The State of Security in MMORPGs

Anonymous writes "Security researchers Greg Hoglund and Gary McGraw poked around in World of Warcraft and other online games, finding vulnerabilities and exploiting the system using online bots and rootkit-like techniques to evade detection. Their adventures in online game security became fodder for the book, Exploiting Online Games. McGraw discussed with securityfocus the state of security in modern video games, cheating and anti-cheating systems, how the market for cheats, exploits, and digital objects is growing, what we could learn from the design of these huge systems, and how game developers react to submissions of security vulnerabilities."

Game is realistic

[Anonymous Coward]

When in a MMO game you can exploit rules and get an easy way in life of your caracter (evolving) its like some people exploiting laws for profit to get an easy way of life.

When in a MMO that person gets banned its like people who get caught in real life.

The more tight the rules/law the harder to exploit them. But making a full proof rule/law system? We dont even have that in real life!!

My personal feelings..

[faloi]

The market for cheats and exploits is so large primarily because of the "make it a grind!" trap that most MMORPGs fall into. If you're into a MMORPG, and you "need" cash for a certain item, or to recoup your costs for the last big raid, or what have you, you seem to get one of two choices. You can grind away whatever playtime you have in order to get the cash legitimately, you can buy it from someone that is grinding away (or perhaps using exploits), or you can turn to exploits/hacks/whatever yourself.

I understand that some percentage of the playing population is going to cheat, hack, or use an exploit simply because they can. But if game design didn't make it so attractive to so many people to reap the rewards that go along with it, it would be a pretty minor problem. In my opinion, as soon as you're killing the 3,000th slightly different textured mob for his toe...or running a dungeon you could do in your sleep just to make sure a fellow guild members armor is a little bit different color so you have a shot at the next dungeon, MMORPGs start losing some of their fun. I don't know of too many people that really enjoy running things that are on "farm" status, but there's a necessity to grind it out built into the games.

I know it keeps people hooked longer, but it also keeps the temptation to play...creatively...in people's mind.

Most game companies don't care

[Saffaya]

They don't care if their games are rotten with farmers and trading of game assets/currency.

All they will do is buy external software like GameGard, whose primary function is to hob resources of the customer's PC and make it less stable.

Thus, the low-end PHB will be able to claim to his boss he is actively fighting the problem, with GameGard's monthly invoice in hand for proof.

Meanwhile the players will lament about the enormous parasitic-like farmer population, detrimental to the game itself, and in plain view of anyone who actually logs in the game.

Exploits and WOW.

[Shivetya]

Well after reading the article, following links, and such its obvious the biggest thing they exploited with WOW during the course of writing and selling their book is the name. In other words, unless they had referenced WOW their book would be relegated to the dust bins of book sellers.

These two seem hell bent on FUD with Blizzard in regards to Warden. I haven't connected the dots but it appears these are either the same people who flew off the handle when Warden changed or are in the same group. Basically take something and use choice wording and catch phrases to imply sinister behaviour where none really exists. IOW - 911 conspiracy hacks read from the same play book. These guys just seem to be on some damn fool crusade against Warden that it borders on silly. The very same people probably don't blink when it comes to handing over their CC/Debit card to someone behind the counter freak out over a company that actually has to take steps to protect the data the players voluntarily entered when subscribing!

As for WOW itself, location hacks exist as the client and server are not always in synch for these actions. The biggest impact "cheaters" have on WOW is on the non-cheating players. Money transfers between accounts take an hour to complete, sales via the auction house are no longer immediate but instead take an hour, and trial accounts are so restricted that teaching someone to play with one is an exercise in frustration.

Paradigm Shift

[cheesethegreat]

The only way that online games are going to have a chance at getting away from these issues is with the implementation of skill-based advancement instead of advancement based on accumulated experience/gold. As it stands, a high-level player in many online games doesn't need to have learned any particular skill themselves, but a simple accumulation of wealth via goldsellers to buy high-quality equipment and mindless hack-n-slash, combined with good macros, and they can usually come out on top.

Contrast this approach with what's seen in something like Jumpgate, where players have to actually develop their skill as a pilot in order to be successful in combat. I'd expect that gold-buying in that game is significantly lower per-capita than in your standard grind games like WoW or LotRO.

