White Hat Hackers?

Posted: September 25, 2007 by zobek in General Game Concepts, Interesting, The Gaming Industry

I was browsing the shelves of my local Barnes & Noble the other day when I came upon this:

Cover of Exploiting Online Games

(Full details at bn.com)

Yes, your eyes aren’t fooling you. That’s the cover of a book titled “Exploiting Online Games: Cheating Massively Distributed Systems”. Perhaps you’ve heard of it already, though perhaps not. It was published in July of this year as part of the Addison-Wesley Software Security Series, but as far as I can tell, received very little coverage apart from mentions on a few security blogs. The only gaming coverage I could find at all was a review at Ten Ton Hammer.

Now, I’m one of the first to advocate transparency when it comes to security issues. I agree that making knowledge of vulnerabilities known is a good thing. I even agree with the philosophy of white hat hackers who find system flaws in order to make improvements.

Even so, I’m not sure how I feel about a book such as this.

The thing is, this book seems to go a step beyond just discussing security flaws.

I took a little time to peruse its pages, to see exactly what it contained… never judge a book by its cover, right? The content within is presented as a veritable ‘how-to’ for identifying weaknesses in the massively complex systems of game servers. There are even code samples provided for taking advantage of these vulnerabilities… and not just snippets, either. Practically complete code is provided, almost ready for the average script-kiddie to run, save for the fact that memory addresses are blocked out.

Even so, the book provides enough information that a reasonably skilled person would be able to find the information using the tools described and searching online.

There are even sections on how to build a bot to run the game for you.

I’m concerned about the impact that content like this can have on the MMO gaming community. By and large, in order to find out information like this in the past, you either had to have technical training in software/game development, know where and what to search for on the Internet, or at the very least have someone who could “hook you up.”

Now, anyone who can browse a store shelf has access to the same information, quite possibly leading them to discover – and take advantage of – the next big exploit, when they wouldn’t have had a clue before.

Maybe I’m just being cynical and jaded. I want to hope that people will use the gained knowledge responsibly and with discretion, but there’s truth in the saying that it only takes one bad apple to ruin the whole barrel, too.

What do you think? Am I overreacting? Is the book sensationalist? Or does it cover a topic that you feel has been woefully underrepresented in the press? If you’ve got a copy yourself, we’d especially love to hear from you.

  1. i’ll play the bad guy here and say that i think this is a good book and a good lesson. as an indie game developer, this topic stays close to heart as i obviously am drastically affected by exploits and hackers. having said that, i believe EVERY possible way to exploit a game should be posted and known publicly. i believe this for one main reason: with knowledge, comes change. if everyone knows certain ways typical games can be exploited, it forces us as developers to build the code the way it should have been built to begin with.

    although all the TOCs and EULAs for our MMOG projects include (or will include) legal action against exploiters to the tone of banning at the least, i am not one who likes having that policy. if i build a game and it is exploitable, then i want people to find them and force me to fix it. if no hackers ever existed, where would security be now?

  2. Illuminator says:

    Although developers add their own twist from product to product, basic game structure, behavior, and network communication fundamentals are shared. Exposing even fixed bugs is stupidity because it teaches people to recognize hacking patterns and encourages some to use this learning to figure out their own. Security through obscurity should never be the final defense but it makes one hell of a fantastic front line defense.
