Slashdot Mirror
The State of Security in MMORPGs
Anonymous writes "Security researchers Greg Hoglund and Gary McGraw poked around in World of Warcraft and other online games, finding vulnerabilities and exploiting the system using online bots and rootkit-like techniques to evade detection. Their adventures in online game security became fodder for the book,
Exploiting Online Games. McGraw
discussed with securityfocus the state of security in modern video games, cheating and anti-cheating systems, how the market for cheats, exploits, and digital objects is growing, what we could learn from the design of these huge systems, and how game developers react to submissions of security vulnerabilities."
The market for cheats and exploits is so large primarily because of the "make it a grind!" trap that most MMORPGs fall into. If you're into a MMORPG, and you "need" cash for a certain item, or to recoup your costs for the last big raid, or what have you, you seem to get one of two choices. You can grind away whatever playtime you have in order to get the cash legitimately, you can buy it from someone that is grinding away (or perhaps using exploits), or you can turn to exploits/hacks/whatever yourself.
I understand that some percentage of the playing population is going to cheat, hack, or use an exploit simply because they can. But if game design didn't make it so attractive to so many people to reap the rewards that go along with it, it would be a pretty minor problem. In my opinion, as soon as you're killing the 3,000th slightly different textured mob for his toe...or running a dungeon you could do in your sleep just to make sure a fellow guild members armor is a little bit different color so you have a shot at the next dungeon, MMORPGs start losing some of their fun. I don't know of too many people that really enjoy running things that are on "farm" status, but there's a necessity to grind it out built into the games.
I know it keeps people hooked longer, but it also keeps the temptation to play...creatively...in people's mind.
"It is a miracle that curiosity survives formal education." -Albert Einstein
Just ask regular players about the security of the MMORPG's that they play.
Most are regular hack fests.
Ultima Online: Scripting in the number one player complaint, but EA doesn't give a rats ass, they never ban, despide their TOS saying otherwise. Other cheats include ways to make players drop items, and using bots to monitor certain parts of the game for the sole purpose of knowing exactly when to raid, and then there is all the speed hacking (EG movement hacks) that goes on.
Lineage II: I played for 6 months, and never met another player, just about 4000 different bots.
LOTRO: Besides the game missing something, it had its share of bots.
WoW: I get spammed with cheat site URL's every time I login, regardless of realm.
Of all the above WoW seems to have it the most under control, but that doesn't mean they don't have room to improve.
Cheating is so rampant in Ultima Online anymore, that the fricken game isn't worth logging into.
Blizzard has a cheat monitor process calls the Warden which scans the active process list for known cheat programs. Hiding from a process scanner is "rootkit-like". It is indeed a war zone out there. I wonder if these guys ever play core-wars.
http://en.wikipedia.org/wiki/Warden_(software)
--
Warden (also known as Warden Client) is an anti-cheating tool integrated in Blizzard Entertainment games such as Diablo II, StarCraft (since patch 1.15), and most notably World of Warcraft. While the game is running, Warden uses API function calls to collect data on open programs on the user's computer and sends it back to Blizzard servers as hash values to be compared to those of known cheating programs.[1] Privacy advocates consider the program to be spyware.[2]
--
Well after reading the article, following links, and such its obvious the biggest thing they exploited with WOW during the course of writing and selling their book is the name. In other words, unless they had referenced WOW their book would be relegated to the dust bins of book sellers.
These two seem hell bent on FUD with Blizzard in regards to Warden. I haven't connected the dots but it appears these are either the same people who flew off the handle when Warden changed or are in the same group. Basically take something and use choice wording and catch phrases to imply sinister behaviour where none really exists. IOW - 911 conspiracy hacks read from the same play book. These guys just seem to be on some damn fool crusade against Warden that it borders on silly. The very same people probably don't blink when it comes to handing over their CC/Debit card to someone behind the counter freak out over a company that actually has to take steps to protect the data the players voluntarily entered when subscribing!
As for WOW itself, location hacks exist as the client and server are not always in synch for these actions. The biggest impact "cheaters" have on WOW is on the non-cheating players. Money transfers between accounts take an hour to complete, sales via the auction house are no longer immediate but instead take an hour, and trial accounts are so restricted that teaching someone to play with one is an exercise in frustration.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
No, it means literally what it says. Rootkit-like techniques to evade detection; specifically, process stealthing.
Because, for example, Blizzard's polymorphic anti-cheat "Warden" tries to scan process lists, the memory space of other processes, window titles - and, if they want, your filesystem - and because it can be updated at any time, if you want to spend any serious time looking at the game in that way, one of the very first things you're going to need is a good stealth driver to pull the wool over its eyes.
It shouldn't be that difficult, you'd think. Both Inner Space and Glider, for example, have modules to do just that, and they're running a kernel mode driver which Warden doesn't have the advantage of, but even so, the stealth is woefully incomplete which is one reason people get massbanned.
Of course the other reason is that bots tend to look rather obvious to any other player, and get reported. The challenge there is to build a better bot, (but since there's chat involved in the game, you'd better get ready for a Turing test; since that isn't an option, discretion is the better part of valour).
Massively just did an interview with John Smedley and touched upon the issue of farmers/plat sellers and how they are using social hacking to bring in profits and hurt the company.
