN-10: 1-58450-687-3 Course Technology, a part of Cengage Learning 20 Channel Center Street Boston, MA 02210 USA Cengage Learning is a leading provider of customized learning solutions with office locations around the globe, including Singapore, the United Kingdom, Australia, Mexico, Brazil, and Japan. Locate your local office at: international.cengage.com/region Cengage Learning products are represented in Canada by Nelson Education, Ltd.
Printed in the United States of America
For your lifelong learning solutions, visit courseptr.com Visit our corporate website at cengage.com
For my parents, sisters, family, friends, teachers, and colleagues. Thank you for your patience.
Acknowledgments
First, I would like to thank Emi Smith, Kezia Endsley, and the team at Cengage Learning for taking the chance to publish a book on game security.
Thank you to my readers at PlayNoEvil.com who, through their interest and engagement, have sustained me through the past several years. Thank you to Cheryl Campbell, my great friend and business partner for over 10 years at IT GlobalSecure and also my tireless editor. A special thank you to Joseph Price and Marcus Eikenberry, for their contributions to this book. Thank you to Adam Martin, Pierre Laliberte, Alexandre Major, Marc-André Hamelin, and the other industry professionals who provided invaluable editorial input to the book. Thank you to Richard Davis and Eleanor Lewis for their editorial help. Thank you to my teachers, mentors, friends, and colleagues at the National Security Agency (especially my coworkers in R56, V6, and C7) who instilled in me a passion for the security field and an appreciation for how security “fits” in to the rest of the world. Specifically, Mark U., Brian S., Tim W., Bill M., Cecil S., Sid G., Tanina G., Bill U., Nancy G., Jim A., Ed G., Ed D., Robert W., Bob D., and many others. Finally, thank you to the game industry and gaming industry professionals who have welcomed a strange “security guy” into their midst. Although many people have contributed, the final responsibility for the form, style, content, and everything else related to this work is ultimately mine.
About the Author
Steven Davis has over 22 years of IT and IT security expertise and has focused on the security issues of the gaming industry for more than a decade. He advises game companies, governments, and regulators around the world. Mr. Davis has written numerous papers and speaks at conferences on all aspects of game security. He is the author of the game security and industry blog, PlayNoEvil (http://www.playnoevil.com/). Mr. Davis has international patents on game security and IT security techniques, most notably the anti-cheating protocols that underlie the SecurePlay (http://www.secureplay.com) anti-cheating library. He has designed several games, including DiceHoldem (http://www.diceholdem.com), and acts as a design consultant. He is the CEO of IT GlobalSecure (http://www.itglobalsecure.com), which develops game security products and provides game security, IT security, and game design and evaluation services. Mr. Davis’ experience includes security leadership positions at the U.S. National Security Agency (NSA), CSC, Bell Atlantic (now Verizon), and SAIC. He has extensive cryptographic and key management design experience, including work on Nuclear Command and Control systems, the Electronic Key Management System, and numerous other commercial and government projects. Mr. Davis has a BA in Mathematics from UC Berkeley and a Masters Degree in Security Policy Studies from George Washington University.
About the Contributors
Joseph Price is an Associate in the Antitrust and Telecommunications practice groups at Kelley Drye & Warren LLP, with a track record of successfully representing companies in strategic mergers and acquisitions, and is especially adept at working with companies to structure transactions and achieve business goals with competition and antitrust issues. With a particular expertise on counseling companies in regulated industries, Mr. Price has helped clients protect interests threatened by consolidation in the communications industry. He has obtained FTC and DOJ Antitrust Division clearance on numerous transactions, and provides Hart-Scott-Rodino Premerger Notification counseling, preparation, and filing on behalf of many clients, including technology-related entities, equity funds, investment funds, and targets of investments. Mr. Price represents clients in public and nonpublic DOJ and FTC investigations and has served as counsel in public and nonpublic FBI, FCC, and State Attorneys General investigations and enforcement matters, including formal and informal administrative complaint proceedings. Mr. Price also provides a full range of legal services for clients that provide technology and broadband services. He works to assist clients achieve business goals, whether they involve access to cutting-edge technologies, growth of market share, product development, or expansion of distribution channels. Mr. Price speaks and writes frequently on antitrust, technology, media, telecommunications, and network security subjects, including the Communications Assistance for Law Enforcement Act (CALEA). His analyses have been quoted in a variety of publications, including Wired, BoardWatch, and Light Reading. Previously, Mr. Price served as a law clerk to Judge Edwin H. Stern of the New Jersey Appellate Division. While earning his J.D. at Catholic University, he served as Editor-in-Chief of the law journal, CommLaw Conspectus: Journal of Communications Law and Policy, and received an advanced certificate from the Communications Law Institute.
Marcus Eikenberry is a serial entrepreneur. He makes his living dealing in intangible goods and services within online video games. His companies sell huge volumes of game registration codes and game time codes as well as providing anti-fraud solutions for other sellers within these online gaming markets. Back in 1990 when the Internet was just for universities and the government, Mr. Eikenberry was doing computer hardware sales to the public. Fraud was very rare and not something that needed much attention. In 1993 when Mosaic hit the public, he attempted to start doing business on the web. In 1994, he published computer hardware sales sheets and started doing mail order sales. Because he didn’t like dealing with physical products, he looked for other products to sell that did not require shipping. In December of 1997, he found the perfect item to sell: intangible goods within online video games. Marcus is a pioneer of sales of these intangible video game items and services. Today, Mr. Eikenberry owns Markee Dragon Inc., which includes several companies, including: TrustWho (www.TrustWho.com)—Anti-fraud services providing transaction processing and payment verification for companies experiencing high fraud rates. Markee Dragon (www.MarkeeDragon.com)—The largest site in the world for the buying, selling, and trading of online game accounts. It is estimated that over 2.5 million dollars worth of accounts and services trade hands in this site’s forums monthly without any charges to the members. Shattered Crystal (www.ShatteredCrystal.com)—Where new game codes, upgrades, and game time have been sold to several hundred thousand satisfied customers since 2002.
Contents

Introduction

Part I  The Protection Game

1  Game Security Overview
    What Is Game Security?
    References
2  Thinking Game Protection
    Independence
    Lazy, Cheap, or Stupid
    Threats, Vulnerabilities, and Risk
    Beyond Protect, Detect, React
    Asymmetric Warfare
    Process, Testing, Tools, and Techniques
    Second Grader Security
    References

Part II  Piracy and Used Games

3  Overview of Piracy and Used Games
4  The State of Piracy and Anti-Piracy
    Determining the Scope of Piracy
    Trusted Brand Security: Nintendo and ADV
    Anti-Piracy Innovators: Nine Inch Nails and Disney
    Going Forward
    References
5  Distribution Piracy
    Preventing Duplication
    Detecting Duplication
    Collectables, Feelies, and Other Stuff
    Disk as Key
    License Keys
    Splitting and Key Storage
    Busted Pirate: Now What?
    References
6  DRM, Licensing, Policies, and Region Coding
    The Basics of DRM
    Why DRM Doesn’t Work
    Types of DRM Systems
    License Policy
    References
7  Console Piracy, Used Games, and Pricing
    Attacking Consoles
    The Used Games Market
    Pricing Pirates Out of Business
    References
8  Server Piracy
    Server Piracy Trends
    Authenticating the Server
    References
9  Other Strategies, Tactics, and Thoughts
    Measuring Piracy
    Fighting Pirate Networks
    Multi-Player Gaming
    Rich Interaction System
    Digital Affiliate System
    Playing with Secure Digital Distribution
    References
10  Anti-Piracy Bill of Rights
    Basic Fair Use Principles
    Registration Options
    Installation Options
    Connection Options
    References
11  The Piracy Tipping Point
    Determining the Goal of Anti-Piracy Policies
    References

Part III  Cheating

12  Overview of Cheating
13  Cheating 101
    Cheating and the Game Industry
    Fair Play
    Cheat Codes
    The CARRDS Reference Model
    The Remote Data Problem
    Security, Trust, and Server Architectures
    Random Events
    Player Collusion
    Business Models and Security Problems
    References
14  App Attacks: State, Data, Asset, and Code Vulnerabilities and Countermeasures
    Memory Editors, Radar, and ESP
    Data Obfuscators
    Code Hacks and DLL Injection
    Blind Security Functions, Code Obfuscators, and Anti-Tamper Software Design
    Save Game Attacks, Wallhacks, and Bobbleheads
    Secure Loader and Blind Authentication
    References
15  Bots and Player Aids
    Is It “Help” or Is It Cheating?
    CAPTCHAs: Distinguishing Players from Programs
    Cheat Detection Systems
    References
16  Network Attacks: Timing Attacks, Standbying, Bridging, and Race Conditions
    ACID, Dupes, and SQL Attacks
    Defensive Proxies
    Hacker Proxies
    Thinking About Network Time: Act, But Verify
    Securing Time
    References
17  Game Design and Security
    Design Exploits
    Collusion
    Trivia Games
    Word, Number, and Puzzle Games
    Algorithmic Games, Physics Flaws, and Predictable Behavior
    Speed, Twitch, Timing, and Pixel Precision
    Strong and Dominant Strategies and Deep Game Play
    Power of People: Rock-Paper-Scissors, Poker, and the World of Psychology
    Game Play Patterns: Combat Devolved
    Designing for the Medium
    References
18  Case Study: High-Score Security
    Cheating in High-Score Games
    Encryption, Digital Signatures, and Hash Functions
    Client-Server Option
    Randomly Seeded Client
    Alternative High-Score Strategies
    Puzzles, Skill-Based Games, and Other Deterministic Games
    Inappropriate Player Handles
    Summary
    References

Part IV  Social Subversion: From Griefing to Gold Farming and Beyond with Game Service Attacks

19  Overview of Social Subversion
20  Competition, Tournaments, and Ranking Systems (and Their Abuse)
    Understanding Tournaments and Ranking Systems
    Lobby Attacks
    Syndicates and Bots
    Tournament and Ladder Game Play Attacks
    Abandonment: The “Game Over” Game
    Game Operator Problems
    Identity Problems
    Countermeasures
    Retrofitting Games for Tournaments and Skill Games
    Summary
    Resources
21  Griefing and Spam
    Communications Griefing and Spam
    Game Play Griefing
    User-Created Content
    Liability and Business Risk
    References
22  Game Commerce: Virtual Items, Real Money Transactions, Gold Farming, Escorting, and Power-Leveling
    Amusement Park Economics
    Alternative Models
    On Virtual Items
    Gold Farming
    Gold Frauders, Online Thieves, and Insiders
    Potential Solutions
    Power-Leveling
    Escort Services, Subletting, and Virtual Prostitution
    Summary
    References
23  To Ban or Not To Ban? Punishing Wayward Players
    Crime, Credibility, and Punishment
    The Cost of Punishment: Who’s Being Punished?
    Possible Punishments and Credible Deterrence
    Summary
    References

Part V  The Real World

24  Welcome to the Real World
25  Insider Issues: Code Theft, Data Disclosure, and Fraud
    Code Theft and Other Data Disclosures
    Office IT Infrastructure
    Insider Fraud
    Playing Your Own Game
    Privileging and Isolation
    References
26  Partner Problems
    Contracting Security?
    Security Accountability in Third-Party Development
    Security Accountability in Third-Party Licensing
    Service Provider and Partner Security Issues
    Community and Fan Sites
    References
27  Money: Real Transactions, Real Risks
    Payment Processing
    Inside the Payment Process: PayPal
    Anti-Fraud
    Integration for Automation
    Payment Fraud
    References
28  More Money: Security, Technical, and Legal Issues
    PCI-DSS and Security
    Account Security, Virtual Items, and Real Money
    Money Laundering and Illegal Payments
    Money Laundering: Legal Issues
    References
29  Identity, Anonymity, and Privacy
    The State of Identity and Anonymity
    The Registration Problem and Identity Management Systems
    Age Verification
    Usage Controls and Game Addiction
    Account Compromise, Identity Theft, and Privacy
    Legal Requirements for Privacy Protection
    References
30  Protecting Kids from Pedophiles, Stalkers, Cyberbullies, and Marketeers
    Dealing with Cyberbullies, Pedophiles, and Stalkers
    Kids’ Communications, Parental Controls, and Monitoring
    COPPA
    Children and Identity
    Child Pornography
    References
31  Dancing with Gambling: Skill Games, Contests, Promotions, and Gambling Again
    What Is Gambling and What Is Not
    Accidental Casinos
    Skill Games
    Miscellaneous Security Issues
    Legal Considerations
    References
32  Denial of Service, Disasters, Reliability, Availability, and Architecture
    What Can Go Wrong, Will Go Wrong
    Denial of Service
    Scalability and Availability
    Sample Game Operations Architecture
    Disasters and Disaster Recovery
    Contingency Planning
    References
33  Scams and Law Enforcement
    Scams in Games
    Game Scams
    Law Enforcement
    Facilities Requirements: Potential Unexpected Laws and Regulations
    References
34  Operations, Incidents, and Incident Response
    Secure Operations
    Active Measures
    Incidents and Incident Response
    Public Relations and the Perception of Security
    References
35  Terrorists
    Virtual Terrorism
    Online Tools for the Modern Terrorist
    References
36  Practical Protection
    “We Have Met the Enemy and He Is Us”
    The Business of Game Protection
    In Closing
    References

A  Selected Game Security Incidents
B  Glossary
Index
Introduction
This book is intended to infect its readers with an interest and concern for game protection. My goal is not to preach to the “security converted,” but to convince game designers, developers, programmers, managers, marketeers, and artists that they should care about the security of their games and give them confidence that there are ways to secure their games.
Asian hackers hack for money, not glory. They do not share their hacks, but sell them and do not seem to be as sophisticated as those in the US and elsewhere who target services in the US.
—Whon Namkoong, CEO, NHN USA, Casual Game Conference 2007

Designers ask, “How can I make my game fun?” Executives ask, “How will this game make money?” Both questions have a security component: How can someone undermine my game’s play? How could someone play and not pay? What could undermine the success and potential of this game? Game protection is about answering these questions. Ignoring them can ruin the game and cost its creators their business.

Ideally, this book will also be useful for IT security and game security professionals. There is a lot of game security information scattered about on the Internet and in various press releases and magazine articles. This book brings this information together in one place.

When I started discussing game security, a number of industry professionals told me that the game industry needed its “Pearl Harbor” to bring security to the fore. Although there hasn’t been a single, spectacular and devastating attack, there is an ongoing guerrilla war that distracts the industry from its primary goal—to build great games. As a longtime security professional, I have found game security problems quite fascinating.
Even on a bad day, traditional IT security for business is relatively straightforward. There are only a limited number of things that can happen—money changes hands, maybe with a third party involved via escrow; assets move through a workflow process; and decisions need approval. Very rarely does IT security get deeply entwined into the unique aspects of a business. Not so with computer games. Even a simple card game has more complicated interactions than many business processes—information is concealed and shared, cards must be dealt fairly, wagers made and resolved—and most games are much, much more complicated. Customers are often the adversaries: exploiting game mechanics, stealing game assets, and hacking high scores and achievements. Games can have a wide range of rules, systems, and transactions limited solely by the imagination of the game developers, the skills of its programmers, and the strategies of its executives. Today, games face longstanding challenges from piracy and cheating with the new additions of protecting children and privacy. The list goes on and on and on. Plus, you still have all of the traditional IT concerns, including money, authentication, encryption, and so forth. Protecting games is fascinating, fun …and a whole lot of work.
KNOW YOUR FOE

The game industry is in a tremendous cycle of innovation with new games and game business models emerging. Participation is expanding beyond the industry’s traditional audience of teenage boys into a market that includes everyone from kids to mom, dad, and even seniors. The bad guys are following right along.

I began my security career at the National Security Agency working, mostly, on Nuclear Command and Control systems. Our adversary was the USSR—a highly motivated, skilled, well-funded, committed foe who would do whatever necessary to defeat us. Instead of the KGB’s staff and budget, game hackers and cheaters tap a global pool of talent who will happily attack a game for free with their only reward being pride at being the one who breaks the latest title: a serious foe to be taken seriously.

Even worse, criminals have learned that games are a lucrative target. A stolen World of Warcraft account is worth more than $10, whereas a stolen credit card number can be had for as little as $1.50. The game industry groups estimate that piracy costs billions of dollars a year.
Viruses, worms, and phishing scams aren’t just being created for fun. IT security threats are now a major criminal problem. Hackers don’t write viruses just to infect as many computers as possible; they write highly targeted worms that sniff game account passwords or loot online poker accounts.
STRUCTURE AND CONTENT
Most security books are structured around technologies or solutions: encryption, firewalls, digital signatures, and so on. Because the subject of this book is protecting games, I have organized it around the topics that game developers care about, including piracy, cheating, tournament hacking, gold farming, protecting children, and protecting identity. Many attacks on games and security methods use common underlying techniques and so there is some redundancy of exposition. For example, memory editors are useful for piracy and cheating, whereas challenge/response protocols are useful to protect high scores and remotely authenticate software. Interestingly, traditional security techniques such as encryption and digital signatures are much less effective for protecting games because most of our attention is focused on insider attackers who have access to the platform and software and therefore can often access cryptographic keys or circumvent digital signature functions. Cryptography still has an important part to play in protecting games. However, because this text is targeted at general readers, I do not spend much time explaining the details of the cryptographic protocols I discuss. There are plenty of books on these topics for interested readers. I try to draw example games from the entirety of the industry—everything from gambling and skill games to advergames, casual games, subscription MMOs, free-to-play games, and first person shooters. Occasionally, I will cite examples from traditional (and not so traditional) board and card games, as it is often easier to understand the actual game mechanisms when there are no fancy graphics or animations. There are numerous specific security incidents cited throughout the book, drawn from fairly credible press or public sources. The actual facts of the incidents are often unknown, as game companies, like most other businesses, are not in a hurry to share the details of their security problems.
Often I am guessing as to what the underlying problem is and what a plausible solution could be, based on my experience. When I have been given official knowledge of game security problems, I am almost always constrained by a non-disclosure agreement. The specific security incidents discussed are not an indictment of any individual, developer, or publisher, and certainly not an endorsement of any hacker.
In most cases, there is no way to verify that the descriptions or problems are completely accurate. Rather, the incidents should be considered examples of the types of problems that games and game developers face. Many of the countermeasures that I discuss are non-technical. I am a big believer in trying to find easy ways to avoid problems rather than always solving problems with a technical fix. If possible, I try to include multiple solutions since your game and your environment may be far different than my examples. If nothing else, I want to show that protecting games is not purely, or even primarily, a technical problem. I do include some pseudo-code. It isn’t C or Java or Python, but simply an efficient way to describe various algorithms, protocols, and processes.
ATTACK TOOLS AND TECHNIQUES
I discuss attack tools and techniques throughout the book. If possible, I try to keep the discussion at a generic level and not give sufficient information to implement a specific attack on any specific game or product. I do mention several widely known tools for hacking games. This is not an endorsement of these products, confirmation of their functionality, or a recommendation of any kind. Anyone who considers using such attack tools should do so with great caution. Criminals delight in including key-loggers, spyware, adware, and an abundance of other malicious code with installation packages for hacking tools. Even compiling these tools from source code can be risky—are you really going to examine every line of code and every included library?
ONWARD

This book is the product of over seven years of tracking and analysis of game security issues, the last three of them covered in my blog, PlayNoEvil (http://www.playnoevil.com/). My hope is that I convey some of the excitement that I feel when a new game problem comes along... and, even better, my satisfaction when I see or create a solution. The game industry is in the midst of an amazing transformation and I believe that protecting games will be critical to the success of that transformation.

Steven B. Davis
October, 2008
Part I
The Protection Game

In this part, you’ll find the following topics:
Chapter 1, “Game Security Overview”
Chapter 2, “Thinking Game Protection”

Chapter 1
Game Security Overview
Why should we worry about game security? Who should worry about game security? What exactly is game security? How much should we worry about game security?
Welcome to the “security game.”
Everybody plays the security game. You play whether you want to or not. You are playing the security game when you build or operate a game: Your customers want to play for free, always win, say what they want, and do what they want to whomever they want. And the Internet only makes this worse. Your players can come from any country. Misrepresent their identity. Upload and download your games (paid for or not) to an audience of millions or billions. However, you want to make money (usually), players want other players to play fairly (whether or not they do so themselves), treat them well, and protect their children. And, of course, there is one kind of help you usually don’t want: the government. Game violence, addiction, privacy, obscenity, pedophiles, gambling, marketing, terrorists, hackers, criminals—all sorts of issues can get you on the government’s radar. Finally, you have traditional IT and ecommerce security issues including data theft and information disclosure, disaster recovery, and, when things do go wrong (and they will), incident response. I’ve been told security is the game publisher’s problem; I’ve been told it is “a technical problem;” and I’ve even been told that it is no problem at all or to wait for the game industry’s “Pearl Harbor.”
WHAT IS GAME SECURITY?

Game security is two things: First, it is the dark side of your game. It includes all the problems that you don’t want to think about, but that could ruin your business and your game. Second, and more hopefully, good game security may open up new ways of operating your game or implementing your business that would not be possible otherwise.

WHEN SHOULD YOU CARE ABOUT GAME SECURITY?

This is simple. If game security does not save you money, enhance your reputation, or make you money, don’t waste your time on it. Security should be held to the same standard as anything else you are doing. A nice thing about security in the game industry (and elsewhere) is that it is often quite cheap to address at the beginning of a project. Security can be horribly expensive or just unsolvable late in the development process or after the game is running. Security and quality go hand in hand. In fact, many security defects are really quality defects.

WHO SHOULD WORRY ABOUT GAME SECURITY?

Everyone. You will be able to avoid or solve most of your security problems just by being aware of them and considering the possibility of things going wrong while you work. Security is not the responsibility of the security guy (or gal). Security staff is there to focus on security just as testers focus on testing, designers focus on design, and marketers focus on marketing. Hopefully, they bring domain expertise to the subject, but, at the end of the day, everything needs to be balanced (the business model, the game design, the art, the budget, testing, and security).

In general, good data on security incidents is pretty scarce. People don’t like to admit their problems unless they have to. Without California’s Data Disclosure1 law, it is unlikely that any of us in the US would hear about the numerous compromises of our personal data. Security problems can lead to real changes in consumer behavior.
According to a survey by Unisys of 8,000 individuals, 45 percent stated that they would change financial institutions because of security problems 2. The game industry faces unique challenges in this regard because players see security problems that affect both themselves and others. Security problems with most businesses are only visible to the individuals involved. Even in a publicly traded company, security problems are buried in overhead expenses. Game security problems are noticed by everyone. Even single-player games are social. Players share results and achievements. Once you move to multi-player games, even something as simple as a shared high score list creates intense attention to perceived cheating. Thanks to the Internet,
problems with games get broadly distributed very quickly and can cause irreparable harm to the game business. Traditional criminals do their work in the dark. Attacking games can be a true ego trip spurring game hackers even without any financial reward: Attackers have the attention of thousands or millions of fellow players. Of all the articles that I’ve written on my blog, PlayNoEvil (http://www.playnoevil.com/), the long-term, number one page view is an article I wrote about cheating at Flash games written in early 2007 (currently, the leading contender is an article on hacking children’s games). Many of the comments I receive are requests for help cheating in the various games I discuss! Consumers care about security. In 2005, a survey of 150,000 Chinese online game players found that “no game hacking and cheating” was the Number 2 issue for choosing a game to play (at 11.02 percent), just behind graphics and audio content. It also found that “game cheating and hacking destroyed game” was the Number 1 reason for leaving a game (18.5 percent) with “game security” itself at Number 9 (5.85 percent)3. In the US, Intel did a small survey of 226 gamers focused on cheating and found that 71% were either extremely concerned (23 percent) or somewhat concerned (48 percent) 4. Cheating problems are of such concern to game companies that they regularly delete related discussions from their online forums. Popular concern with game addiction has led to actions to restrict the number of hours consumers can play in China and elsewhere 5. Although consumers care more about cheating and excessive game play, piracy is the number one concern for many traditional computer game companies. The Entertainment Software Association (ESA) estimates that piracy costs the U.S. game industry $3 billion per year 6. Another disturbing fact is that games, particularly online games, are increasingly the targets of criminals.
In June 2008, Fortinet found that 13 percent of Asian malware (malicious programs such as worms and viruses) targeted games [7]. The growth of online gaming has made game account theft lucrative. Criminals use key-loggers (programs that extract keystrokes from a computer and send them to a remote location) to steal players’ usernames and passwords to empty player game accounts and sell the contents to others. The global nature of the game industry makes legal remedies virtually futile. Blizzard, the operator of the hugely popular online game World of Warcraft, has gone so far as to start selling a low-cost authentication token [8]—a technology previously reserved for serious consumer applications like bank and stock trading accounts as well as within corporations and governments.
The problem is getting worse. Hackers are following the money and there is easy money in attacking games. In the early days of the online gambling industry, hackers attacked an online casino running software from Cryptologic Inc. The company quickly shut the servers down, but during those short couple of hours, everyone playing craps and video slots won every game, costing the company $1.9 million [9].
Gaming is no longer a niche; it is a major form of global entertainment. Everyone is getting in on the act. Ordinary companies are incorporating games and contests into their marketing campaigns. Deloitte Touche Tohmatsu found in a 2008 survey of Dutch advergame sites that over 90 percent of the games are vulnerable and over 50 percent are, in fact, attacked [10]. Companies are tying cash and prizes to these games, making them targets and turning what could be a marketing bonanza into a public relations nightmare.
THE GAME SECURITY CHALLENGE
The challenge of game security is that you, the game creator, have to play by the rules. You can’t break laws; you have limited time and a perpetually squeezed budget; and you have to keep your customers safe—all while providing an entertaining experience. Your foes are constrained only by your efforts. They know no boundaries, and may attack you simply because they can. Let’s see if we can win.
REFERENCES
1. California (2002), “SB 1386,” http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
2. W. Eazel (2005), “Majority of World Worried about Internet Fraud,” via http://playnoevil.com/serendipity/index.php?/archives/144-Bad-Security-Makes-Consumers-Change-Online-Behavior-GoodDemographics-Metrics.html (original link http://www.scmagazine.com/us/news/article/530336/?n=us)
3. PlayNoEvil (2006), “Game Security Major Issue for Online Gamers in China,” http://playnoevil.com/serendipity/index.php?/archives/719-Game-Security-Major-Issue-for-OnlineGamers-in-China.html
4. Intel (2006), “Intel Fair Online Gaming Study”
5. China Daily (2007), “China Clamps Down on Teenage Internet Gaming,” http://www.chinadaily.com.cn/china/2007-07/17/content_5438062.htm
6. ESA (2007), “Video Game Industry Applauds Game Pirate’s Sentence,” http://www.theesa.com/newsroom/release_archives_detail.asp?releaseID=20
7. Fortinet (2008), “The State of Malware: June 2008 Edition,” http://www.fortiguardcenter.com/reports/roundup_jun_2008.html
8. Blizzard (2008), “Blizzard Authenticator Offers Enhanced Security for World of Warcraft Accounts,” http://eu.blizzard.com/en/press/080626-ba.html
9. B. Warner (2001), “Hacker’s Heaven: Online Gambling,” http://www.cbsnews.com/stories/2001/09/10/tech/main310567.shtml
10. Deloitte (2008), “Advergames op Grote Schaal Gehackt,” http://www.deloitte.com/dtt/press_release/0,1014,sid%253D13354%2526cid%253D202819,00.html (English language version at http://playnoevil.com/serendipity/index.php?/archives/2107-SeriousAdvergame-Hacking-Problems-Deloitte-Touche-Tohmatsu-Netherlands-Survey-Findings.html)
Chapter 2 Thinking Game Protection
My first impulse when I began this project was to use the word “security” in the title. After all, we usually talk about IT security: When I started in the field in the mid-1980s at the U.S. National Security Agency (NSA), I worked in communications security (COMSEC) and computer security (COMPUSEC) and later information security (INFOSEC). There was also Operations Security (OPSEC), transmission security (TRANSEC), and a whole bunch of other SECs.
The problem with the word “security” is that it is a bit of a lie. You can never be completely secure (and every security person will tell you this). Security is an ideal, like truth, beauty, and art. This linguistic trap was articulated in one of the few really good books in the field that I have found: Information Protection and Other Unnatural Acts by Harry Demaio [1], sadly, long out of print.
Protection captures our endeavor much more accurately than security. We are in the business of protecting games, because we know that we can’t fully secure them. We face the same problem everyone else does—protection fails, sometimes with spectacular consequences. When we think about protection, we are already thinking in economic terms—“how much protection is enough?”—rather than in absolutes. There is power in imperfection.
My goal in this section and throughout this book is to change how you think, not about game security problems, but about game protection and how to achieve it. This section does not address the specific issues of piracy, cheating, or any of the other numerous challenges that drive game developers to distraction. Rather, it gives you a framework you can use to think about protecting your games in the face of these threats, or at least how to protect your games “well enough.”
Game developers and publishers often seem a bit fatalistic about security. There seems to be a tendency to give up and simply accept the problems. Or, conversely, developers and publishers seek some magic bullet—a single product that will solve their problems with one purchase; preferably bought at the end of the development process from someone else’s budget.
This violates my first security principle:
Security Principle 1: Anything that is easy to add is easy to remove.
Many anti-piracy solutions such as digital rights management (DRM), which is discussed in Chapter 6, repeatedly demonstrate this problem.
The notion of “layers” is used when discussing security, but the term is widely misunderstood. It is common to talk about a “security layer” or about “security services.” Tools like encryption, key management, firewalls, and intrusion detection are put into nice little architectural blocks to be called on when needed and are called security layers or services. Nothing could be further from the truth.
Properly speaking, one should talk about “layered security.” When we are in the world of protection, we understand that all our security tools are far from perfect. The art and engineering of well-protected systems comes from combining multiple, interlocking security techniques into a powerful whole. Rather than building a security chain that is only as strong as its weakest link, you need to create a security mesh of independent elements that is much stronger than any individual link and will continue to operate even if a single tool fails. Effective protection requires weaving security throughout your application or business. Some of your protection tools may not even be security techniques, but simply carefully chosen parts of your business or technical strategy.
INDEPENDENCE
In 1990, Clifford Stoll wrote perhaps the first true computer security caper story, The Cuckoo’s Egg [2]. It was even made into a NOVA special. Dr. Stoll was an astronomer who, unable to get a job doing astronomy, worked at Lawrence Berkeley National Lab as a system administrator. His boss asked him to investigate a $0.75 discrepancy between an old, custom computer accounting system and the standard UNIX one. This investigation led to an international spy ring, the FBI, CIA, and all sorts of other entertaining things. It’s a great book or video. The most important lesson of the story seems never to have been learned and is my second security principle:
Security Principle 2: Effective security comes from weaving together independent systems.
The only reason that this case came to light was because someone noticed the accounting discrepancy between the old accounting system and the standard one. The hackers knew enough about the standard UNIX operating system to attack the accounting system and hide their tracks. They did not know about the strange old Berkeley accounting system. If they had, they would likely have beaten it, as it was running on the same computer.
To show how bad the problem is, many computer security references use the term “audit trails” routinely. The term “audit trail” clearly implies all sorts of wonderful independence and security. Unfortunately, these tools are not audit trails at all, only accounting records. There is only one system involved that is generating the report, not two independent ones.
When I talk about independence, I am really talking about statistical independence: Entities are independent of each other if events or actions related to one do not affect the other [3]. The challenge, of course, is how to build independence into your system—without breaking the bank. Independence is discussed much more extensively in the field of safety engineering by those who are building reliable and highly available systems than it is as a security principle. Passenger jets have multiple engines so that the plane will be able to fly when one (and sometimes more than one) engine fails. The Space Shuttle has five flight computers that vote to avoid undetected failures.
We can actually achieve the goals of independence in multiple ways. As described, we can have multiple entities that independently generate identical results (we hope). We can also have systems that generate multiple results that are independent of each other—a log of game wins, losses, and wagers compared to a financial log of deposits, transfers, and payments.
One of the areas where games have an advantage over other entertainment media is that they are naturally highly transactional. While I may buy and watch a movie, for many games I can post high scores, play with other people, and otherwise repeatedly interact. These numerous interactions can be used together to prevent and detect piracy, discourage griefing, and deter cheating.
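The comparison of a gameplay log against a financial log described above can be run as a reconciliation job. The following Python is an added example, not code from the book; the record formats, player names, amounts, and the third `WALLET_BALANCES` source are constructed for illustration, and it assumes each source is written by a separate system.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample records. Each source is written by a different system,
# so an attacker who alters one must also alter the others consistently.
GAME_LOG = [  # game server: (player, wager, payout)
    ("alice", "10.00", "0.00"),
    ("alice", "5.00", "15.00"),
    ("bob", "20.00", "0.00"),
    ("carol", "5.00", "0.00"),
    ("mallory", "1.00", "0.00"),
]
FINANCE_LOG = [  # payment system: (player, kind, amount)
    ("alice", "deposit", "50.00"),
    ("alice", "withdrawal", "20.00"),
    ("bob", "deposit", "20.00"),
    ("carol", "deposit", "25.00"),
    ("mallory", "deposit", "10.00"),
    ("mallory", "withdrawal", "500.00"),
]
WALLET_BALANCES = {  # account database: current balance per player
    "alice": "30.00",
    "bob": "0.00",
    "carol": "20.75",
    "mallory": "0.00",
}


def net_winnings(game_log):
    """Payout minus wager per player, as seen by the game server."""
    totals = defaultdict(Decimal)
    for player, wager, payout in game_log:
        totals[player] += Decimal(payout) - Decimal(wager)
    return totals


def net_funding(finance_log):
    """Deposits minus withdrawals per player, as seen by the payment system."""
    totals = defaultdict(Decimal)
    for player, kind, amount in finance_log:
        if kind == "deposit":
            totals[player] += Decimal(amount)
        elif kind == "withdrawal":
            totals[player] -= Decimal(amount)
        else:
            raise ValueError(f"unknown ledger entry kind: {kind!r}")
    return totals


def reconcile(game_log, finance_log, wallet_balances):
    """Return {player: [(finding, amount), ...]} for every disagreement.

    Exact Decimal arithmetic with zero tolerance: the discrepancy in the
    Stoll story was 75 cents, so small differences are not rounded away.
    """
    winnings = net_winnings(game_log)
    funding = net_funding(finance_log)
    players = sorted(set(winnings) | set(funding) | set(wallet_balances))
    findings = {}
    for player in players:
        expected = funding[player] + winnings[player]
        issues = []
        if player not in wallet_balances:
            issues.append(("no_wallet_record", expected))
        else:
            diff = Decimal(wallet_balances[player]) - expected
            if diff != 0:
                issues.append(("wallet_mismatch", diff))
        if expected < 0:
            # Money left the system that gameplay and deposits never produced.
            issues.append(("overdrawn", expected))
        if issues:
            findings[player] = issues
    return findings


if __name__ == "__main__":
    for player, issues in reconcile(GAME_LOG, FINANCE_LOG, WALLET_BALANCES).items():
        for finding, amount in issues:
            print(f"{player}: {finding} {amount}")
```

The check is only as independent as the systems behind it: if all three sources are written by the same process on the same host, they are accounting records rather than an audit trail.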
LAZY, CHEAP, OR STUPID
I’ve long enjoyed the engineering truism “good, fast, or cheap; choose two.” In other words, if you want something good and fast, it won’t be cheap and if you want something fast and cheap, it won’t be good. I think the security field needed something similar, so here’s my stab at it: Lazy, cheap, or stupid: Any one will get you. … or some such.
YOU CAN’T COUNT ON TRUST
“Trust” gets waved around a lot in the world of IT security (and, recently, in discussions about fighting piracy). When I started out in the security field, a big focus was on trusted operating systems and since then we’ve moved on to trusted platform modules. The whole idea of these products is that by building a whole lot of “security” (whatever that means), we can “trust” the “trusted” thingy and be secure. The goal is noble, but rather naïve.
First of all, there is no objective definition of security. The security requirements for another business can be very different from yours even when you both are using the exact same applications and platforms. The game industry is not the same as the military; which is not the same as a dating service or an online auction service.
Second, most real security problems occur at the application and business operations levels, completely independent of the underlying platform. Spell checkers may be able to determine whether a word is spelled correctly, but they can’t tell if you’ve chosen the wrong word (a problem that I’ve found often while editing this book). If you have incorrectly defined or configured your ordering process, an unauthorized individual may be able to furnish his house at your expense. A trusted platform will do nothing to solve malicious use of a legitimate application.
Third, the interaction of arbitrary applications on top of a trusted platform can no longer be considered trustworthy. As I noted, when my career began in the 1980s, trusted operating systems were all the rage. What we found was that once we started adding applications to these platforms, our security analysts were able to undermine the system by attacking the applications directly. Currently, the focus is on hardening standard operating systems—basically getting rid of the gratuitous “stuff” that can cause some of the worst problems. This includes removing unnecessary applications such as editors and compilers as well as unneeded network services, analysis tools, and many of the other products that are provided as part of a standard operating system distribution.
Fourth, what if the trusted platform fails? It happens. Even if you wanted to, could you risk your business on the promises of a third party? Once upon a time I worked on a government project with a very clever anti-tamper piece of hardware. Our security team had to plan for the scenario where we would lose one of these devices (which we had spent a lot of money making tamper-resistant). Our final assessment was that we had to operate the system as if we had no tamper protection. That is, if we ever lost control of one of our anti-tamper boxes, we still had to assume it had been compromised and implement our procedures to recover our security status—even if it was returned “intact.” Trust is not enough.
All of this is not to say that using trusted systems is not good practice. However, it’s best to use these products as tools and part of an overall security system plan, not as the hard kernel of security.
To an outsider, security often looks like black magic. The field is full of magic words: rootkits, worms, viruses, hackers, penetration tests, amazing sagas, embarrassing failures, and spectacular capers. Scratch the surface, however, and you’ll find that almost all security problems arise from one or more basic human failings: laziness, being cheap, or stupidity. These are security’s three deadly sins, so let’s look at each in more detail.
Laziness
There is depth and even some real complexity as you learn the art of security, but the reason many security experts can appear to work miracles and divine problems after taking only a cursory look at an organization, system, or project comes from knowing the following:
Security is not a primary concern of most people.
When you don’t care about something, you tend to take shortcuts and cut corners.
People are wonderfully consistent, especially in how they cut corners.
Of course, things aren’t quite this simple. You need to have a good deal of knowledge of development practices, programming, system design, project management, business planning, and “human nature” to pull off these “miraculous” insights. Once someone describes a situation for me, the first thing I think about is “what would be the easiest way to build this system?” and, because the easiest way to build something is rarely the right way, “what is the easiest way to exploit the poorly built system?” Habits are wonderful for predicting future disasters.
In the game industry, the biggest cheating problems come from the fact that most developers start by programming a single-player game and then add multi-player features. Even though everyone knows and complains about piracy, they don’t actually seem to start planning a strategy against it until the game is about to launch. The game industry is not alone. I’ve been brought in on classified government projects after years of development and many millions of dollars spent, where security only came up because someone noticed that the system needed to be accredited as secure before it was allowed to operate.
Being Cheap
Security is never given a decent budget. It is a legitimate problem for planners. Security rarely shows up as a positive revenue line item. It is always portrayed as a cost with nebulous benefits at best. Interestingly, one of the things I like best about the game industry is that its security problems are so closely tied to its core business.
In many other industries, it is very hard to argue whether one firewall is better than another or if one should invest in an intrusion detection system or not. This is not true for the games industry. Piracy costs sales. As a security analyst, I can make estimates of those costs and the benefits of my proposed anti-piracy strategy and present a reasonable business case to management and ask for a budget.
Cheating has not been seen to be a major problem for traditional, single-player games that are sold shrink-wrapped at a retailer. However, as we move towards multi-player and online games and the industry transforms from a product-sales business to a service business, cheating becomes much more important. Cheating and game integrity have always been critically important for skill games, contests, and the gambling side of the industry.
Similarly, payment processing, identity, protecting children, and the other topics that I will discuss are not theoretical problems. They can cost your business money or, even worse, give you the opportunity to deal with irate customers or governments.
Stupidity (Ignorance Is Bliss, for a While)
Developers in every industry are rightfully proud of their accomplishments and eager to hurry their products to market. After a long slog of development and hopefully some testing, most developers are rather confident about their product’s ability to work well. In physics, Work equals Force times Distance. If you don’t go anywhere, you haven’t done any Work. The remorseless calculus of security doesn’t care how hard you worked or who you are. Hackers just care about what you have actually done.
When I made my first security presentation to the game industry in 2001, developers shared horror stories of players hacking Flash games just to get high scores on their individual sites. Eight years later, players are still hacking Flash games to get high scores to win prizes and lots of cash… and causing some large companies serious grief in the process.
Gold farming isn’t a new problem and people have been creating bots since the early text MUDs. However, pretty much every modern MMO has continued to be plagued by these attacks. Now, instead of a couple of guys running a game on a university server, gold farmers are earning millions, if not billions of dollars, and chewing up entire customer support teams. Major game publishers are spending untold dollars suing bot builder companies knowing full well that another will spring up, probably in a jurisdiction beyond the effective reach of their lawyers.
All of the security issues discussed in this book are fairly well known to professionals in the industry as well as interested consumers and even more interested hackers and criminals. The best way to avoid security problems is to simply acknowledge them at the start of a project and address them early in the development process. Or, at the very least, ignore them consciously. It is simply stupid to do otherwise.
The good news is that solving many of your security problems may be as simple as adding “remember security” to your project’s PowerPoint templates.
THREATS, VULNERABILITIES, AND RISK
The game industry knows who its attackers are: Pirates steal games, cheaters win unfairly, griefers and gold farmers are just a pain for everyone. The IT security literature talks a lot about vulnerabilities, threats, and risks. The language of the industry and its processes in this regard are a bit confusing. The real question is: What, if anything, can a security analyst tell you that will cause you to change how you operate or spend money to fix something?
While people may talk and talk about security requirements, in practice, these requirements are undermined when there is money and effort required. This is frustrating for security analysts, as they spend a lot of time hunting for vulnerabilities, writing them up, and presenting them to management only to be told “we’ll accept the risk.” The problem is, management might not be right about accepting the risk, but the basis of their decision seems to have little to do with the described vulnerability, but rather with rhetoric.
Risk is the nemesis of protection. Risk is where people get into the most trouble. It is basically a qualitative assessment of how likely someone will do something (bad) and the probability that he or she will succeed. Risk also captures the consequences, usually in financial terms, of an incident. On paper, this doesn’t sound like a bad concept at all. The problem is with its use. Risk assessments, vulnerability assessments, and threat assessments seem to all boil down to a long questionnaire and Excel spreadsheet that reduces risk to a number. Often commercial products will generate some “risk score” number, which is then used to determine whether you are secure enough.
There are three important problems with this approach. First, the weighting schemes that are used to compare one attack or vulnerability to another are often hidden and reflect the biases of the tool maker (or consultant) rather than the priorities of the client.
Second, some risks are not commensurable, or rather they shouldn’t be: It makes little or no sense to combine security issues related to identity theft with those for denial of service. Third, the tools rarely seem to support business decisions. Instead of giving a final numeric score, these tools would be more useful for determining relative residual risk between programmatic choices: Should you choose Option A with Budget B, which yields Risk Profile C or choose Option D with Budget E, which yields Risk Profile F?
Making assumptions about your adversary is quite dangerous. People tend to “mirror image” their foes. They assume that the enemy has the same propensity for risk and values as they do. The game industry is particularly vulnerable to this problem: Game pirates put a radically different value on games than a publisher does. In practice, they face little to no risk for the actual act of breaking a game’s security and they seem to have the time and patience to effectively defeat many security systems.
Gold farming is, allegedly, a billion dollar industry employing tens of thousands of individuals worldwide. Aggressively exploiting an MMO’s economy is big business. For the game operator, controlling gold farming is often a low priority. It falls somewhere between customer support and bug hunting. The operator’s main priority is to keep the servers running and the players playing and paying.
BEYOND PROTECT, DETECT, REACT
Protect, detect, react. It has become something of a mantra in the traditional IT security community. First, you protect your information from attack. If they successfully attack you, you detect the attack and react appropriately. This iron triangle of IT security probably arose out of a military perspective: Attack, defend, and counterattack. Protect, detect, react is simple, wonderful, and far from complete, even in a military context. There are at least seven additional basic security strategies:
Recover—Reconstitute the system to a secure state (or secure as possible). Interestingly, this strategy is critical for military systems as well. For example, if an encryption key is compromised, you create and distribute a new key and remove the old one. If security equipment is lost, it is simply locked out of the network. It is important to note that this does not reestablish the security of any data that has already been compromised. In a military setting, the compromised data may no longer have any value. The message “Go to War” is not a secret for all that long. Unfortunately for game developers, recovering a digital rights management (DRM) system does not restore the security of the lost game; it restores the security for future games.
Avoid—There are some fights that are not worth fighting, battles not worth winning, and problems that are “too hard.” For games, often we can change the game’s business model and design as well as its code as a way to thwart attackers. Online games that use the “free-to-play” business model where everything is purchased from the game operator are essentially immune to gold farming. Botting, the use of automated programs that play on a player’s behalf, is a hard problem, in many cases. Game developers might consider changing the game design to make botting impractical or change the game rules to make the benefits of botting negligible. An Indian game operator used this tactic for an MMO that he had licensed that was known to have problems with bots [4]. The game operator added direct item and currency sales to the subscription game, thereby reducing the benefits of botting.
Ignore—Some problems are just not that bad. It is certainly fair to choose to ignore them, especially if the cost of addressing the problem is high. Many traditional computer game developers often ignore cheating problems with their multi-player games, as the entire multi-player feature is often considered just another option added to the core, single-player experience.
Delegate—Sometimes you can transfer a problem onto someone else. If you are able to do this, why not let someone else deal with the problem? The delegation strategy can be particularly useful to transfer liability. There are certain third-party companies that are legally authorized to accept liability for protecting children’s identity information and limiting marketing under COPPA. This may be a more effective, and less expensive, option than complying with COPPA internally. I would argue that many in the entertainment industry are trying to delegate their piracy problem to the government. Department of Justice lawyers and FBI and Customs agents are almost free for the industry; they cost just a bit of lobbying.
Insure—If you can’t eliminate a problem, why not buy insurance? It works for car accidents, after all. Unfortunately, this option is rarely available for IT security or game security problems today. It is probably the great unmet security opportunity. Watch for companies who offer security services to see if they also offer liability protection. Many work like your home security system; their insurance basically consists of a refund on your security system equipment purchase (at best) or a refund of a month’s fees. In the IT security area I have seen identity theft insurance that falls in this category.
Reward—Why focus on “sticks” when you can offer “carrots” to those who might otherwise harm your product or business? The key, of course, is that the reward has to appear significant to your customers while being very cost-effective to provide. The “good driver discount” for auto insurance and airlines’ frequent flier programs are familiar examples.
Deter—The threat of punishment works as long as the possibility of being caught is high and the punishment is substantial. Law enforcement, peacetime armies, and nuclear war all rely on deterrence. Compelling good behavior is often much more expensive than relying on deterrence. Also, systems that attempt to compel goodness often are less effective at detecting their own failures.
There is a bit more that can be added to the original mantra:
Protect—As noted while discussing “Recover,” you actually need to know what you are protecting. I have seen many people confuse using encryption with “security” and hash functions with “integrity.” Game developers have relied on a browser’s encryption function to protect high scores from manipulation. Unfortunately, high-score cheaters are the actual people playing the game and thus have access to the score before it is encrypted. Similarly, several major commercial games have used hash functions to “sign” data, not realizing that the data hash can simply be replaced with one for the hacker’s preferred game configuration.
Detect—Detecting problems can be tricky. Game piracy without network connections is essentially impossible to quantify, as there is no direct feedback. If the number of validated, registered licenses is less than the royalties for a game developer, it could be an interesting question whether the game has a piracy problem or an issue with the publisher withholding royalties.
React—Ban, ban, ban. Banning pretty much seems the only strategy used to punish gaming wrongdoers, whether they are pirates or cheaters or whatever. For a game company, banning is pretty extreme and tends to deprive the company of revenue, so it is a fair question as to whether banning always makes good business sense.
A complete security system is built by creatively combining these strategies to form a coherent whole. For all of the game industry’s complaining about piracy, particularly on the PC platform, there doesn’t seem to be much thought put into managing piracy during the game development and publication process.
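The hash-as-signature mistake described under Protect, shown beside a keyed alternative. This Python is an added example, not code from the book; the configuration fields, function names, and key are constructed, and it assumes the integrity check runs on a server that holds the key.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment it exists only on the server
# and is never shipped inside the game client.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def canonical(config):
    """Serialize a config dict deterministically so tags are reproducible."""
    return json.dumps(config, sort_keys=True, separators=(",", ":")).encode()


def seal_with_hash(config):
    """Weak: an unkeyed SHA-256 digest stored next to the data."""
    body = canonical(config)
    return {"body": body, "tag": hashlib.sha256(body).hexdigest()}


def check_hash(blob):
    """Accepts any body whose tag is its SHA-256, whoever computed it."""
    expected = hashlib.sha256(blob["body"]).hexdigest()
    return hmac.compare_digest(expected, blob["tag"])


def seal_with_hmac(config, key):
    """Hardened: the tag depends on a secret the data holder does not have."""
    body = canonical(config)
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def check_hmac(blob, key):
    """Constant-time comparison against a tag recomputed with the key."""
    expected = hmac.new(key, blob["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, blob["tag"])


def edit_and_rehash(blob, **changes):
    """Model of the failure in the text: whoever holds the file edits the
    data and recomputes the public, unkeyed hash. No key is involved."""
    config = json.loads(blob["body"])
    config.update(changes)
    return seal_with_hash(config)


def compare_schemes():
    """Run both schemes over the same constructed config and edits."""
    config = {"player": "p1", "gold": 100, "max_speed": 10}
    weak = seal_with_hash(config)
    strong = seal_with_hmac(config, SERVER_KEY)
    edited = edit_and_rehash(strong, gold=999999)
    # Edited body presented with the original, still-valid HMAC tag.
    stale_tag = {"body": edited["body"], "tag": strong["tag"]}
    return {
        "hash_accepts_original": check_hash(weak),
        "hash_accepts_edited": check_hash(edit_and_rehash(weak, gold=999999)),
        "hmac_accepts_original": check_hmac(strong, SERVER_KEY),
        "hmac_accepts_rehashed_edit": check_hmac(edited, SERVER_KEY),
        "hmac_accepts_edit_with_old_tag": check_hmac(stale_tag, SERVER_KEY),
    }


if __name__ == "__main__":
    for name, accepted in compare_schemes().items():
        print(f"{name}: {accepted}")
```

Neither scheme helps when the value is wrong before it is sealed, which is the high-score case in the text: the player controls the client that produces the score.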
ASYMMETRIC WARFARE
Security is about managing uncertainty. You never know for sure when and where you are going to be attacked, but you are pretty sure that it is going to happen sometime. Also, security is a support function to your real goal of providing a great game and running a successful business. It is not the end, but a means. Good protection has got to be lean.
Protection is a battle between you and your foe. Both of you have time and resources to allocate to the fight. The only advantage you have as the defender is you get to set some of the rules and choose the battlefield. As noted previously, one of the biggest problems that you face is asymmetric values. Your foe may be far more interested in attacking your game than you are in defending it. Also, you are obliged to defend the entire game and succeed everywhere, while your adversary only has to find one hole in your armor and you are lost.
Sadly, a clear example of this asymmetry is the state of airport security in the US since 9/11. We are spending billions of dollars to try to defend every airplane against all potential hijackers. And, as numerous incidents have shown, there are always weaknesses in the system. A terrorist individual or group has to find only one vulnerability that he or she can successfully exploit to cause serious trouble. Or, these attackers can attack somewhere else where we are not defending at all.
Fortunately, games are much more constrained systems than national defense. However, they do both face highly motivated adversaries. Game developers and publishers have much more control than Homeland Security does over the systems that hackers want to attack.
Security Principle 3: Make your adversary work a lot harder than you.
Defensive methods should be chosen for their low cost and coverage of a wide range of threats. For game cheating, the most common strategy is to include some sort of “cheat detection” tool with the game. The major anti-cheating products in the industry are Blizzard’s Warden, Valve’s VAC, Even Balance’s PunkBuster, nProtect’s GameGuard, and AhnLab’s HackShield. They are all signature-based systems, similar to anti-virus products that use signatures of the individual versions of malicious software to detect attacks.
The cost of this system is that it must be constantly updated [5] to keep up with the latest cheats and, just as the security industry has found with viruses, hackers are very good at attacking anti-virus tools directly as well as hiding themselves from the anti-virus tools and altering their malicious software’s signatures [6]. While the work of creating and distributing an individual signature is not significant, there is a fair amount of effort to find hacks, understand them, and build a reasonably stable signature.
It is worth noting that this strategy for detecting hacks depends on cheats being widely used. If there are only a couple of cheaters using a specific technique, the security surveillance system will be unlikely to detect the attack. This is becoming increasingly true for traditional malware, which is now targeted at specific companies or individuals as opposed to the world as a whole [7].
Chapter 2 Thinking Game Protection
In MMOs, professional gold farmers are motivated to develop and use internal or limited distribution tools instead of mass-market products. This is also true for the online casino industry: If you have a real, effective cheat that makes you a lot of money, you are not going to sell it to anyone. Once cheating or hacking is a business and not just vandalism, there is no reason to broadcast attacks. One of the real reasons that encryption is such a popular security tool is that it is cheap and easy to implement—whether it is effective or not is a different matter. The most effective security strategy, for games (and anyone else), is to change the system so that there is nothing that can be exploited. You are probably lost if you are constantly hunting for hackers.
PROCESS, TESTING, TOOLS, AND TECHNIQUES
Although “thinking right” about security up front will get you a long way, there are useful tools and tactics to complete the job. Penetration testing gets a lot of visibility as a key security strategy. Penetration testers attempt to break in to a system from the outside, just like an attacker. When they succeed, it is impressive and compelling (if a bit late in the development process). There are three weaknesses to penetration testing:
Many of the “revealed” security weaknesses are generic operating system and common application vulnerabilities. This is not to minimize their impact, but there are cheaper and easier ways to find these problems earlier in the development process.
Penetration testing is often very time-constrained. As such, penetration testers do not have time to become familiar with the target and so go for the easy, generic attacks. The most damaging flaws are often in the target’s unique business application (or, in this case, game) environment.
Finally, you cannot test either security or quality into a system. They need to be built in from the beginning.
My preferred security analysis and testing strategy is to run in parallel to development: from concept through implementation and deployment. This has substantial advantages. Design errors can be addressed when they are still just PowerPoint slides and Word documents. Because the security analysis team has full access to the design and code, it is much better able to focus on proactively finding real problems at the source before they get out of control and expensive to correct. Again, security resources are very scarce compared to those of the attackers.
Although a hacker may need to reverse-engineer your system to attack it, he may also be a former team member or have “dumpster dived” to collect your documentation or even downloaded the source code from your server. There is no benefit to forcing your security team to emulate this phase of the attack. If your only defense is that the hacker does not know your system design, you are dependent on “security by obscurity” as your sole security barrier—and you are in deep trouble. Good security testing tools should be a standard part of the toolbox of every developer and system and network administrator. Similarly, there are numerous software quality and security testing tools that can help avoid memory leaks and other common coding errors. One of the real challenges for security in games and other applications is that you need to build protection in during the development process, but its benefits do not appear until the product or service is operational. This causes a number of annoying, but real, problems. The biggest problem is that most organizations separate their development and operations budgets. Features like protection against attack that are hard to measure during development are easy to drop: They have no consequence until the development team has been paid and moved on to another project. Another issue is that many security failures are largely silent. When your house is robbed or car is stolen, you tend to notice it rather quickly. Code theft, identity theft, and unsecured servers may never be noticed. It is important to build “security instrumentation” into your system to help make both known and potential threats visible. It may be possible at an early stage to at least detect problems that you may not be willing or able to prevent at that time. This will give your live team and operations staff the tools they need to identify and fix the problem later. 
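One form the “security instrumentation” described above can take, as an added example that is not from the book: a key-registration service that records and classifies every attempt without blocking any of them. The log format, key strings, account names and sales figure are constructed for illustration.

```python
"""Observe-only instrumentation for a game's key-registration service.

Added example. The log format, key strings and account names below are
constructed sample data, not any real service's.
"""
from dataclasses import dataclass, field

# Constructed sample: keys the publisher actually issued with sold copies.
ISSUED_KEYS = {"AAAA-1111", "BBBB-2222", "CCCC-3333", "DDDD-4444"}
UNITS_SOLD = 4  # constructed sales figure matching the issued keys

# Constructed sample log: (timestamp, account, key presented).
EVENTS = [
    (1, "alice", "AAAA-1111"),  # issued key, first use
    (2, "bob", "ZZZZ-0000"),    # key was never issued
    (3, "carol", "BBBB-2222"),  # issued key, first use
    (4, "dave", "BBBB-2222"),   # issued key already bound to carol
    (5, "bob", "CCCC-3333"),    # bob returns with an issued key
    (6, "erin", "YYYY-9999"),   # key was never issued
    (7, "erin", "YYYY-9998"),   # second never-issued key from erin
]


@dataclass
class RegistrationReport:
    attempts: int = 0
    unissued_attempts: int = 0
    reuse_attempts: int = 0
    registered: set = field(default_factory=set)  # accounts holding a key
    flagged: set = field(default_factory=set)     # accounts that tried a bad key
    converted: set = field(default_factory=set)   # flagged first, registered later
    contested_keys: dict = field(default_factory=dict)  # key -> other claimants


def audit_registrations(events, issued_keys):
    """Classify every attempt in time order. Nothing is blocked; the report
    only makes otherwise silent activity visible to the live team."""
    report = RegistrationReport()
    owner_of = {}
    for _, account, key in sorted(events):
        report.attempts += 1
        if key not in issued_keys:
            report.unissued_attempts += 1
            report.flagged.add(account)
            continue
        owner = owner_of.setdefault(key, account)
        if owner != account:
            # A valid key presented by a second account: stolen, shared or resold.
            report.reuse_attempts += 1
            report.flagged.add(account)
            report.contested_keys.setdefault(key, set()).add(account)
            continue
        if account not in report.registered:
            report.registered.add(account)
            if account in report.flagged:
                report.converted.add(account)
    return report


def summarize(report, units_sold):
    """Headline numbers for a dashboard or a weekly operations report."""
    if units_sold <= 0:
        raise ValueError("units_sold must be positive")
    unauthorized = report.unissued_attempts + report.reuse_attempts
    return {
        "unauthorized_share": unauthorized / report.attempts if report.attempts else 0.0,
        "registered_per_unit_sold": len(report.registered) / units_sold,
        "conversion_rate": (len(report.converted) / len(report.flagged)
                            if report.flagged else 0.0),
        "contested_keys": sorted(report.contested_keys),
    }


if __name__ == "__main__":
    report = audit_registrations(EVENTS, ISSUED_KEYS)
    for name, value in summarize(report, UNITS_SOLD).items():
        print(f"{name}: {value}")
```

Because the audit only counts and classifies, it can ship before any decision is made about whether to ban, warn or ignore the flagged accounts.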
There has been a rise in active measures to fight hackers, pirates, and cheaters—both within the game industry and outside it. Services like MediaDefender, which actively seeds peer-to-peer networks to disrupt and locate music pirates, can sometimes create more problems than they are worth. The StarForce anti-piracy saga [8] and the Sony BMG Rootkit case have become cautionary examples and created objections to almost any form of anti-piracy technology. Even Blizzard’s Warden anti-cheating tool has raised privacy concerns (see Chapter 34). Some of these methods can be quite effective. However, if you are going to implement them, you should consider possible consequences. Some of these tools can cause problems directly, as when MediaDefender targeted a legitimate P2P distribution service [9], and some can cause indirect problems. For example, Sony BMG’s Rootkit was used to attack World of Warcraft. The decision to use these active strategies should be made at a senior level. After all, at some point, you may have to defend your active measures strategy to the public in The Washington Post.
SECOND GRADER SECURITY
Many people confuse complexity with security. One of the disdainful comments regularly used by those in the security field is “security by obscurity”: the notion that if you make something sufficiently complicated, surely it will be too difficult for an adversary to unravel. This is rarely the case. Usually, the result is that the system is so complicated that it cannot be maintained: Your own team does not understand the system and there are often obscure parts of the design that make it more vulnerable to attack. Or, even more likely, your maintenance staff will come along and “clean up” the design so that they can support it—and completely undermine your “obscurity” efforts.
Probably the most important design principle that I learned at NSA was to focus on clean, clear design. Good system engineering and good security engineering go hand-in-hand. Ugly, complicated designs are rarely secure. Any security weaknesses in a well-architected system will stand out like a sore thumb, and usually be reasonably easy to fix. This leads to my next security principle:
Security Principle 4: If it’s not simple, it’s not secure.
Or, if you can’t explain it to your manager (or a second grader) on one PowerPoint slide, it probably isn’t secure.
There are computer scientists and mathematicians who look for ways to “prove” security. They use complicated symbolic languages and systems to create security theorems and then prove them. Fascinating stuff. These techniques are great for PhD candidates and academics, but, I’m fairly confident, totally irrelevant in the real world. Why do I doubt this? Let me briefly don my tattered, ancient mathematical credentials… If you’ve heard of Gödel’s Theorem, made familiar outside of the circles of academia by Douglas Hofstadter’s widely owned but rarely completely read Gödel, Escher, Bach: an Eternal Golden Braid [10], you may recall that Gödel proved the Incompleteness Theorem [11].
This important work of mathematical logic states that, in short, for any sufficiently complicated system, you can neither prove nor disprove every theorem about it. Gödel also proved undecidability (whether you can decide if something is true or not), and Alan Turing disproved computability. The bottom line of these three theorems is that anything that is even slightly complicated cannot be completely understood and therefore, you cannot really know that it is secure.
In practical terms this means that the only way to make something really secure is to make it “trivially secure”: The hard part of good security design is to make the system simple. This ends my lofty discussions about security and protection; let’s get to work on protecting your games.
REFERENCES
1. H. Demaio (1992), Information Protection and Other Unnatural Acts: Every Manager’s Guide to Keeping Vital Computer Data Safe and Sound, Amacom Books, ISBN 0-81445-044-X
2. Cliff Stoll (1990), The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage, PocketBooks, ISBN 0-7434-1146-3
3. Wikipedia, “Statistical Independence,” http://en.wikipedia.org/wiki/Statistical_independence
4. D. Sengupta (2007), “It’s Virtual World Out There, All for Hard Moolah,” http://infotech.indiatimes.com/Its_virtual_world_out_there_all_for_hard_moolah/articleshow/1388388.cms
5. A. Modine (2007), “World of Warcraft Spykit Gets Encrypted,” http://www.theregister.co.uk/2007/11/15/world_of_warcraft_warden_encryption/
6. R. Lemos (2005), “World of Warcraft Hackers Using Sony BMG Rootkit,” http://www.securityfocus.com/brief/34
7. S. Gaudin (2005), “Targeted Virus Attacks Replace Sweeping Assaults,” http://www.esecurityplanet.com/trends/article.php/3554046
8. A. Varney (2006), “StarForce Must Die,” http://www.escapistmagazine.com/articles/view/issues/issue_72/414-StarForce-Must-Die
9. R. Paul (2008), “Revision3 CEO: Blackout Caused by MediaDefender Attack,” http://arstechnica.com/news.ars/post/20080529-revision3-ceo-blackout-caused-by-mediadefenderattack.html
10. D. Hofstadter (1999), Gödel, Escher, Bach: an Eternal Golden Braid, Basic Books, ISBN 978-046502-656-2
11. Wikipedia (2008), “Gödel’s Incompleteness Theorems,” http://en.wikipedia.org/wiki/Incompleteness_theorem
Part II Piracy and Used Games
In this part, you’ll find the following topics:
Chapter 3, “Overview of Piracy and Used Games”
Chapter 4, “The State of Piracy and Anti-Piracy”
Chapter 5, “Distribution Piracy”
Chapter 6, “DRM, Licensing, Policies, and Region Coding”
Chapter 7, “Console Piracy, Used Games, and Pricing”
Chapter 8, “Server Piracy”
Chapter 9, “Other Strategies, Tactics, and Thoughts”
Chapter 10, “Anti-Piracy Bill of Rights”
Chapter 11, “The Piracy Tipping Point”
Chapter 3 Overview of Piracy and Used Games
Broadband communications and the Internet have transformed piracy from a garage sale nuisance and shady street vendors selling games from the back of a van into a pervasive problem. Virtually any digital media is only a quick Google search and click away online. Of course, the real questions for any business are how much money is this costing and what can one do about it?
Piracy is theft. Some may quibble about “software piracy” being copyright infringement; however, the bottom line is that when people don’t pay for a commercial good or service, they are stealing (at least from the seller’s perspective). Open source advocates claim “software wants to be free.” Software does not want to be free. Freeloaders want free software. But, it is also worth looking at other industries where sales revenue is lost. Not just to unauthorized copies, but also to used goods where creators do not earn revenue from the secondary sales. Movies, books, and music have always had some market for used products, but the growth of console games has created a massive used game retail market (PC games are rarely sold used). In the next several chapters, I discuss the various aspects of the piracy problem and used games—the traditional techniques that have been used to fight piracy, and some alternative strategies. Additionally, I address legitimate consumer concerns about anti-piracy measures.
Chapter 4 The State of Piracy and Anti-Piracy
The first questions that should be asked about piracy are “how bad is it?” and “whom does it affect?” There are two completely different ways to measure piracy. The first is based on the estimated number of pirated copies of a game or other work and what those items would cost at retail. This seems to be the preferred model used by the U.S. Business Software Alliance (BSA) and Entertainment Software Association (ESA). These numbers are quite suspect on a number of counts. The second approach is to measure how many actual sales are lost. After all, many people will use something if it is available for free, but have no interest in buying the item.
The nature of digital piracy makes it quite difficult to estimate the size of the problem. Downloading files and duplicating disks do not leave easy trails for forensic investigators. An article about casual game piracy claimed a piracy rate of around 92 percent based on attempted connections to the company’s server [1]. At least this number came from an actual measurement. A report by China’s government, whose citizens are often a target of anti-piracy rhetoric, noted that based on BSA’s estimates, one quarter of the country’s Gross Domestic Product (GDP) would, or rather should, have been spent on software in 2005 [2]. The BSA is not alone in having difficulty with numbers. The Royal Canadian Mounted Police seemingly made up its estimate of 10 to 30 billion Canadian dollars in piracy—a number that apparently went from a bullet on a PowerPoint slide into national policy [3]. Australia has moved to challenge a report by copyright holders on the damage from piracy, stating that the numbers needed to be substantiated, especially as they were being used to justify increasingly harsh civil and criminal penalties [4].
DETERMINING THE SCOPE OF PIRACY
Even if we do accept these high piracy rates, the real question for business is how many of those customers would actually have purchased the item. After all, the marginal cost of producing digital items for the publisher is very low, so the sunk material and production costs are often not a major issue. Typically, therefore, there is no real cost to the publisher from these pirates. This is not always the case, as SiN Episode 1, a downloaded game that was distributed via Valve’s Steam service, found when they were overwhelmed with customer support requests by irate “customers” who hadn’t actually purchased the game [5]!
Companies that operate a free online game play service, like Blizzard’s Battle.Net or ArenaNet’s Guild Wars, need to be especially concerned about piracy, because the way they subsidize the online service is through product sales. Several years ago, it was not unusual for Blizzard to announce bans of hundreds of thousands of CD keys, many of them because the game copies were pirated [6]. Specifically, the players were using counterfeit keys to register the games with the Battle.Net service.
One of the powerful advantages of a service like Battle.Net is that it provides information on numbers of pirates (or, at least, unauthorized registration attempts) as well as numbers of legitimate players. It also provides an incentive for players to convert from an illegal copy to a legal one so that they can participate in the online service. Finally, the service provides a means to compare actual sales (and royalties) with numbers of registered players to estimate the success of counterfeit CD key piracy. It might even be able to measure how many pirates purchase legitimate copies once caught.
In general, there are few good methods to determine how many pirate game users would actually buy a game. However, the stereotype of gamers (and game pirates) as young and poor is no longer true.
Game demographics have shifted to older players who are generally less likely to pirate games. This would seem to imply that sales lost from pirates isn’t significant—older players are likely to buy legitimate copies and younger players would never purchase the game at all. Brad Wardell of Stardock has been quoted [7] as saying that game developers need to focus on the actual population of paying customers:
“When you make a game for a target market, you have to look at how many people will actually buy your game combined with how much it will cost to make a game for that target market. What good is a large number of users if they’re not going to buy your game? And what good is a market where the minimal commitment to make a game for it is $10 million if the target audience isn’t likely to pay for the game?”
“If the target demographic for your game is full of pirates who won’t buy your game, then why support them? That’s one of the things I have a hard time understanding. It’s irrelevant how many people will play your game (if you’re in the business of selling games that is). It’s only relevant how many people are likely to buy your game.”
The computer game industry has adopted four major strategies to address piracy:
Console-based games
Digital rights management/license management
Online gaming
Prosecutions
The dominant anti-piracy strategy by the computer game industry has been to focus game development towards game consoles. (As a side note, the film industry’s move towards Blu-ray from DVD would seem to be an attempt to follow suit.) The general argument has been that control over game hardware will prevent piracy. In fact, the move to consoles has not really stopped piracy and, potentially even worse, it has essentially created the used game market. Used games are a totally legal way for customers to buy games. They provide no revenues to the publisher or developer and may even cost sales of new games by giving wavering customers a chance to “wait a bit” and buy a game for less. (There are some counterarguments, however. The fact that consumers know that they can resell a game means that they may purchase a $50 game knowing that they can sell it for $10 or $20, meaning the effective cost is $30 or $40.)
Console piracy is rampant in Asia with modified consoles often publicly sold for a modest $50 premium above a legitimate console [8]. Nintendo’s very popular DS handheld console has been facing increasing problems from the R4 cartridge [9]. These console hacks allow players to download games for free or purchase them on the black market for only a couple of dollars.
The game industry has not abandoned PC games, but they have stepped up their use of increasingly draconian licensing tools.
One product, StarForce, became so unpopular due to its modification of drivers that popular pressure forced publishers to abandon the tool [10]. In the music industry, Sony BMG earned the ire of music fans and lawsuits with its secret, automatic installation of a rootkit program when certain music CDs were played on computers [11]. More recently, several publishers have substantially loosened installation and registration requirements for their games after widespread objections in game blogs and online communities [12].
Simple economics and widespread piracy of traditional computer games and other software drove game developers in Korea and China to focus on online games. Particularly in Korea, the government’s focus on developing a world-leading telecommunications infrastructure opened the door for sophisticated games played on a server rather than sold at retail. Games operating as a service are inherently more difficult to pirate. Stealing a copy of the player client software is not enough; a pirate server must be set up, operated, and maintained. This makes the pirate server operation much more vulnerable to being detected, located, and shut down by law enforcement.
It is worth noting that any break-even analysis should probably be done when the game is “green lighted” and the developer makes an initial estimation of expected sales. The question should perhaps be asked—if this game had an additional $2 million to spend, how could it best increase sales to compensate for the estimated “anti-piracy” expenses? Other security options may make sense and should be considered. After all, the only additional revenues are going to come from additional sales.
The Entertainment Software Association, the trade group for most U.S. computer game publishers, claimed that piracy cost the industry $3 billion in sales a year [13]. They have worked to strengthen penalties and pushed law enforcement to actively pursue individuals and organizations involved in software piracy. When I reviewed ESA’s announcements related to piracy in October, 2006, I found that in the previous 12 months, the ESA and U.S. and Canadian governments had imposed total fines of $36 million and pursued four major cases. This is just over one percent of their own estimates of the pirate market [14]. Since there has been no claimed reduction in piracy, there should be a question as to whether these prosecutions deter would-be pirates at all.
HOW MUCH IS ANTI-PIRACY WORTH?
Piracy is a real problem. It potentially costs the game industry billions of dollars worldwide each year. We can’t wish piracy away, so it seems our only alternative is some sort of anti-piracy product. Just as with our analysis of piracy, we need to consider how much anti-piracy is worth. Should we ignore piracy or fight it?
For example, let’s assume that we are developing a traditional PC game. We choose an anti-piracy software provider that has an upfront licensing fee of $100,000 and a royalty of 4 percent per copy sold (of the game’s retail price). Then our actual upfront costs are:
Total Upfront Anti-Piracy Costs = $100,000 + Integration Costs
Vendors everywhere assert their products have no integration cost. Sometimes, this is true, but usually, there is a cost for integrating any piece of software. At the very least, you need to test it to make sure that the new software doesn’t break your old software. In our example, we’ll say these costs are zero, just as the vendor promised.
Let’s assume the game sells for the fairly standard price of $50 and our revenue per copy is $20 (after packaging, marketing, revenues for the retailer, and so on). Then, our net revenue is:
Net Revenue = $20 (profit) – $50(.04) ($2 anti-piracy royalty) = $18
However, we may lose some sales because of the anti-piracy tool we use and also incur some additional customer service costs to handle complaints and such. Once again we’ll make a simple assumption that this costs us 2 percent of sales. With a game that sells a respectable 1 million copies, without anti-piracy we’d see:
No Anti-Piracy Revenues = $1 million x $20 = $20 Million
With Anti-Piracy, our revenues are:
Net Anti-Piracy Revenues = $1 million x (98 percent customer base) x $18 – $100,000 = $17,540,000
It is obvious that I am giving no credit for additional sales for the anti-piracy solution. So, how many more sales do we need to earn to break even and recover the costs of our anti-piracy product? The additional profit we need to make up, just to break even is $2,460,000.
Increased Anti-Piracy Sales = $2,460,000/$18 = 136,667 additional units
Or, around a 14 percent increase in sales is required to compensate for the costs of the anti-piracy product.
Suppose, instead, the anti-piracy product had no up-front fee and didn’t cost any sales, incur any customer support issues, or otherwise make life difficult (for the customers or us as the game’s publisher). Our break-even additional revenue number would be $2 million and 111,111 additional sales, just to cover those royalties. The upfront licensing cost has negligible impact on the price; the key driver is royalties.
This is simply a break-even analysis. There is inherent risk adding any software or expense to a product. In order to rate the anti-piracy product a success, any publisher should include a margin of error for expected additional sales of perhaps 200,000 or 20 percent.
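The break-even arithmetic above as a reusable model, with the shortfall split into its three causes; this is an added example, not from the book, and the class, function and field names are its own. The defaults are the sidebar's figures: 1 million copies, $50 retail, $20 revenue per copy, a $100,000 fee, a 4 percent royalty and 2 percent lost sales.

```python
"""Break-even model for licensing an anti-piracy product (added example).

Defaults reproduce the figures in the sidebar above. All names in this
module are the example's own, not a vendor's or the book's.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AntiPiracyDeal:
    retail_price: float = 50.0       # shelf price; the royalty is charged on this
    revenue_per_copy: float = 20.0   # publisher's revenue per copy before royalty
    baseline_units: int = 1_000_000  # copies sold with no anti-piracy product
    upfront_fee: float = 100_000.0   # vendor's licensing fee
    integration_cost: float = 0.0    # "zero, just as the vendor promised"
    royalty_rate: float = 0.04       # fraction of retail price, per copy sold
    lost_sales_rate: float = 0.02    # sales lost to friction and support costs

    @property
    def royalty_per_copy(self) -> float:
        return self.retail_price * self.royalty_rate

    @property
    def net_per_copy(self) -> float:
        return self.revenue_per_copy - self.royalty_per_copy

    @property
    def retained_units(self) -> float:
        return self.baseline_units * (1 - self.lost_sales_rate)


def unprotected_revenue(deal: AntiPiracyDeal) -> float:
    return deal.baseline_units * deal.revenue_per_copy


def protected_revenue(deal: AntiPiracyDeal) -> float:
    """Revenue with the product, crediting it with no additional sales."""
    fixed = deal.upfront_fee + deal.integration_cost
    return deal.retained_units * deal.net_per_copy - fixed


def shortfall(deal: AntiPiracyDeal) -> float:
    return unprotected_revenue(deal) - protected_revenue(deal)


def shortfall_breakdown(deal: AntiPiracyDeal) -> dict:
    """Split the shortfall into its three causes; the parts sum to the whole."""
    lost_units = deal.baseline_units - deal.retained_units
    return {
        "fixed_costs": deal.upfront_fee + deal.integration_cost,
        "royalties": deal.retained_units * deal.royalty_per_copy,
        "lost_sales": lost_units * deal.revenue_per_copy,
    }


def breakeven_extra_units(deal: AntiPiracyDeal) -> float:
    """Extra copies, each earning net_per_copy, needed to erase the shortfall."""
    return shortfall(deal) / deal.net_per_copy


def required_uplift(deal: AntiPiracyDeal) -> float:
    return breakeven_extra_units(deal) / deal.baseline_units


BOOK_CASE = AntiPiracyDeal()
ROYALTY_ONLY = replace(BOOK_CASE, upfront_fee=0.0, lost_sales_rate=0.0)

if __name__ == "__main__":
    for name, deal in (("book case", BOOK_CASE), ("royalty only", ROYALTY_ONLY)):
        print(f"{name}: shortfall ${shortfall(deal):,.0f}, "
              f"break-even {breakeven_extra_units(deal):,.0f} extra units "
              f"({required_uplift(deal):.1%} uplift)")
    total = shortfall(BOOK_CASE)
    for cause, amount in shortfall_breakdown(BOOK_CASE).items():
        print(f"  {cause:<12} ${amount:>12,.0f}  {amount / total:6.1%}")
    # Break-even uplift as the royalty rate alone varies.
    for rate in (0.01, 0.02, 0.04, 0.08):
        deal = replace(BOOK_CASE, royalty_rate=rate)
        print(f"  royalty {rate:.0%}: {required_uplift(deal):.1%} more sales needed")
```

With the sidebar's figures, royalties are about 80 percent of the $2,460,000 shortfall, lost sales about 16 percent and the upfront fee about 4 percent.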
Peer-to-peer piracy is an even harder problem, because there is really no criminal enterprise to target. There are just individuals looking for a free game or song or movie. The main business advantage of using prosecutions as an anti-piracy strategy is that private companies can push the costs onto governments (and taxpayers). However, this works only if piracy is actually reduced.
TRUSTED BRAND SECURITY: NINTENDO AND ADV
There is one kind of piracy protection you can’t buy: the trust of your customers. For many years, Nintendo has cultivated a close relationship with its customers. Game players in Japan, the US, and Europe have invested years and years of affection for characters like Mario and are quite fond of their Game Boy and NES consoles. Nintendo works to have a great relationship with its customers. For example, there have been a number of recent anecdotes in which players had problems with their Wii game consoles, contacted Nintendo, and a replacement was rapidly shipped at no cost and with no questions asked.
The power of Nintendo’s brand is such that for many years instead of a piracy problem, Nintendo had to deal with counterfeiting. Criminals would create pirated copies of Nintendo game cartridges and try to pass them off as legitimate ones for sale. Nintendo’s piracy resources were focused on education: to protect consumers by educating them on how to identify counterfeit games.
The recent, explosive popularity of both the Nintendo DS handheld and Wii game consoles has created a new problem for Nintendo. As the company has expanded from its long-term, long-established customers in the core markets of Japan, the US, and Europe, Nintendo is beginning to face typical piracy problems. These new customers do not have any real loyalty to the Nintendo brand and are much more willing to use tools such as the R4 Data Cartridge (see Chapter 7). This product allows players to download games from the Internet and use them for free instead of purchasing legitimate game cartridges. In 2008, Nintendo is probably the most aggressive and public opponent of piracy of all the console manufacturers and has gone from tolerating tools like R4 to actively fighting them [15].
Nintendo is not the only company in the entertainment industry to build this kind of brand loyalty.
ADV Films, an importer and publisher of Japanese anime (animated films) in the US, has also built strong ties with its customers. ADV has faced the difficult challenge of dealing with the cost of localization (translation into English) of the large number of anime films and TV series. The company cannot afford to translate every anime film or show. Instead it supports independent localization by passionate anime fans through its online community, even when ADV has rights to the product. However, once ADV Films does create the official translation of a product, the community voluntarily abandons the unauthorized copies. U.S. anime fans know that they need to support ADV to ensure access to great products and work to protect the company [16]. The U.S. anime fan community and ADV have recognized that they need each other.
ANTI-PIRACY INNOVATORS: NINE INCH NAILS AND DISNEY
There have been several attempts to fight media piracy by using voluntary payments and hoping for volume sales. Stephen King launched The Plant as a serialized book in 2000. Although he initially met his financial objective of 75 percent payers vs. downloaders (paying $1 for each part), the numbers dropped off. After six parts were released, the project seems to have been abandoned with the last release in December of 2000 (starting with the fourth installment, there was a price increase to $2, the payer rate dropped to 46 percent, and there were substantially fewer downloads) [17]. The band Radiohead released a low-bandwidth, MP3 version of their album “In Rainbows” for free in October 2007 with the downloader having the opportunity to “pay what they want,” only to abandon the strategy by April of 2008 [18].
One band, Nine Inch Nails, seems to have found a way around the problem with a strategy that could be duplicated by any game, music, or movie publisher. Nine Inch Nails basically created a wide range of versions of their products priced for different portions of their audience for their album “Ghosts I-IV.” Nine Inch Nails gave away “Ghosts I” for free, had a $5 download version of the entire album, a $10 double CD set, a $75 deluxe edition, and a $300 Ultra Deluxe Limited Edition set [19]. This last version was limited to 2,500 copies and sold out in three days—earning the band $750,000 and, even after paying for all of the “goodies” (which probably cost $10 to $20 to produce), no doubt yielded a substantial profit.
China is notorious for having severe problems with piracy and counterfeit goods. However, the billions of potential customers are irresistible to companies around the world—including Disney. In 2006, Disney launched a promotion where they offered customers who bought Disney products the opportunity to enter to win a number of prizes ranging from a DVD to a trip to Hong Kong.
All the customers had to do to enter the contest was mail the official Disney holographic seal that was included on every official Disney product [20]. This is a brilliant anti-piracy tactic. Customers are turned from pirate accomplices to detectives. First, they are going to check to see that items are legitimate and, second, any good fake holographs will get sent in to Disney to be used to help hunt down counterfeiters and the stores that carry their products. Entertainment companies could easily use variations on this strategy to battle pirates, counterfeiters, and even used games.
GOING FORWARD
Based on industry rhetoric, piracy is certainly a serious concern for the traditional console and PC game industry. There are real questions about whether game companies seriously consider piracy during their business and product planning process. I have talked to a number of security companies with various anti-piracy solutions and they typically get a courteous hearing from publishers, but no real business, not even a pilot project. If asked for advice, I recommend that anti-piracy companies look at other markets.
Using your brand to fight piracy is an amazingly powerful tactic and can be quite effective. Iconic companies like Apple can charge a premium price for their products in the market and maintain almost fanatical loyalty among their customers. This does require a long-term, strategic investment in building superior products and powerful, supporting marketing. A brand-building tool that can also support anti-piracy is a compelling online service, a topic that I will be revisiting later.
Promotions and premium versions are powerful and underused anti-piracy tools in the game industry. Even better, they are funded out of the marketing budget, not the (typically paltry) security budget. Selling concept art and model sculptures, giving away vacations and game libraries, and creating “frequent player cards” are all standard marketing techniques that can also have wonderful collateral anti-piracy benefits if used carefully.
REFERENCES
1. R. Carrol (2008), “Casual Games and Piracy: The Truth,” http://www.gamasutra.com/php-bin/news_index.php?story=17350
2. W. Xing (2008), “Piracy Debate,” http://www.chinadaily.com.cn/bw/2008-06/09/content_6746151.htm
3. S. Davis (2007), “Piracy—Fact, Fiction, and Future,” http://www.playnoevil.com/serendipity/index.php?/archives/1674-Piracy-Fact,-Fiction,-and-Future.html
4. S. Hayes (2006), “Piracy Stats Don’t Add Up,” http://www.australianit.news.com.au/story/0,24897,20713160-15306,00.html
5. brownlee (2006), “Pirates to Buyers Ratio for SiN Episode 1? 5:1,” http://kotaku.com/gaming/piracy/pirates-to-buyers-ratio-for-sin-episode-1-51-190178.php
6. Blizzard (2004), “StarCraft and Warcraft III Accounts Closed,” http://www.battle.net/news/0403.shtml
7. K. Gillen (2008), Wardell: “Piracy Is Not the Primary Issue,” http://www.rockpapershotgun.com/2008/03/12/wardell-piracy-is-not-the-primary-issue/
8. J. Cho (2008), “Nintendo Wii Ready for Korea Debut,” http://www.koreatimes.co.kr/www/news/biz/biz_view.asp?newsIdx=20735&categoryCode=123
9. C. Ciabai (2008), “Nintendo Starts Epic Battle Against R4 Piracy—The Fight Is On!,” http://news.softpedia.com/news/Nintendo-Starts-Epic-Battle-Against-R4-Piracy-90953.shtml
10. A. Varney (2006), “StarForce Must Die,” http://www.escapistmagazine.com/articles/view/issues/issue_72/414-StarForce-Must-Die
11. EFF (2005-6), “Sony BMG Litigation Info,” http://www.eff.org/cases/sony-bmg-litigation-info
12. Polybren (2008), “Mass Effect, Spore DRM Loosened,” http://www.gamespot.com/news/show_blog_entry.php?topic_id=26385172
13. ESA (2007), “Video Game Industry Applauds Game Pirate’s Sentence,” http://www.theesa.com/newsroom/release_archives_detail.asp?releaseID=20
14. S. Davis (2006), “Modchip Manufacturer Fined $9 Million—Only 332 More Pirates to Go!,” http://playnoevil.com/serendipity/index.php?/archives/846-Mod-Chip-Manufacturer-Fined-9-MillionOnly-332-More-Pirates-to-Go!.html
15. Nintendo (2008), “Nintendo Anti-Piracy,” http://ap.nintendo.com/index.jsp
16. D. Roth (2005), “It’s... Profitmón!,” http://money.cnn.com/magazines/fortune/fortune_archive/2005/12/12/8363101/index.htm
17. Wikipedia (2008), “The Plant,” http://en.wikipedia.org/wiki/The_Plant
18. G. Sandoval (2008), “Radiohead Won’t Repeat ‘In Rainbows’ Giveaway,” http://news.cnet.com/8301-10784_3-9932361-7.html
19. Nine Inch Nails (2008), “Ghosts—Order Options,” http://ghosts.nin.com/main/order_options
20. G. Fowler (2006), “Disney Fires a Broadside at Pirates,” http://www.chinadaily.com.cn/world/2006-05/31/content_605106.htm
5
Distribution Piracy
Until the recent rise of digital distribution, games were available via CDs, DVDs, floppy disks, and proprietary game cartridges. Blank media that can be purchased for pennies, while good for game publishers, also makes piracy economically viable and trivial to implement. There are three ways to fight content duplication:
- Prevent duplication
- Detect duplication
- Use a key that is difficult to duplicate or ignore
PREVENTING DUPLICATION
Preventing duplication has become a bigger challenge as games have moved to standard physical media and digital distribution. Originally, many games used proprietary distribution technologies (game cartridges) for a number of reasons, including fighting piracy. The only major game platforms that still use proprietary distribution systems are handheld game consoles. The game cartridge from the Nintendo DS and Sony’s PlayStation Portable (PSP) UMD disk are probably the last generation of proprietary physical media.
One important factor is cost. The cost of data storage has plummeted even faster than improvements in processing power and graphics. When storage was expensive, it made sense for game companies to have their own proprietary systems, especially because this had a collateral anti-piracy benefit. Pirates had to basically operate a factory to make counterfeit game cartridges. Widespread, modern outsourced, and low-cost manufacturing effectively eliminates the last vestiges of anti-piracy benefit from using proprietary media.
Other anti-piracy techniques take advantage of the way media is physically duplicated to prevent making a useful copy. Videotape protection systems work on this principle. For digital media, there have been several anti-duplication techniques that work by modifying the master CD or DVD during the production process. Other approaches stretch the CD and DVD standards in unconventional ways such as manipulating low-level indexes and offsets to hide portions of the media from standard duplication techniques. The problem with this tactic is that not every product implements all portions of the standard specification the same way, resulting in unpredictable disk failures and customer complaints.
DETECTING DUPLICATION
If you can’t protect the distribution media itself, another approach is to protect the data and detect duplication. The simplest way to do this is to label the data as “do not duplicate” so that standard media players will not read or process the data. The regional encoding system used for DVDs, which prevents disks formatted for one part of the world from being played in players for other regions, is the most familiar example [1]. Ironically, some early Sony PlayStation 2s ignored regional coding information for DVDs—a problem that was quickly corrected once it was identified.
The most notorious anti-piracy product in the game industry, StarForce, used this strategy (among others). It actually modified the low-level software (drivers) for PC DVD players to detect whether a disk was “StarForce protected.” Although this detected some piracy attempts, it also caused problems for other legitimate applications.
The most recent example of this approach came to light through a successful attack on Microsoft’s Xbox 360 console. The Xbox 360 uses standard DVDs for distributing games. DVDs include low-level information that describes the content on the disk so that it can be handled by the appropriate application software in the console. Disks are labeled as music CDs, movie DVDs, rewriteable DVDs, and Xbox 360 game disks. Microsoft has always used digital signatures on Xbox 360 game files to prevent their modification. However, the low-level disk label is not protected. The label is part of the DVD media specification, and Microsoft wanted to use standard DVD players in its console to reduce cost.
Hackers took advantage of the ability to update the firmware that is available in most commercial DVD drives. This feature is included for maintainability and to support legitimate updates from the drive vendor. Unfortunately, hackers used this capability to replace the standard firmware with a modified version that reported disks labeled as rewriteable DVDs to the game console as Xbox 360 game disks [2]. This hack has been widely used in Asia and is essentially impossible for the console itself to detect [3] (something that can be addressed by a service like Xbox Live, which is discussed in the section entitled “Rich Interaction Systems” in Chapter 9).
The power of duplication technologies and cheap mass storage has driven game publishers towards other approaches, particularly in the PC market. All of the things that make a PC useful also make it a powerful tool for piracy—lots of processing power and storage, full access and control of the hardware, and powerful and cheap programming and analytic tools.
COLLECTABLES, FEELIES, AND OTHER STUFF
If you can’t protect the game media, then you need to find something else that you can protect and tie the operation of the game to it. One of the earliest applications of this strategy was Infocom’s “feelies” [4]. In the 1970s and 1980s, Infocom produced adventure games that were quite popular. There was no widespread Internet access or even common use of modems, so the local game had to be able to detect if the copy was legitimate. Infocom’s innovative approach was to ship the game with various physical items that were hard to duplicate, yet played an important part in the game and the game experience. Customers valued maps, manuals, decoder rings, and other items that were often tied into game play, and, most importantly, were difficult to duplicate.
For a while, game companies went a bit crazy with this approach. Games would require players to type information from game documentation into the application to start or continue play and, at its extreme, players were forced to transcribe entire paragraphs of the manual letter-perfect. In some sense, the rise of collector’s editions today harkens back to this earlier era, but many publishers seem to have forgotten the anti-piracy benefits of physical, tangible items.
DISK AS KEY
Although the CD key is the subject of many complaints today, its early rise was an antidote to the inconvenience and cost of using feelies for authentication. Instead of regurgitating game documentation, players simply had to keep the disk in the computer while they were playing. Initially, the CD was needed because hard drives were too small and expensive to store entire games.
Today, the game installation process still doesn’t install everything from the DVD onto the hard disk. A portion of the game software, or even just a bit of data, is left behind on the DVD and is checked or loaded from the disk when the game is executed. This has become the de facto standard anti-piracy approach for PC games: combining the disk key with some sort of physical or software anti-duplication technology. The rise of the Internet has allowed the creation of another variant of this tactic where the withheld data or code is downloaded in real time from an online server (see the section called “Online Authorization” that follows).
Once hard drives got big enough and cheap enough, players didn’t want to have to haul game disks around. After all, if the entire game can be easily stored on the hard drive, who needs a disk? Also, if a player owns 10 or 20 games, she has to keep track of where they all are when she wants to play. Or, even worse, if the customer plays her games on a laptop, the idea of carrying around even a single disk, much less a disk for every game, is very unappealing.
Hackers have come up with programs that convince the game that the disk is present or alter the installation process so that items that aren’t supposed to be installed and stored on the hard drive are. These “NO DISK” hacks are terribly popular to this day, even with legitimate, paying customers.
LICENSE KEYS
The license key was developed in parallel with the CD key. This long alphanumeric string allowed the game software to determine whether the user was legitimate or, at least, had access to a legitimate game key. License keys have also been used in conjunction with online registration and authentication. A license key is essentially a rather long password and typically works in one of three ways:
- ID and Checksum
- Public Key Encryption
- Online Authorization
I discuss each of these methods in the following sections.

ID AND CHECKSUM
First, the key can contain a random ID and checksum. The game program runs a mathematical algorithm on the random ID portion of the license key to determine whether the computed checksum matches the checksum provided in the license key.
The problem with this approach is that hackers often reverse-engineer the process (or game developers are lazy and use a familiar function such as the MD5 standard hash function) and can generate valid license keys on demand. These hack programs are sometimes called, not too cleverly, keygens.
This algorithmic process is very tempting for online registration systems because it doesn’t require any storage of keys to validate licenses. Also, distributors and manufacturers can be given the company’s key generation process, which substantially simplifies production: A manufacturer sets up a printer to produce as many license keys as desired. They do not need to coordinate anything with the game publisher, maintain or track how many keys they have produced, store the specific keys that they have produced, or send actual keys back to the publisher to support online registration validation. Also, the game disks are identical, making their production cost low:

    Generate Random ID
    Generate Checksum (Random ID)
    Build License Key = Random ID, Checksum(Random ID)
Verification is also simple:

    // Checksum algorithm is all that has to be stored in the game software
    Split License Key into Random ID and Checksum
    Compute Checksum (Random ID)
    Compare Computed Checksum with Received Checksum

PUBLIC KEY ENCRYPTION
The second license key system replaces the checksum with a public key decryption function (see the glossary). This would appear to stop hackers pretty well. After all, knowledge of the public decryption key does not give access to the secret encryption key:

    // The game software stores the public key decryption
    // algorithm and the game’s public key
    Decrypt License Key with Game Public Key
    Validate License Key
This just requires hackers to change their tactics. Instead of looking for the checksum algorithm, they simply need to find the stored public key. To complete the attack, the hacker “finds and replaces” the game public key with one that the hacker has generated. The hacker then uses his own private key to generate whatever license key he wishes.

ONLINE AUTHORIZATION
The third major approach does not authenticate the key locally, but requires a connection to an online license server operated by the game publisher. In this case, the license key is essentially a password. The game program sends the password to the license server for authentication. Mathematically, the process is identical to the process described for the “ID and Checksum” method, but with the verification carried out at the license server instead of locally:

    // At some point, the customer enters the license key
    // into the game application
    Game Application retrieves License Key
    Game Application sends License Key to License Server
    License Server validates License Key
    License Server sends Validation Message to Game Application
    Player plays (or not)
The license server can operate just like the local license check, and often does. One advantage of an online license server is that it can detect attempts to reuse license keys on different computers. If the license server stores a list of keys that have been registered, it can reject or take various actions based on a company’s license policy (see the “License Policy” section of Chapter 6).
License servers can use two approaches to track keys: a fixed list of issued keys and an algorithmic approach, as described for game application license verification. It is very tempting to use an algorithmic approach to license verification. It requires less storage on the online server and no coordination with whoever is producing the game disks and license keys. The downside of this approach is that it is vulnerable to any exploitation of the key generation process: Once the process is compromised, the license server can only verify the uniqueness of the license keys, not their legitimacy.
If, instead, the license server contains a list of all of the license keys that have been legitimately issued, it is much less vulnerable. First, there is no need to create a license key generation algorithm: The keys can simply be stored in bulk. If a key is compromised before it has been issued, it can be removed from the license server list and the company can recover from the compromise or avoid the compromise entirely.
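The difference between the two tracking approaches can be seen in a few lines of Python. This is an added example, not code from the book: the checksum (truncated SHA-256), the key format, the `LicenseServer` class, the policy strings, and the sample IDs are all assumptions made for illustration.

```python
import hashlib

def checksum(random_id: str) -> str:
    # Assumed checksum: first 8 hex digits of SHA-256 over the ID. Any unkeyed
    # function that ships inside the game client behaves the same way.
    return hashlib.sha256(random_id.encode()).hexdigest()[:8].upper()

def make_key(random_id: str) -> str:
    return f"{random_id}-{checksum(random_id)}"

def algorithmic_check(key: str) -> bool:
    """'ID and Checksum' test: any well-formed key is accepted."""
    random_id, _, received = key.partition("-")
    return bool(random_id) and checksum(random_id) == received

class LicenseServer:
    """Online authorization against a stored list of issued keys."""

    def __init__(self, issued):
        self.issued = set(issued)   # keys the publisher actually shipped
        self.activations = {}       # key -> machine that first registered it

    def revoke(self, key: str) -> None:
        self.issued.discard(key)    # e.g. a key compromised before sale

    def authorize(self, key: str, machine_id: str) -> str:
        if key not in self.issued:
            return "rejected: not on issued list"
        if self.activations.setdefault(key, machine_id) != machine_id:
            return "flagged: key already registered on another machine"
        return "ok"

def demo() -> dict:
    shipped = [make_key(f"{n:08d}") for n in (10234, 55871, 90412)]  # constructed
    server = LicenseServer(shipped)
    unissued = make_key("77777777")  # correct format, never shipped
    results = {
        "unissued_algorithmic": algorithmic_check(unissued),
        "unissued_server": server.authorize(unissued, "pc-A"),
        "first_use": server.authorize(shipped[0], "pc-A"),
        "same_machine": server.authorize(shipped[0], "pc-A"),
        "other_machine": server.authorize(shipped[0], "pc-B"),
    }
    server.revoke(shipped[2])
    results["revoked"] = server.authorize(shipped[2], "pc-C")
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The well-formed but never-shipped key passes the algorithmic check and fails the list lookup, which is the whole argument for storing issued keys; what the server does with a flagged reuse is a license-policy decision.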
It is possible for the key producer and license server to use a shared secret key to generate individual license keys. In this case, the two parties share a license generation key (LGK) and a license generation function (license_generator). The license generation function creates license keys based on an index (i) and the LGK:

    // algorithm to generate the ith license key
    license(i) = license_generator(LGK,i)
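The shared-key scheme can be written out as an added Python example (not code from the book). HMAC-SHA256 stands in for license_generator, and the key format, the `LicenseServer` class, the inclusive index range, and the sample LGK are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

def license_generator(lgk: bytes, i: int) -> str:
    """license(i) = license_generator(LGK, i); HMAC-SHA256 is an assumed choice."""
    mac = hmac.new(lgk, i.to_bytes(8, "big"), hashlib.sha256).digest()
    text = base64.b32encode(mac[:10]).decode()  # 80 bits -> 16 characters
    return "-".join(text[p:p + 4] for p in range(0, 16, 4))

class LicenseServer:
    def __init__(self, lgk: bytes):
        self.lgk = lgk
        self.last_index = 0   # L: highest index already loaded
        self.issued = {}      # license key -> index

    def sync(self, new_last_index: int) -> int:
        """Producer reports N; rebuild keys L+1..N locally. Returns count added."""
        added = 0
        for i in range(self.last_index + 1, new_last_index + 1):
            self.issued[license_generator(self.lgk, i)] = i
            added += 1
        self.last_index = max(self.last_index, new_last_index)
        return added

    def is_issued(self, key: str) -> bool:
        return key in self.issued

def demo() -> dict:
    lgk = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample LGK
    printed = [license_generator(lgk, i) for i in range(1, 6)]  # producer: 1..5
    server = LicenseServer(lgk)
    out = {"first_batch": server.sync(3)}
    out["key3"] = server.is_issued(printed[2])
    out["key5_before_sync"] = server.is_issued(printed[4])
    out["second_batch"] = server.sync(5)
    out["key5_after_sync"] = server.is_issued(printed[4])
    out["wrong_lgk"] = server.is_issued(license_generator(b"not the real LGK", 1))
    return out

if __name__ == "__main__":
    print(demo())
```

Only the index crosses between producer and server, so a key printed at index 5 is unknown to the server until the producer reports that index, and a key derived under any other LGK never appears on the list.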
The key producer and license server simply need to exchange the latest index value for the license key that has been generated. The license server can then generate all of the license keys that have been created since the last batch by simply iterating through the new index values:

    // if last license produced has L and the new last index is N
    for(i=L+1;i