When we pray for the end of goldselling, what we're really hoping for is the beginning of an era where non-transferable capital (the skill you develop from playing the game) becomes the dominant factor in advancement.

Re:My personal feelings..

[ilikepi314]

Well what if you could easily and legitimately earn all of that money? Then either (a) everyone would have the same ultra expensive weapons, and so it would be boring anyway, driving some of them to use cheats/hacks/exploits to get better stuff than available, or (b) the game keeps creating better and better stuff for sale that gets more and more expensive and people still use cheats/hacks/exploits to be able to say "I got that item first!".

To me, MMORPGs have little to do with following a great story; it's mostly about bragging rights with your friends. (Not that everyone feels this way, but I've met enough to realize its a "Look what I can do!" mentality among most of the people that use game exploits.)

And when bragging rights are involved, people will go to extremes to prove they are better than everyone else. You make it easier for new players to get lots of money, then these other guys will say that's for newbies and hack something else to prove their superiority. I doubt any game constructs will change human nature overnight.

Look, that's the *idea*, people

[DNS-and-BIND]

The whole idea behind online games is twofold: 1) get the reward: better items and more money, and 2) accomplish objective 1 with as little effort as possible. The whole "solve problems creatively" idea is bunk, and besides if anyone actually did provide problems like that, you'd just search online for the answer anyhow. Everybody likes to be ahead of the game, and nobody wants to plod along the old-fashioned way. A sense that you're better than everyone else is expected, and even essential (and not just in video games).

Online games (and any game in which you accumulate posessions) are just variations on a Skinner box. Put a gamer in a box, have him peck away at moving about the world, and give him possessions randomly. It's the same sort of thing that makes people sit in front of slot machines for hours. If they *did* make a hackproof game, only a few people would play it and it would fail financially.

Re:Paradigm Shift

[mapsjanhere]

I don't know if you've ever played in the end game of a MMORPG - but skill is everything. Your fellow players at the highest level know immediately if you're a phony on a bought or borrowed account. Even if you have the skill with one of your classes, most likely we will know when you're on another toon, simply because it's not up to the standards. It's the fraction of a second your spells are late, the way you miss on hits by bad positioning, the choice of buffs you dole out. You can buy all the gold you want (or all the characters) from the commercial players, but you won't get anywhere at the end. At a level where 50 people have to give 99% of their ability to beat an encounter your lack of skill, even in a grind based game, will stick out like a sore thumb.

Re:My personal feelings..

[sholden]

The grind is the game in a MMORPG.

RPGs are about 2 things: story, and building the power level of a character to meet some challenge.

As soon as you add the MMO part the story has to give a bit (there's not just one player (or just one small group) so the player can't be the "chosen one, saviour of the universe" and the game is long term so story is expensive to keep adding to.

The challenge part also suffers, since there is no end. In a traditional CRPG at some point you win the game. The big evil is defeated by your powered up character and the game is over. The MMO part means that never happens, on and on it goes with the power cap getting raised every so often so that there's more grinding to do.

And of course people cheat in single player games, there's even more incentive in a multiplayer game...

Re:My personal feelings..

[brkello]

Eh, this is the same tired point that is pulled out every time there is an article about MMORPGs. "Oh, it's the grind that drives people to cheat...if their were only good designers in the world that could make MMORPGs without grinds." The thing is, the best designers in the world are working on these games. People, in fact, play these games because of the grind. They put effort in to something and then they get a reward. This is the same in real life, except the results take much longer before they occur (or may not occur at all). Take any other game and you see it follows the same model in a different form. Geometry Wars you grind until you beat your next high score. Guitar Hero you grind on a song until you can get 5 stars. Etc. etc.

If you play any game long enough, you are going to get tired of it and want to play another game. That is just being normal.

As far as cheating goes, some will do it for the challenge. Most of the others will just do it because they want to be better than their friends. It is a competition. It's a dumb place to want to be recognized...but people do it. If people hated the game, they just wouldn't play it anymore. They love the game, they just want an edge over others and will do whatever they can to get there faster. The grind is in everything...just it is just popular to bash it in here since people on here like to bash what other people enjoy instead of actually coming up with anything better.

