Massively multiplayer online role playing games (MMORPGs), such as World of Warcraft, have millions of subscribers interacting online, which makes security tricky business.
Security researchers Greg Hoglund and Gary McGraw poked around in World of Warcraft and other online games, finding vulnerabilities and exploiting the system using online bots and rootkit-like techniques to evade detection. Their adventures in online game security became fodder for the book, Exploiting Online Games.
SecurityFocus contributor Federico Biancuzzi tracked down McGraw to learn more about the state of security in modern video games, asking about cheating and anti-cheating systems, how the market for cheats, exploits, and digital objects is growing, what we could learn from the design of these huge systems, and how game developers react to submissions of security vulnerabilities.
SecurityFocus: Could you introduce yourself?
Gary McGraw: I am the chief technology officer of Cigital and a software security expert. I've been working in computer security since 1995 when I got my Ph.D. from Indiana University. I got started thinking about programming languages and security when Java came out. I wrote the book Java Security (Wiley 1996) with Ed Felten from Princeton.
Soon after that I became very interested in knowing why it was that amazingly good architects, developers, and languages people (such as the inventors of Java) were in the dark when it came to security. Looking around, it became clear that there was not much work published about software security, so I wrote Building Secure Software with John Viega in 2000.
That book touched off a paradigm shift in computer security. Since then I've published a number of books helping to steer that field's evolution, including Exploiting Software (with Greg Hoglund) and Software Security.
As you might imagine, my new book Exploiting Online Games has plenty to say about software security. From my perspective as a scientist the most interesting thing about online game security is that the kinds of problems and issues we describe and discuss in the book are a harbinger of software security issues to come as the world embraces service-oriented architecture (SOA) and Web 2.0 designs.
How did you get interested in online games?
Greg Hoglund, my co-author, conned me into it. Greg had been working in online game security for several years before we started collaborating on the book. He gave an advanced talk about cheating in online games in 2006 at Black Hat, describing rootkit-based techniques that thwart detection. Once Greg showed me what he was doing, it was clear that there was plenty to write about. The topic is incredibly cool because it involves the intersection of the law, money, and technology.
The more I dug into online game security, the more interesting things became. There are multiple threads intersecting in our book: hackers who cheat in online games and are not detected can make tons of money selling virtual items in the middle market; the law says next to nothing about cheating in online games, so doing so is really not illegal; the kinds of technological attacks and exploits that hackers are using to cheat in online games are an interesting bellwether; software is evolving to look very much like massively distributed online games look today, with thick clients and myriad time- and state-related security problems. The book has a chapter on the law, a chapter on money, and lots of explicit discussion of very interesting software security problems. It's also a no-holds-barred, hands-on kind of book with lots of code and ideas you can sink your teeth into.