NCSoft to Roll Out Hackable Anti-Hack Software

Greyzone writes "NCSoft is preparing to use a security product to protect the Lineage II game process from user hacks while running on a user PC. Unfortunately, this product has serious flaws of its own. Securityfocus.com explains the serious flaws and the possible hacks that can be used against user PCs that have installed this software." From the article "It is true that even with this vulnerability the user must still be tricked into running a malicious application that exploits it. However, in South Korea, where the Gameguard service is widely used, net cafes have become part of the social fabric. These machines are ripe fruit for damage."

Re:That's just sad.

[Scrameustache]

you can't block every hole in security. Sometimes you just have to hope, right?

How's about not introducing new holes? That would be a good start.

Yes and no

[Pan+T.+Hose]

Still, you can't block every hole in security. Sometimes you just have to hope, right?

Yes, you can. No you don't. Software is just an applied form of discrete mathematics. "Beware of bugs in the above code; I have only proved it correct, not tried it," as Donald Knuth once said. It is possible to present a formal proof of correctness for any algorithm. It is nearly impossible and certainly impractical when you have a big mess of spaghetti code like with most of software that is utter crap, but it is possible nonetheless when you know what are you doing and design appropriately, with very clean, small and isolated parts of your system responsible for enforcing its security policies. Take a look at such operating systems as KeyKOS and EROS. E.g. read Verifying Operating System Security paper by J. S. Shapiro and S. Weber: "This paper presents a proof of correctness of the EROS operating system architecture with respect to confinement." Read some essays by Norman Hardy, especially those on Capability Theory. This is hardly a new idea, see GNOSIS: A Prototype Operating System for the 1990s paper by Bill Frantz, Norm Hardy, Jay Jonekait and Charlie Landau, written more than 25 years ago. The bottom line is: it is certainly possible to have a 100% secure system, but developers don't bother because users don't care.