Part 1: http://www.massively.com/2008/01/14/a-ces-interview-with-soe-ceo-john-smedley-pt-1/
Part 2: http://www.massively.com/2008/01/14/a-ces-interview-with-soe-ceo-john-smedley-pt-2/
SOE owns and operates Everquest, Everquest 2, Star Wars Galaxies, and other MMOs.
I think the issue of farming is higher on the radar now than it ever has been. The behinds the scenes things are really frustration. A lot of these farmers are essentially stealing from us. What they do is they charge us back all the time. They use a credit card -sometimes stolen, sometimes not - to buy an account key. They use the account for a month, and then they call the credit card company and charge it back. We have suffered nearly a million dollars just in fines over the past six months; it's getting extremely expensive for us. What's happening is that when they do this all the time, the credit card companies come back to us and say "You have a higher than normal chargeback rate, therefore we'll charge you fines on top of that."
I was a GM in Everquest for several years. I could chime in on my experience, which mostly related to scouting out in-game cheating. We were trained to look for signs of more elaborate types of cheats and report them higher up in the chain.
In most of these games, the main thing wasn't really "cheating" as much as it was "exploiting" flaws of characteristics of the game's design. On some maps it was possible to "fall through the world" and people could effectively position themselves so they could attack monsters but the monsters could not attack them. This was also accomplished by using creative means to get on top of structures in the game geometry that the designers had never intended to be accessible. There were places for example, where we'd often find PCs on roofs in hostile towns attacking high-level NPCs and due to the pathing, were able to not be counter-attacked. There was a constant cat-and-mouse game trying to find out how they were pulling these things off. It was more interesting than annoying usually. I was always impressed by some of the creative ways people would try to give themselves an advantage.
Midway into EQ's popularity a number of software programs started to appear. These really blew the lid off the game's integrity. I forget the name of this one utility, but it was a utility that managed to decrypt the game stream, and due to the way the game was designed, when you entered a zone, this program could identify the coordinates of and nature of every NPC and PC in a certain range. SOE's game design, which often sent more info to the client than the client needed to make available to the user, created a situation where once someone decrypted the data, they had access to what was going on. Suddenly rare NPCs were being killed within minutes of appearing, and when a GM appeared in a zone to investigate, the perps knew instantly we were there and would logoff. Again, a cat-and-mouse game erupted where the developers started routinely changing the game's encryption and eventually they curtailed much of this behavior and made it too difficult to use the software. But at its heyday, the cheats were quite impressed. You'd have your main game client, and then you'd have a second computer sniffing the traffic, decoding it and displaying a real-time map of all PCs and NPCs in the zone. Very high-tech. Also very difficult to catch. Since the cheat program wasn't even on the same PC, programs like WoW's "Warden" wouldn't help. The only way you could identify someone cheating was to watch their in-game behavior. When you'd see PCs make a beeline for a rare NPC within seconds of it spawning, you knew something was up.
Last but not least, in these games, the servers log just about everything. If they want to catch a cheater, the behavior is quite easy to spot. I think the biggest issue with security in MMORPGS isn't being able to catch people cheating, it's trying to figure out how to keep the proper balance between game integrity and profitability. Probably 90% of people playing MMORPGs have broke rules and most of this behavior is on file. The companies cannot afford to take too hard a stance unless the transgressions are creating big problems.
I find security in MMORPGs to be as bad as you can possibly imagine. I get killed all the time, and there's never any police around to report the crime to. Don't get me started.
I hadn't known there were so many idiots in the world until I started using the Internet -Stanislaw Lem
One of the things that you miss here is the fact that many role-playing games (I'm including pencil and dice games here as well as stand-alone video games and MMORPGs) try to give you the simulation of being something which you decidedly are not. You may be a pencil-necked geek with a host of allergies (or in my case an over weight middle-aged software engineer), but you get into the games so that you can live out some sort of fantasy of being something you are not right now.
So the "skills" you acquire are something not entirely related to the activity you are doing "in game".
Still, the comment of a previous poster to your comment here is very appropriate: If you "cheated" your way into gaining a certain position/in game skill level by virtue of a gold farmer or some other hack, you really don't understand all of the subtle methods of using all of the options at your disposal. You certainly won't be able to take on even NPC monsters that would easily be defeated by somebody at your current "in-game" skill level. At the same time, even in a "grind" game (or even more so in those kind of games), you can take somebody with considerable experience in the game and see them excel at achieving in-game ranking even with a brand new character due to their advanced knowledge of techniques used to play the game, including knowledge of various locations and when to fall back and try again some other time.
Heck, I have actually enjoyed starting out all over again from scratch on a few occasions, just to get a little bit of a challenge back into the game. But I level up oh so much faster than my contemporaries who created brand new accounts with me that they just look puzzled when I walk by a couple of days later being twice or three times their "level". In game experience does matter, and it translates across in a whole bunch of ways.
Your suggestion that player rankings (combat levels are just another way for players to compare each other) bring about a desire to push their ranking up with real-world cash is certainly something worth mentioning. But in the long run those are artificially inflated rankings anyway. It doesn't deal with the other problems associated with real-world item trading, and IMHO there will always be those who try to find ways to "cheat" the system with cash. That can be through a faster network connection, better computer/graphics card, cheat program that let's you get an attack in 1/2 second earlier, or whatever means you can think of. This has always been the case, even for games like Doom and Quake that didn't even really have levels to compare against. And I knew people who did "cheat" at Quake and were proud of it.