Protecting Games: A Security Handbook for Game Developers and Publishers

Book Description

Security measures are a critical piece of the game development process because they affect not only the player's ability to safely access and enjoy a game but also a publisher's ability to profit from it. Protecting Games: A Security Handbook for Game Developers and Publishers provides IT and game security professionals with the solutions and tools they need to solve numerous game security problems, and an understanding of security principles that can be applied to game projects to prevent security issues. The book covers longstanding issues such as piracy and cheating and also newer concerns like gambling, privacy, and protecting children. Security issues are addressed at the technical, business, operational, and design levels, with both technical and non-technical countermeasures and solutions discussed. Case studies are presented as real-world examples of the types of security concerns games and game developers face. You can easily jump to the key topics that are of interest to you, or work your way through the book. Protecting Games: A Security Handbook for Game Developers and Publishers makes understanding and resolving game security issues less intimidating, and provides practical security solutions that can be applied right away.

Table of Contents

  1. Copyright
    1. Dedication
  2. Acknowledgments
  3. About the Author
  4. About the Contributors
  5. Introduction
    1. Know Your Foe
    2. Structure and Content
    3. Attack Tools and Techniques
    4. Onward
  6. I. The Protection Game
    1. 1. Game Security Overview
      1. What Is Game Security?
        1. When Should You Care About Game Security?
        2. Who Should Worry About Game Security?
        3. The Game Security Challenge
      2. References
    2. 2. Thinking Game Protection
      1. Independence
      2. Lazy, Cheap, or Stupid
        1. Laziness
        2. Being Cheap
        3. Stupidity (Ignorance Is Bliss, for a While)
      3. Threats, Vulnerabilities, and Risk
      4. Beyond Protect, Detect, React
      5. Asymmetric Warfare
      6. Process, Testing, Tools, and Techniques
      7. Second Grader Security
      8. References
  7. II. Piracy and Used Games
    1. 3. Overview of Piracy and Used Games
    2. 4. The State of Piracy and Anti-Piracy
      1. Determining the Scope of Piracy
      2. Trusted Brand Security: Nintendo and ADV
      3. Anti-Piracy Innovators: Nine Inch Nails and Disney
      4. Going Forward
      5. References
    3. 5. Distribution Piracy
      1. Preventing Duplication
      2. Detecting Duplication
      3. Collectables, Feelies, and Other Stuff
      4. Disk as Key
      5. License Keys
        1. Id and Checksum
        2. Public Key Encryption
        3. Online Authorization
      6. Splitting and Key Storage
        1. Splitting Data
        2. Obfuscating Data
        3. Splitting and Obfuscating Data
      7. Busted Pirate: Now What?
      8. References
    4. 6. DRM, Licensing, Policies, and Region Coding
      1. The Basics of DRM
      2. Why DRM Doesn’t Work
      3. Types of DRM Systems
        1. Fingerprinting and Covert Fingerprinting
        2. Watermarking
        3. Security Labels and Tags
        4. Digital Signatures
        5. Encryption
        6. Proprietary Encoding
        7. Obfuscation
        8. Split Delivery
      4. License Policy
      5. References
    5. 7. Console Piracy, Used Games, and Pricing
      1. Attacking Consoles
      2. The Used Games Market
      3. Pricing Pirates Out of Business
      4. References
    6. 8. Server Piracy
      1. Server Piracy Trends
      2. Authenticating the Server
      3. References
    7. 9. Other Strategies, Tactics, and Thoughts
      1. Measuring Piracy
      2. Fighting Pirate Networks
      3. Multi-Player Gaming
      4. Rich Interaction System
      5. Digital Affiliate System
        1. Das Media Asset
        2. DMA Player
        3. DMA Registry
        4. Making Pirates into Resellers
      6. Playing with Secure Digital Distribution
      7. References
    8. 10. Anti-Piracy Bill of Rights
      1. Basic Fair Use Principles
      2. Registration Options
      3. Installation Options
      4. Connection Options
      5. References
    9. 11. The Piracy Tipping Point
      1. Determining the Goal of Anti-Piracy Policies
      2. References
  8. III. Cheating
    1. 12. Overview of Cheating
    2. 13. Cheating 101
      1. Cheating and the Game Industry
      2. Fair Play
      3. Cheat Codes
      4. The CARRDS Reference Model
      5. The Remote Data Problem
        1. State-Based Networking
        2. Client/Authoritative Server Networking
        3. Action-Based Networking
      6. Security, Trust, and Server Architectures
      7. Random Events
      8. Player Collusion
      9. Business Models and Security Problems
      10. References
    3. 14. App Attacks: State, Data, Asset, and Code Vulnerabilities and Countermeasures