Economics

[DJ_Adequate]

That, I think, is my biggest complaint. Properly designed economies would go a long way to reduce the incentive to cheat. But WOWs economy, especially lately, is spectacularly broken. Most raw materials are worth more than anything you can craft out of them. Low-level items are either useless and impossible to sell, or--if useful--people with high level alts have priced them at a range no new-user can ever afford. I would suggest MMORPG designers spend less time on the technical aspect of the cheats, more time on the internal game economics that motivate them. And no, it's not really the grinding. Just the economy. Raw materials + labor should always have greater value than the raw materials alone, for example.

Re:My personal feelings..

[hitmark]

and therefor i go check the micropayment and free to play games listed at:
www.mmorpg.com ;)

Re:Cheating in online games

[dc29A]

The program you think of was ShowEQ. Also, this was a direct result of retarded game design by Sony where by one dragon can only be killed by one group of people per week, unlike the current crop of MMOGs where everything is instanced and this is no longer a problem.

Just the way ShowEQ was a direct result of game design flaws in EverQuest, the same way leveling bots are for other games or ingame currency selling for real life money and whatnot. Game design flaws will result in hacks, bots and currency trading.

Re:Look, that's the *idea*, people

[murdocj]

The whole idea behind online games is twofold: 1) get the reward: better items and more money, and 2) accomplish objective 1 with as little effort as possible.

The rewards are nice. But that's not why I play. I play WoW for the same reason I play any game, to have fun. If I'm not having fun *while I'm playing* it's not worth it, no matter what the reward is. As an example, I do some player vs player combat in one of the zones (Halaa) when the chance comes up. You get tokens for doing this that you can use to buy gear. Well, I've looked at the gear and it's not interesting to me. I do the combat because I enjoy it, NOT because I can grind away and get some uber loot someday.

Re:My personal feelings..

[NeutronCowboy]

People rely on the "grinding" aspect because it's the easiest to develop and balance properly.

Actually, I think there's a more insidious reason people rely on the grinding aspect: it allows developers to create the strongest reward mechanism; one that leads to behavior most closely related to addiction: random rewards at random intervals. It's convenient that it is the easiest to implement, but one reason we haven't progressed past it (and, in the case of Ultima, regressed to it) is that it is the single best way to keep players coming back for more.

Sorry for digressing, but that's the one thing that bugs me about most MMOs right now: they are designed as a massive grind fest.

Re:Paradigm Shift

[Teancum]

One of the things that you miss here is the fact that many role-playing games (I'm including pencil and dice games here as well as stand-alone video games and MMORPGs) try to give you the simulation of being something which you decidedly are not. You may be a pencil-necked geek with a host of allergies (or in my case an over weight middle-aged software engineer), but you get into the games so that you can live out some sort of fantasy of being something you are not right now.

So the "skills" you acquire are something not entirely related to the activity you are doing "in game".

Still, the comment of a previous poster to your comment here is very appropriate: If you "cheated" your way into gaining a certain position/in game skill level by virtue of a gold farmer or some other hack, you really don't understand all of the subtle methods of using all of the options at your disposal. You certainly won't be able to take on even NPC monsters that would easily be defeated by somebody at your current "in-game" skill level. At the same time, even in a "grind" game (or even more so in those kind of games), you can take somebody with considerable experience in the game and see them excel at achieving in-game ranking even with a brand new character due to their advanced knowledge of techniques used to play the game, including knowledge of various locations and when to fall back and try again some other time.

Heck, I have actually enjoyed starting out all over again from scratch on a few occasions, just to get a little bit of a challenge back into the game. But I level up oh so much faster than my contemporaries who created brand new accounts with me that they just look puzzled when I walk by a couple of days later being twice or three times their "level". In game experience does matter, and it translates across in a whole bunch of ways.

Your suggestion that player rankings (combat levels are just another way for players to compare each other) bring about a desire to push their ranking up with real-world cash is certainly something worth mentioning. But in the long run those are artificially inflated rankings anyway. It doesn't deal with the other problems associated with real-world item trading, and IMHO there will always be those who try to find ways to "cheat" the system with cash. That can be through a faster network connection, better computer/graphics card, cheat program that let's you get an attack in 1/2 second earlier, or whatever means you can think of. This has always been the case, even for games like Doom and Quake that didn't even really have levels to compare against. And I knew people who did "cheat" at Quake and were proud of it.

