The State of Security in MMORPGs
Anonymous writes "Security researchers Greg Hoglund and Gary McGraw poked around in World of Warcraft and other online games, finding vulnerabilities and exploiting the system using online bots and rootkit-like techniques to evade detection. Their adventures in online game security became fodder for the book, Exploiting Online Games. McGraw discussed with SecurityFocus the state of security in modern video games, cheating and anti-cheating systems, how the market for cheats, exploits, and digital objects is growing, what we could learn from the design of these huge systems, and how game developers react to submissions of security vulnerabilities."
The market for cheats and exploits is so large primarily because of the "make it a grind!" trap that most MMORPGs fall into. If you're into an MMORPG, and you "need" cash for a certain item, or to recoup your costs for the last big raid, or what have you, you seem to get one of two choices. You can grind away whatever playtime you have in order to get the cash legitimately, you can buy it from someone that is grinding away (or perhaps using exploits), or you can turn to exploits/hacks/whatever yourself.
I understand that some percentage of the playing population is going to cheat, hack, or use an exploit simply because they can. But if game design didn't make it so attractive to so many people to reap the rewards that go along with it, it would be a pretty minor problem. In my opinion, as soon as you're killing the 3,000th slightly different textured mob for his toe...or running a dungeon you could do in your sleep just to make sure a fellow guild member's armor is a little bit different color so you have a shot at the next dungeon, MMORPGs start losing some of their fun. I don't know of too many people that really enjoy running things that are on "farm" status, but there's a necessity to grind it out built into the games.
I know it keeps people hooked longer, but it also keeps the temptation to play...creatively...in people's mind.
"It is a miracle that curiosity survives formal education." -Albert Einstein
Just ask regular players about the security of the MMORPGs that they play.
Most are regular hack fests.
Ultima Online: Scripting is the number one player complaint, but EA doesn't give a rat's ass; they never ban, despite their TOS saying otherwise. Other cheats include ways to make players drop items, and using bots to monitor certain parts of the game for the sole purpose of knowing exactly when to raid, and then there is all the speed hacking (e.g. movement hacks) that goes on.
Lineage II: I played for 6 months, and never met another player, just about 4000 different bots.
LOTRO: Besides the game missing something, it had its share of bots.
WoW: I get spammed with cheat site URLs every time I log in, regardless of realm.
Of all the above WoW seems to have it the most under control, but that doesn't mean they don't have room to improve.
Cheating is so rampant in Ultima Online anymore, that the fricken game isn't worth logging into.
They don't care if their games are rotten with farmers and trading of game assets/currency.
All they will do is buy external software like GameGuard, whose primary function is to hog resources on the customer's PC and make it less stable.
Thus, the low-end PHB will be able to claim to his boss that he is actively fighting the problem, with GameGuard's monthly invoice in hand for proof.
Meanwhile the players will lament about the enormous parasitic-like farmer population, detrimental to the game itself, and in plain view of anyone who actually logs in the game.
Blizzard has a cheat monitor process called the Warden which scans the active process list for known cheat programs. Hiding from a process scanner is "rootkit-like". It is indeed a war zone out there. I wonder if these guys ever play Core War.
http://en.wikipedia.org/wiki/Warden_(software)
--
Warden (also known as Warden Client) is an anti-cheating tool integrated in Blizzard Entertainment games such as Diablo II, StarCraft (since patch 1.15), and most notably World of Warcraft. While the game is running, Warden uses API function calls to collect data on open programs on the user's computer and sends it back to Blizzard servers as hash values to be compared to those of known cheating programs.[1] Privacy advocates consider the program to be spyware.[2]
--
Well after reading the article, following links, and such its obvious the biggest thing they exploited with WOW during the course of writing and selling their book is the name. In other words, unless they had referenced WOW their book would be relegated to the dust bins of book sellers.
These two seem hell bent on FUD with Blizzard in regards to Warden. I haven't connected the dots, but it appears these are either the same people who flew off the handle when Warden changed or are in the same group. Basically, take something and use choice wording and catch phrases to imply sinister behaviour where none really exists. IOW - 9/11 conspiracy hacks read from the same play book. These guys just seem to be on some damn fool crusade against Warden that it borders on silly. The very same people who probably don't blink when it comes to handing over their CC/debit card to someone behind the counter freak out over a company that actually has to take steps to protect the data the players voluntarily entered when subscribing!
As for WoW itself, location hacks exist as the client and server are not always in sync for these actions. The biggest impact "cheaters" have on WoW is on the non-cheating players. Money transfers between accounts take an hour to complete, sales via the auction house are no longer immediate but instead take an hour, and trial accounts are so restricted that teaching someone to play with one is an exercise in frustration.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
No, it means literally what it says. Rootkit-like techniques to evade detection; specifically, process stealthing.
Because, for example, Blizzard's polymorphic anti-cheat "Warden" tries to scan process lists, the memory space of other processes, window titles - and, if they want, your filesystem - and because it can be updated at any time, if you want to spend any serious time looking at the game in that way, one of the very first things you're going to need is a good stealth driver to pull the wool over its eyes.
It shouldn't be that difficult, you'd think. Both Inner Space and Glider, for example, have modules to do just that, and they're running a kernel mode driver which Warden doesn't have the advantage of, but even so, the stealth is woefully incomplete which is one reason people get massbanned.
Of course the other reason is that bots tend to look rather obvious to any other player, and get reported. The challenge there is to build a better bot, (but since there's chat involved in the game, you'd better get ready for a Turing test; since that isn't an option, discretion is the better part of valour).
The only way that online games are going to have a chance at getting away from these issues is with the implementation of skill-based advancement instead of advancement based on accumulated experience/gold. As it stands, a high-level player in many online games doesn't need to have learned any particular skill themselves, but a simple accumulation of wealth via goldsellers to buy high-quality equipment and mindless hack-n-slash, combined with good macros, and they can usually come out on top.
Contrast this approach with what's seen in something like Jumpgate, where players have to actually develop their skill as a pilot in order to be successful in combat. I'd expect that gold-buying in that game is significantly lower per-capita than in your standard grind games like WoW or LotRO.
When we pray for the end of goldselling, what we're really hoping for is the beginning of an era where non-transferable capital (the skill you develop from playing the game) becomes the dominant factor in advancement.
Online games (and any game in which you accumulate possessions) are just variations on a Skinner box. Put a gamer in a box, have him peck away at moving about the world, and give him possessions randomly. It's the same sort of thing that makes people sit in front of slot machines for hours. If they *did* make a hackproof game, only a few people would play it and it would fail financially.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
Massively just did an interview with John Smedley and touched upon the issue of farmers/plat sellers and how they are using social hacking to bring in profits and hurt the company.
Part 1: http://www.massively.com/2008/01/14/a-ces-interview-with-soe-ceo-john-smedley-pt-1/
Part 2: http://www.massively.com/2008/01/14/a-ces-interview-with-soe-ceo-john-smedley-pt-2/
SOE owns and operates Everquest, Everquest 2, Star Wars Galaxies, and other MMOs.
I think the issue of farming is higher on the radar now than it ever has been. The behind-the-scenes things are really frustrating. A lot of these farmers are essentially stealing from us. What they do is they charge us back all the time. They use a credit card - sometimes stolen, sometimes not - to buy an account key. They use the account for a month, and then they call the credit card company and charge it back. We have suffered nearly a million dollars just in fines over the past six months; it's getting extremely expensive for us. What's happening is that when they do this all the time, the credit card companies come back to us and say "You have a higher than normal chargeback rate, therefore we'll charge you fines on top of that."
I was a GM in Everquest for several years. I could chime in on my experience, which mostly related to scouting out in-game cheating. We were trained to look for signs of more elaborate types of cheats and report them higher up in the chain.
In most of these games, the main thing wasn't really "cheating" as much as it was "exploiting" flaws or characteristics of the game's design. On some maps it was possible to "fall through the world" and people could effectively position themselves so they could attack monsters but the monsters could not attack them. This was also accomplished by using creative means to get on top of structures in the game geometry that the designers had never intended to be accessible. There were places, for example, where we'd often find PCs on roofs in hostile towns attacking high-level NPCs and, due to the pathing, were able to not be counter-attacked. There was a constant cat-and-mouse game trying to find out how they were pulling these things off. It was more interesting than annoying, usually. I was always impressed by some of the creative ways people would try to give themselves an advantage.
Midway into EQ's popularity a number of software programs started to appear. These really blew the lid off the game's integrity. I forget the name of this one utility, but it was a utility that managed to decrypt the game stream, and due to the way the game was designed, when you entered a zone, this program could identify the coordinates and nature of every NPC and PC in a certain range. SOE's game design, which often sent more info to the client than the client needed to make available to the user, created a situation where once someone decrypted the data, they had access to what was going on. Suddenly rare NPCs were being killed within minutes of appearing, and when a GM appeared in a zone to investigate, the perps knew instantly we were there and would log off. Again, a cat-and-mouse game erupted where the developers started routinely changing the game's encryption, and eventually they curtailed much of this behavior and made it too difficult to use the software. But at its heyday, the cheats were quite impressive. You'd have your main game client, and then you'd have a second computer sniffing the traffic, decoding it and displaying a real-time map of all PCs and NPCs in the zone. Very high-tech. Also very difficult to catch. Since the cheat program wasn't even on the same PC, programs like WoW's "Warden" wouldn't help. The only way you could identify someone cheating was to watch their in-game behavior. When you'd see PCs make a beeline for a rare NPC within seconds of it spawning, you knew something was up.
Last but not least, in these games, the servers log just about everything. If they want to catch a cheater, the behavior is quite easy to spot. I think the biggest issue with security in MMORPGs isn't being able to catch people cheating, it's trying to figure out how to keep the proper balance between game integrity and profitability. Probably 90% of people playing MMORPGs have broken rules and most of this behavior is on file. The companies cannot afford to take too hard a stance unless the transgressions are creating big problems.
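As an added illustration of the server-side, behaviour-based detection this commenter describes (not code from the thread, from SOE, or from the book), here is a small Python pass over constructed server event lines that measures how quickly each player reaches rare spawns and flags players who are consistently there within seconds. The log format, event names, player names and thresholds are all assumptions made for the example.

```python
"""Flag players who consistently reach rare spawns suspiciously fast.

Added example: works on a constructed, made-up event log, not real game data.
"""
import math
import statistics
from collections import defaultdict

RADIUS = 50.0        # distance at which a player counts as "at" the spawn
FAST_SECONDS = 30.0  # median spawn-to-arrival faster than this is suspicious
MIN_SPAWNS = 2       # judge a player only after this many rare spawns

# Constructed sample log (assumed format): <seconds> <EVENT> key=value ...
# "Sneaky" shows up at every rare spawn within seconds; "Honest" does not.
SAMPLE_LOG = """\
100 SPAWN npc=RareDrake zone=Lavastorm x=900 y=900
105 MOVE pc=Sneaky zone=Lavastorm x=850 y=880
112 MOVE pc=Sneaky zone=Lavastorm x=895 y=902
400 MOVE pc=Honest zone=Lavastorm x=880 y=910
1000 SPAWN npc=RareDrake zone=Lavastorm x=120 y=640
1009 MOVE pc=Sneaky zone=Lavastorm x=130 y=650
1700 MOVE pc=Honest zone=Lavastorm x=500 y=500
2000 SPAWN npc=RareDrake zone=Lavastorm x=410 y=210
2015 MOVE pc=Sneaky zone=Lavastorm x=420 y=205
2090 MOVE pc=Honest zone=Lavastorm x=415 y=220
"""


def parse_line(line):
    """Split '<ts> <EVENT> k=v k=v' into (timestamp, event, {k: v})."""
    parts = line.split()
    fields = dict(kv.split("=", 1) for kv in parts[2:])
    return float(parts[0]), parts[1], fields


def arrival_delays(log_text):
    """Return {player: [seconds from each rare spawn to first arrival within RADIUS]}.

    Only the most recent spawn in a zone is considered "open", and each player
    is credited at most once per spawn (the first MOVE that lands in range).
    """
    spawns = []                 # (timestamp, zone, x, y), in log order
    delays = defaultdict(list)
    credited = set()            # (spawn index, player) already counted
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, f = parse_line(line)
        if event == "SPAWN":
            spawns.append((ts, f["zone"], float(f["x"]), float(f["y"])))
        elif event == "MOVE":
            # Walk back to the latest spawn in this zone, then stop.
            for idx in range(len(spawns) - 1, -1, -1):
                sts, zone, sx, sy = spawns[idx]
                if zone != f["zone"]:
                    continue
                if (idx, f["pc"]) not in credited and math.hypot(
                        float(f["x"]) - sx, float(f["y"]) - sy) <= RADIUS:
                    credited.add((idx, f["pc"]))
                    delays[f["pc"]].append(ts - sts)
                break
    return delays


def flag_players(delays):
    """Return {player: median delay} for players who reached at least
    MIN_SPAWNS rare spawns with a median delay under FAST_SECONDS."""
    return {pc: statistics.median(d) for pc, d in delays.items()
            if len(d) >= MIN_SPAWNS and statistics.median(d) < FAST_SECONDS}


if __name__ == "__main__":
    for pc, med in flag_players(arrival_delays(SAMPLE_LOG)).items():
        print(f"review {pc}: median {med:.0f}s from spawn to arrival")
```

The same pass over the server log could correlate GM zone entries with the log-offs the commenter mentions, which is another signal that no client-side scanner would ever see.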
Eh what? First off, FFXI isn't made by Sony, it's made by Square Enix. Also it wasn't the FFXI site that got hacked, it was a major fan site outside of SE's control that had an ad that would install malicious code; the site was ffxi.somepage.com (it has now been corrected, as I understand it, and is safe to visit, or just use Opera or Firefox to work around it).
SE is dropping the ball in this area though, I know a few people that got screwed and lost their accounts like this.
One of the things that needs to be remembered here about all of this concern about game hacks, bot players, gold sellers, and other nefarious aspects of the MMORPG universe is that a considerable amount of what happens here is just sheer intellectual curiosity.
Face it, network packets are for many software developers hardly a mystery, and trying to reverse engineer the communications protocols between a game server and a client is hardly the most challenging task in computer science. If the game publisher decides to encrypt the communication in some way, that encryption is easy to reverse engineer as well... especially if you have the software for the client on your own machine. It may crack up the skill level a little bit if the "hacker" has to decompile the client in order to find the encryption mechanism, but that just makes it all that more of a prize to win and find out.
For several of the on-line games that I play, I'll admit that I've been tempted to try this myself just to see how it was done. And there are major communities who love to do this stuff. For example, the game Runescape has a fairly good group of people who have tried to reverse engineer the communications protocols, and have gone so far as to recreate the server software itself and re-implement a client using the same protocol. One excellent example is Moparscape (Warning: click on this link at your own risk... these are real hackers here!) This is not the only server like this, I should add.
That real-world cash is also injected into the need/demand for these sort of reverse engineering efforts is really just icing on the cake for many of these individuals who get into this activity.
How you can get rid of this "game about a game" effort, in terms of an arms race between the software publisher and the hacker community trying to reverse engineer the communications protocol, may be something worth investigating. I'm certain that, as usual, the game industry is probably far more secure in its communication protocols than most other "real-world" activities like bank transactions and electronic voting, perhaps even military communications. This would be as a result of the vested interest of those young enough to have the patience and determination in order to hack this communications system.
I'm also certain that even the software developers who write these games have a fun time trying to come up with strategies in order to thwart the hacker community. For them, it is a fun intellectual exercise as well, especially when you are going up against people brighter than you are. So in this sense, it is a sort of chess game with slightly higher stakes on the line. And once a "hacker" has obtained all of this arcane knowledge... what are they supposed to do with that hard-won knowledge? (besides give themselves the best equipment in the game.)
That, I think, is my biggest complaint. Properly designed economies would go a long way to reduce the incentive to cheat. But WoW's economy, especially lately, is spectacularly broken. Most raw materials are worth more than anything you can craft out of them. Low-level items are either useless and impossible to sell, or--if useful--people with high-level alts have priced them at a range no new user can ever afford. I would suggest MMORPG designers spend less time on the technical aspect of the cheats, more time on the internal game economics that motivate them. And no, it's not really the grinding. Just the economy. Raw materials + labor should always have greater value than the raw materials alone, for example.
I find security in MMORPGs to be as bad as you can possibly imagine. I get killed all the time, and there's never any police around to report the crime to. Don't get me started.
I hadn't known there were so many idiots in the world until I started using the Internet -Stanislaw Lem
Use a condom?
I got a copy of their book as part of our multimedia research group. The first half is a reasonably approachable treatment of networked application type security issues; sure, it's constantly making reference to games and gambling, but in an era where most of our students in Comp Sci have played, or do play, online games it makes for an understandable example. I would say we pulled a bunch of stuff out of that for our web apps course and some of it for our general software engineering courses. The latter half, with a rather extensive focus on World of Warcraft and its security from Warden (which now transmits encrypted, so an 'out of the box' view of the book and their software governor won't do you much good), is insightful, if somewhat traumatic to try and read. Unless you're really inclined to go disassembling your online game, much of the benefits of this book can be found elsewhere, but for any game developer it's probably worth reading over a couple of hours to get an appreciation for the sort of attacks you'll face and someone else's take on the same problem in case there's something you've missed.
"Do the security features in Windows Vista -- such as limits on HD playback and signed drivers -- help in fighting cheaters?".
I'm glad I'll be able to use my modded character over an HDMI cable, and I can install a 3rd party device without a signed driver to get around this.
Who thinks up these questions?
That depends on what you want to call "shady." He's certainly not done anything illegal from the looks of it. Mind you, it's not illegal (correct me if I'm wrong) to cheat at online games. From what I gathered reading the article, it deals exclusively with client-side hacks/bots and such--feeding incorrect data back to the server, disabling cheat monitoring software that comes with the game, that kind of stuff. Certainly it's in violation of the Terms of Service of the games, but that really doesn't make it "shady" in any meaningful way.
Obviously, if he had broken into their secured servers, that would be another matter entirely, but from what it seems he did nothing of the sort.
I actually used to play an MMO called Asheron's Call about 6 years ago. I played honestly for about a year, and only made it to level 80 or so. It was a real grind to get anywhere. Eventually my grind partner quit and decided to play another MMO, which left me pretty much alone. I was a member of a 'monarchy', or guild if you may, but it really didn't help alleviate any of my issues.
So I switched to another guild which was well known for their botting. You had to prove yourself before you got access to the bot software though, so I got stuck in what they called an 'experience chain'. Everyone would swear allegiance to someone else, and a portion of your XP would be passed up the chain. If you had good enough leadership and loyalty skills the numbers would actually multiply as it passed up. After leveling a new character to about 70 or 80 with the chain, I was allowed access to the bot software. Of course it was against the game's TOS, but we had our ways around it.
Most of us would run our bots all night farming dungeons, but the admins would show up every once in a while to figure out if we were at the keyboard at all. What we actually did was have all chat communication funneled through an IRC channel that someone was generally watching. Our characters could also be remote controlled from the IRC channel with proper authentication. That defeated their ban stick for a while, because it was only illegal to bot when you weren't at the keyboard.
Eventually the admins got smart and started showing objects to the characters. We were asked to describe the color or what the item was. I do believe it was possible to get around that limitation, but I never stuck around long enough to find out. At about that point I had landed my current job and couldn't devote the time to play any more. And with the botters, you needed to be able to check your character and be available 24/7... even if you weren't actually playing the game all the time.
So I guess my point is, this probably happens already since we were doing it years ago!
Download the free trial for LotRO, create a character and head to Bree. There is a quest there that starts at night, from a ghost near the southern gate; he asks you to find a ring that was lost at some barracks. Yet you don't recall any barracks even being at Bree. It is suggested you ask around.
Want to guess how many people INSTANTLY upon receiving that quest ask where to find this ring? 10%? 20%? I once just parked myself for an hour at night time near that ghost, just to see how many people that came near him would next ask the question. 8 people. 6 asked in public chat, the others might very well have done the quest before or asked in private chat.
People don't want to explore.
SWG had a little exploration and most people never bothered with it until the path to Jedi required it.
On the way back from Dol Dinen to Esteldin you come across a wounded ranger; if you approach, he warns of a trap and you are ambushed by 3 earthkins, fairly tough critters. It isn't a quest, just a bit of color for the game. Again, a bit of social experimentation quickly showed me that most players had NEVER heard of this; quests are shown with a ring, there was no ring, so people didn't explore to see what it was all about because no XP means a waste of time.
It is depressing, but I sadly think that the market has spoken and the market has said, we want more WoW, please don't make us think or give us choices. Lead us by the hand and give us our XP and levels.
And to be fair, I am not sure I entirely disagree. There is a fine line between an open-ended free form quest and sending a player out there without a clue. I remember an Eastern European game, SS (not sure about the name, tactical turn-based squad game in a 3D environment that was totally destructible); it had quests/missions where on higher difficulties you weren't told what to do. You just appeared on a map and good luck finding out what your objectives were. A challenge or wasting my time?
Like many an MMO player I have thought long and hard about how you could make a better game, but I keep hitting the same old problem: can the user handle it, and sadly the answer is no. If you want millions of subscribers you've got to accept that you are developing for an average IQ well below 100. Retards. Lazy retards. Lazy dyslexic retards.
Go on, come up with an idea for a quest or game mechanism and then ask yourself, how will a user who refuses to read or look at his interface deal with it? One of the biggest challenges in the endgame of MMOs comes not from the game itself, but in finding a group of people that after months of play actually managed to get a clue. It sounds amazing, but as a raid leader you would be surprised how many times you get a newbie who must be playing on someone else's account because with their skill they should have died at the loading screen.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
I'd just point out that bypassing Blizzard's 'Warden' monitoring software is not against their TOS. Or at least it didn't use to be. They told us how to bypass it after all the furor about privacy concerns over Warden scanning our systems for all running processes.
Essentially, rather than validating data on their servers, they're pushing an application to the clients to report any process they feel is inappropriate. I personally felt Warden was inappropriate, and never allowed it to run.
It is amazing what you can accomplish if you do not care who gets the credit. -- Harry Truman