      1. Memory Editors, Radar, and ESP
      2. Data Obfuscators
      3. Code Hacks and DLL Injection
      4. Blind Security Functions, Code Obfuscators, and Anti-Tamper Software Design
      5. Save Game Attacks, Wallhacks, and Bobbleheads
      6. Secure Loader and Blind Authentication
      7. References
    4. 15. Bots and Player Aids
      1. Is It “Help” or Is It Cheating?
      2. CAPTCHAs: Distinguishing Players from Programs
      3. Cheat Detection Systems
      4. References
    5. 16. Network Attacks: Timing Attacks, Standbying, Bridging, and Race Conditions
      1. ACID, Dupes, and SQL Attacks
      2. Defensive Proxies
      3. Hacker Proxies
      4. Thinking About Network Time: Act, But Verify
      5. Securing Time
      6. References
    6. 17. Game Design and Security
      1. Design Exploits
      2. Collusion
      3. Trivia Games
      4. Word, Number, and Puzzle Games
      5. Algorithmic Games, Physics Flaws, and Predictable Behavior
        1. Randomize Things a Bit
        2. Use Abstraction
        3. Limitations of Algorithmic Games
        4. Bots are Hard to Fight
      6. Speed, Twitch, Timing, and Pixel Precision
      7. Strong and Dominant Strategies and Deep Game Play
      8. Power of People: Rock-Paper-Scissors, Poker, and the World of Psychology
      9. Game Play Patterns: Combat Devolved
      10. Designing for the Medium
      11. References
    7. 18. Case Study: High-Score Security
      1. Cheating in High-Score Games
      2. Encryption, Digital Signatures, and Hash Functions
      3. Client-Server Option
      4. Randomly Seeded Client
      5. Alternative High-Score Strategies
      6. Puzzles, Skill-Based Games, and Other Deterministic Games
      7. Inappropriate Player Handles
      8. Summary
      9. References
  9. IV. Social Subversion: From Griefing to Gold Farming and Beyond with Game Service Attacks
    1. 19. Overview of Social Subversion
    2. 20. Competition, Tournaments, and Ranking Systems (and Their Abuse)
      1. Understanding Tournaments and Ranking Systems
      2. Lobby Attacks
        1. Tournament and Lobby Spiking
        2. Entry Spreading
        3. Rank Boosting and Busting
      3. Syndicates and Bots
      4. Tournament and Ladder Game Play Attacks
        1. Collusion
        2. Game Configuration
        3. Ghosting
      5. Abandonment: The “Game Over” Game
      6. Game Operator Problems
        1. Bias
        2. Insider Players/Shills
        3. Payment Abuse/Till Fraud/Rake Abuse
        4. Ultra-Violence/Action Hands
      7. Identity Problems
      8. Countermeasures
      9. Retrofitting Games for Tournaments and Skill Games
      10. Summary
      11. Resources
    3. 21. Griefing and Spam
      1. Communications Griefing and Spam
        1. In-Game, Community, and Customer Support
        2. Answers to the Griefing Problem
      2. Game Play Griefing
      3. User-Created Content
      4. Liability and Business Risk
        1. Obscenity
        2. Harassment
        3. Trademark and Copyright Infringement
      5. References
    4. 22. Game Commerce: Virtual Items, Real Money Transactions, Gold Farming, Escorting, and Power-Leveling