Re:My personal feelings..

[spun]

I know they are, but the quests I've seen are hard wired, and that is what I'm suggesting they change. Write generic quests that can be activated at various points, filling in the blanks with relevant details at the time of activation. Everyone gets a different quest.

Also, with more sim elements in MMORPGs, there could easily be real impact on the game world. Not every quest has to be epic, some could result in minor changes, such as new shops opening up, new cities being founded, factions gaining or losing support, and so forth.

Re:My personal feelings..

[randomaxe]

Geometry Wars you grind until you beat your next high score. Guitar Hero you grind on a song until you can get 5 stars. Etc. etc.

The difference here is that this isn't "grinding", this is practice.

If you play a song over and over in Guitar Hero, you get better at it, which eventually allows you to get five stars. You, the player actually get better at the game. In most MMORPGS, however, grinding is mere repitition, doing something over and over and over for experience points (or something similar), to improve the game character. The player is no better at the game, the game character is merely powered up.

Ultimately, these things differ in that the former affects the real world and the latter only affects the game world; if I play a song enough to get five stars in Guitar Hero, I can likely go to someone else's house and five-star it there, too. If I delete my character in an MMORPG, I forever lose all of the progress that was made, and getting a new character back to my old character's level requires going through all of that grinding all over again. While I may have figured out some easy ways to gain experience, I am still no better at the game itself. And really, I don't have to do anything challenging in the course of my grinding, because there is always some simple task (easy battles, for example) that can simply be done over and over to accrue easy experience.

To this extent, Guitar Hero (and Geometry Wars, and most non-RPGs, really) is no more a "grind" than any other skill-based activity that you do in the real world. Is writing code "grinding"? What about painting? Soldering? Singing? Playing cards? Cooking? Sex?

Re:Interview with Sony Online Entertainment CEO

[Anonymous Coward]

I think the issue of farming is higher on the radar now than it ever has been. The behinds the scenes things are really frustration. A lot of these farmers are essentially stealing from us. What they do is they charge us back all the time. They use a credit card -sometimes stolen, sometimes not - to buy an account key. They use the account for a month, and then they call the credit card company and charge it back. We have suffered nearly a million dollars just in fines over the past six months; it's getting extremely expensive for us. What's happening is that when they do this all the time, the credit card companies come back to us and say "You have a higher than normal chargeback rate, therefore we'll charge you fines on top of that."

Boo hoo. This is a business opportunity staring you right in the face and you whine about it like a little bitch? Try this:

1. Sell the game's boxed set with a game card that includes playtime, enough to cover any chargebacks and chargeback fees for a single month. (Basically, pay for 2 months, get 1 month, hide the fee in the price of the boxed set.)
2. If the first card payment isn't charged back, give the player a "Free Month" (that they already paid for in the price of the boxed set) for being such a "valuable member" of our "online community".
3. Profit like hell, knowing that chargeback thieves have already paid their dues at retail, and legitimate customers are happy you've "rewarded" them.

Anybody with a business degree that can't figure this out doesn't deserve to be a CEO. This lack of business leadership may also explain why Star Wars Galaxies tanked into nothing.

Tale of a WoW botter

[Anonymous Coward]

MMO's strike at the heart of the American lifestyle - the struggle to be #1. This isn't Mario where at best you beat the game in 20 minutes and put a video on youtube. You build up a character to become supreme then show it off.

Problem is the path to superiority in MMO's isn't done through skill, but rather time invested. Bots are not good players, but are good at investing time.

When MMO's hit mainstream that reward skill before time, then the bots will dissapear.

Re:Economics

[_Sprocket_]

But WOWs economy, especially lately, is spectacularly broken. Most raw materials are worth more than anything you can craft out of them. Low-level items are either useless and impossible to sell, or--if useful--people with high level alts have priced them at a range no new-user can ever afford. ...

Raw materials + labor should always have greater value than the raw materials alone, for example.

Economy is a funny thing. The value of something isn't always straight forward.

