The State of Security in MMORPGs
Anonymous writes "Security researchers Greg Hoglund and Gary McGraw poked around in World of Warcraft and other online games, finding vulnerabilities and exploiting the system using online bots and rootkit-like techniques to evade detection. Their adventures in online game security became fodder for the book, Exploiting Online Games. McGraw discussed with SecurityFocus the state of security in modern video games, cheating and anti-cheating systems, how the market for cheats, exploits, and digital objects is growing, what we could learn from the design of these huge systems, and how game developers react to submissions of security vulnerabilities."
Just ask regular players.... (Score:4, Informative)
Most are regular hack fests.
Ultima Online: Scripting is the number one player complaint, but EA doesn't give a rat's ass, they never ban, despite their TOS saying otherwise. Other cheats include ways to make players drop items, and using bots to monitor certain parts of the game for the sole purpose of knowing exactly when to raid, and then there is all the speed hacking (e.g. movement hacks) that goes on.
Lineage II: I played for 6 months, and never met another player, just about 4000 different bots.
LOTRO: Besides the game missing something, it had its share of bots.
WoW: I get spammed with cheat site URLs every time I log in, regardless of realm.
Of all the above WoW seems to have it the most under control, but that doesn't mean they don't have room to improve.
Cheating is so rampant in Ultima Online anymore, that the fricken game isn't worth logging into.
Re:My personal feelings.. (Score:5, Informative)
The article touched on game dev reactions to bug reports. I've seen negative reactions to bug reports myself. In one game I was a developer for, I once did a security audit of the code and was appalled at what I found. With almost no effort, I was able to craft an in-game exploit that would wipe the hard drive of every user logged into the game who tried to bring up a URL. I had to push and push to get it fixed. Almost any bug that was security related, they didn't want to address; they were much more afraid of introducing gameplay bugs that might come as a side effect to fixing security bugs, and more afraid of having the schedule slip. Almost none of the strings in the game were checked for length or null termination when operations were done on them. It really disturbed me (and also reinforced to me why game code shouldn't be written in C; at least use C++, people...)
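An added example, not part of the comment above or of any game's code: a bounded copy for a fixed-size wire field that may arrive without a NUL terminator, the kind of length and termination check the commenter found missing. The function name, result codes and buffer sizes are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example. */
enum copy_result { COPY_OK = 0, COPY_TOO_LONG = -1, COPY_BAD_ARG = -2 };

/*
 * Copy a string from a fixed-size, untrusted wire field (a chat line or a
 * character name, say) into dst. The field may use all field_len bytes
 * with no terminating NUL, so strlen() or strcpy() on it could run past
 * the end of the packet. On success dst is NUL-terminated and *out_len is
 * its length. Oversized input is rejected rather than truncated, so two
 * different names cannot collapse into the same stored value.
 */
enum copy_result copy_wire_string(char *dst, size_t dst_cap,
                                  const char *field, size_t field_len,
                                  size_t *out_len)
{
    if (dst == NULL || field == NULL || out_len == NULL || dst_cap == 0)
        return COPY_BAD_ARG;

    /* Bounded length: stop at the first NUL or at the end of the field. */
    const char *nul = memchr(field, '\0', field_len);
    size_t len = nul ? (size_t)(nul - field) : field_len;

    if (len >= dst_cap) {           /* need len bytes plus the NUL */
        dst[0] = '\0';
        return COPY_TOO_LONG;
    }
    memcpy(dst, field, len);
    dst[len] = '\0';
    *out_len = len;
    return COPY_OK;
}

int main(void)
{
    const char raw[4] = { 'a', 'b', 'c', 'd' };  /* constructed, no NUL */
    char name[8];
    size_t n = 0;
    if (copy_wire_string(name, sizeof name, raw, sizeof raw, &n) == COPY_OK)
        printf("%s (%zu bytes)\n", name, n);
    return 0;
}
```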
Re:Just ask regular players.... (Score:1, Informative)
However, the AH prices for those items that can be sold and bought are pretty screwed up. Anything that's worth buying has seriously inflated prices while everything else doesn't sell at all (random greens sell for slightly above the vendor price due to enchanters leveling their skill, but that's about it). Of course most of those things are achievable without cheating - just by spending lots and lots of time online with enough characters...
Another problem is that leveling a new character on a realm where you don't have higher level characters requires you to choose a class that isn't too gear-dependent, since any gear worth having will be very difficult to get - since most similar level chars are twinks...that has nothing to do with cheating, but the item price inflation problem is very much related.
Re:Not just the game... (Score:3, Informative)
SE is dropping the ball in this area though, I know a few people that got screwed and lost their accounts like this.
Re:Cheating in online games (Score:2, Informative)
What really made things bad though was Macroquest II. Even though this was required to be recompiled with every new patch, this is what made many of the exploits possible. Even SOE knew how rampant its use was but they would not go after people using MQ for its passive features (i.e. maps, targeting, healbot macros, etc.) but people using it for the active exploiting (i.e. teleporting, attacking any mob in a zone from the zone line, etc.).
Re:From a mainstream publisher (Score:3, Informative)
Essentially, rather than validating data on their servers, they're pushing an application to the clients to report any process they feel is inappropriate. I personally felt Warden was inappropriate, and never allowed it to run.
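An added example, not part of the comment above and not any publisher's code: a server-side reachability check of the sort the commenter contrasts with client-side process scanning, refusing position claims that imply speed hacking or teleporting. The limits, struct layout and function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed limits for this example; real values are game-specific. */
#define WORLD_MIN 0.0
#define WORLD_MAX 4096.0
#define MAX_SPEED 7.0    /* world units per second */
#define SLACK     1.10   /* 10% tolerance for network jitter */

/* t_ms is the server's receive time, never a client-supplied clock. */
struct pos { double x, y; uint64_t t_ms; };

enum move_verdict { MOVE_OK, MOVE_OUT_OF_WORLD, MOVE_BAD_TIME, MOVE_TOO_FAST };

/* Written so that NaN and infinities fail the comparison. */
static int in_world(double v) { return v >= WORLD_MIN && v <= WORLD_MAX; }

/*
 * Decide on the server whether a client-reported position is reachable
 * from the last accepted one. On any verdict other than MOVE_OK the caller
 * keeps `last` as the authoritative state.
 */
enum move_verdict check_move(const struct pos *last, const struct pos *claim)
{
    if (!in_world(claim->x) || !in_world(claim->y))
        return MOVE_OUT_OF_WORLD;
    if (claim->t_ms <= last->t_ms)
        return MOVE_BAD_TIME;

    double dt = (double)(claim->t_ms - last->t_ms) / 1000.0;
    double dx = claim->x - last->x, dy = claim->y - last->y;
    double reach = MAX_SPEED * SLACK * dt;

    /* Compare squared distances so no sqrt() is needed. */
    if (dx * dx + dy * dy > reach * reach)
        return MOVE_TOO_FAST;
    return MOVE_OK;
}

int main(void)
{
    struct pos last = { 100.0, 100.0, 1000 };   /* constructed samples */
    struct pos jump = { 900.0, 100.0, 2000 };   /* 800 units in one second */
    printf("verdict=%d\n", check_move(&last, &jump));
    return 0;
}
```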
Re:My personal feelings.. (Score:3, Informative)
Anyone writing Massive servers in Java (or C#) should be billed the full ongoing costs of the extra iron that they require. Quite apart from the inherent overheads of VMs, those languages automagically spawn threads for network activity, rather than allowing you to perform non-blocking access from a smaller thread pool. They simply don't scale up well. A few dozen players, fine, hundreds, OK, but you hit the thousands and you're spending a significant amount of your cycles just thrashing between threads.
Java and C# people will likely deny it, but then they were always pretty big on cognitive dissonance.