      1. Amusement Park Economics
      2. Alternative Models
      3. On Virtual Items
      4. Gold Farming
      5. Gold Frauders, Online Thieves, and Insiders
      6. Potential Solutions
      7. Power-Leveling
      8. Escort Services, Subletting, and Virtual Prostitution
      9. Summary
      10. References
    5. 23. To Ban or Not To Ban? Punishing Wayward Players
      1. Crime, Credibility, and Punishment
      2. The Cost of Punishment: Who’s Being Punished?
      3. Possible Punishments and Credible Deterrence
      4. Summary
      5. References
  10. V. The Real World
    1. 24. Welcome to the Real World
    2. 25. Insider Issues: Code Theft, Data Disclosure, and Fraud
      1. Code Theft and Other Data Disclosures
      2. Office IT Infrastructure
      3. Insider Fraud
      4. Playing Your Own Game
      5. Privileging and Isolation
      6. References
    3. 26. Partner Problems
      1. Contracting Security?
      2. Security Accountability in Third-Party Development
      3. Security Accountability in Third-Party Licensing
      4. Service Provider and Partner Security Issues
      5. Community and Fan Sites
      6. References
    4. 27. Money: Real Transactions, Real Risks
      1. Payment Processing
        1. Using Paypal
        2. Using Moneybookers
        3. Pre-Paid Cards/Game Codes
        4. Other Payment Methods
      2. Inside the Payment Process: PayPal
      3. Anti-Fraud
      4. Integration for Automation
      5. Payment Fraud
      6. References
    5. 28. More Money: Security, Technical, and Legal Issues
      1. PCI-DSS and Security
      2. Account Security, Virtual Items, and Real Money
      3. Money Laundering and Illegal Payments
      4. Money Laundering: Legal Issues
      5. References
    6. 29. Identity, Anonymity, and Privacy
      1. The State of Identity and Anonymity
      2. The Registration Problem and Identity Management Systems
      3. Age Verification
      4. Usage Controls and Game Addiction
      5. Account Compromise, Identity Theft, and Privacy
      6. Legal Requirements for Privacy Protection
        1. Legal Requirements in the US
        2. Legal Requirements for the EU
      7. References
    7. 30. Protecting Kids from Pedophiles, Stalkers, Cyberbullies, and Marketeers
      1. Dealing with Cyberbullies, Pedophiles, and Stalkers
      2. Kids’ Communications, Parental Controls, and Monitoring
      3. COPPA
      4. Children and Identity
      5. Child Pornography
      6. References
    8. 31. Dancing with Gambling: Skill Games, Contests, Promotions, and Gambling Again
      1. What Is Gambling and What Is Not
      2. Accidental Casinos
      3. Skill Games
      4. Miscellaneous Security Issues
        1. Game Service Scams
        2. Poker, Contest, and Skill Game Bots
        3. Live Play
      5. Legal Considerations
        1. Federal Laws and Regulations
        2. State Laws and Regulations
      6. References
    9. 32. Denial of Service, Disasters, Reliability, Availability, and Architecture
      1. What Can Go Wrong, Will Go Wrong
      2. Denial of Service
      3. Scalability and Availability
      4. Sample Game Operations Architecture
      5. Disasters and Disaster Recovery
      6. Contingency Planning
      7. References
    10. 33. Scams and Law Enforcement
      1. Scams in Games
      2. Game Scams
      3. Law Enforcement
      4. Facilities Requirements: Potential Unexpected Laws and Regulations
      5. References
    11. 34. Operations, Incidents, and Incident Response
      1. Secure Operations
      2. Active Measures
      3. Incidents and Incident Response
      4. Public Relations and the Perception of Security
      5. References
    12. 35. Terrorists
      1. Virtual Terrorism
      2. Online Tools for the Modern Terrorist
      3. References
    13. 36. Practical Protection
      1. “We Have Met the Enemy and He Is Us”
      2. The Business of Game Protection
        1. Global Industry Challenges
        2. Security Beyond Technology
        3. Who’s the Boss?
      3. In Closing
      4. References
  11. A. Selected Game Security Incidents
    1. The Gathering Storm
  12. B. Glossary