Raw materials have more value because well-funded individuals need them to grind up their crafting skill not because they need the actual items the raw materials are being used to create. The end products don't sell well because there's too much supply for the demand - not because they're necessarily useless. You can tell this is the case because non-crafted low level items (that can't be mass produced like crafted items) will fetch premium prices if they have the right stats - as you noted.

This isn't a flaw in the various economies of WoW worlds. It is just how economies work. And the fact that a lot of people are interacting in these economies without paying much attention to what's going on.

Crafting is a great example of this. My advice to all new players is to NOT get in to crafting. Pick two gathering professions (or a profession like enchanting that gives you something akin to gathering - disenchanting items in to raw components - but ignore the crafting aspect). Spend all your up-and-coming levels selling or trading in raw supplies (either in the AH, suppling mats to crafters to make you items you want and giving the crafter a "free" skill point, or being the go-to guy for your guild's supply needs). Once you're high leveled and established, THEN it's time to decide on whether you really need to craft items. If so, you can better afford it (and you can give a financial leg-up to all the other gatherers feeding the market like you did). If not, you've saved yourself from the expense of training for a skill that's probably well represented in an already over-crowded market.

Re:My personal feelings..

[_Sprocket_]

If it's the "grind" that makes people cheat I wonder how they explain, Counterstrike, UT, etc...

Oddly enough, one common excuse for that ilk of cheater is that they have "a life" and can't spend all their time playing Counterstrike, UT, etc. Essentially they're talking about a different kind of grind - developing the skill to playing the game. Yet skill is what the "flawed grinding mechanism" meme folks seem to call for.

It seems to me what we're really dealing with is a demand for instant satisfaction. And not just any form of satisfaction; it's got to be "I'm better than everyone else" flavored. But instant. With marshmellows.

Now this is a good interview

[angus_rg]

"Do the security features in Windows Vista -- such as limits on HD playback and signed drivers -- help in fighting cheaters?".

I'm glad I'll be able to use my modded character over an HDMI cable, and I can install a 3rd party device without a signed driver to get around this.

Who thinks up these questions?

Can the players handle it?

[SmallFurryCreature]

Download the free trial for Lotro, create a character and head to Bree. There is a quest there that starts at night, from a ghost near the southern gate, he asks you to find a ring that was lost at some baracks. Yet you don't recall any baracks even being at bree. It is suggested you ask around.

Want to guess how many people INSTANTLY upon receiving that quest ask where to find this ring? 10%? 20%? I once just parked myself for an hour at night time near that ghost, just to see how many people that came near him would next ask the question. 8 people. 6 asked in public chat, the others might very well have done the quest before or asked in private chat.

People don't want to explore.

SWG had a little exploration and most people never bothered with it until the path to Jedi required it.

On the way back from Dol Dinen to Esteldin you come across a wounded ranger, if you approach he warns of a trap and you are ambushed by 3 earthkins, fairly though critters. It isn't a quest, just a bit of color for the game. Again a bit of social experimentiation quickly showed me that most players had NEVER heard of this, quests are shown with a ring, there was no ring so people didn't explore to see what it was all about because no XP means a wast of time.

It is depressing, but I sadly think that the market has spoken and the market has said, we want more WoW, please don't make us think or give us choices. Lead us by the hand and give us our XP and levels.

And to be fair, I am not sure I entirely disagree. There is a fine line between an open-ended free form quest and sending a player out there without a clue. I remember a east european game, SS (not sure about the name, tactical turnbased squadgame in 3D enviroment that was totally destructable), it had quests/missions where on higher difficulties you weren't told what to do. You just appeared on a map and good luck finding out what your objectives were. A challenge or wasting my time?

Like many a MMO player I have thought long and hard about how you could make a better game, but I keep hitting the same old problem, can the user handle it and sadly the answer is no. If you wants millions of subscribers you got to accept that you are developing for an average IQ well below 100. Retards. Lazy retards. Lazy dyslexic retards.

Go on, come with an idea for a quest or game mechanism and then ask yourselve, how will a user who refuses to read or look at his interface deal with it. One of the biggest challenges in the endgame of MMO's comes not from the game itself, but in finding a group of people that after months of play actually managed to get a clue. It sounds amazing but as a raid leader you would be suprised how many times you get a newbie who must be playing on someones elses account because with their skill they should have died at the loading screen.