Real Flaws in Virtual Worlds
Federico Biancuzzi, 2007-12-20
Is there any suggestion you could make to the users of these games? For example, running the games in a virtualized environment?

Absolutely! We have a checklist in the book of things that all gamers can do to be more secure. You can find the 14-point checklist in chapter 10. One of the things on the list is: Make sure you're comfortable with any spyware the game installed to monitor your PC during gaming sessions.

Another is: Do not run the game as administrator or root.

Beyond cheating, did you see any attempt to break into your system?

So far, malicious hackers have not directly targeted game clients running on other peoples' machines for exploit. Nor have malicious code writers written viruses or worms to go after game clients. It's only a matter of time, though.

Some Trojan Web sites have done what they can do to collect gamers' authentication information so they can loot their characters (and) accounts. In Brazil, a criminal gang even kidnapped a star MMORPG player in order to take away his character, and its associated virtual wealth.

The really interesting thing about online game security is that the attackers are in most cases after software running on their own machine, not software running on somebody else's box. That's a real change. Interestingly, the laws we have developed in computer security don't have much to say about cheating in a game or hacking software on your own PC.

I am not sure if there is broad approval of the full-disclosure culture in the gaming world (considering some "discussions" that happened with researchers like Luigi Auriemma) or of reported bugs that are not fixed at all. From your experience, how do game developers react to submissions of security vulnerabilities?

I am not sure either. From the experiences of my co-author Greg Hoglund, when it came to outing the Warden (the anti-cheating spyware installed by Blizzard to monitor World of Warcraft), it seems apparent that the idea of full disclosure and working with security researchers is not something game manufacturers are used to. Game developers seem to inhabit their own little world.

By and large the people who are looking for exploits in games are less interested in making a name for themselves (by, say, publishing an exploit) and more interested in making money. There are multiple ways to make money given a bug in a game, from cheating for yourself and your own character, to selling the exploit to others. The upshot is that market dynamics in game security are different. It's funny because an open market for non-game exploits is nascent, with the auction site WabiSabiLabi apparently leading the way. Online game exploits already have a mature market with real demand and a clear path to making money.

Blackhats can earn real money through online games exploits, but what about whitehats? For example, with "business" software, whitehats can use their knowledge of new bugs to protect their clients, so I see a good reason for both sides to do bug hunting. But what interest should whitehats have in spotting bugs in games?

The most interesting whitehats do more than just hunt bugs! They do things like teach developers how to do a better job with software security. Of course, just as in other software disciplines, some number of bugs exist in current systems and they need to be uncovered and removed. There is no reason that whitehats can't join game companies in that effort.

To date, I don't believe online game security has grappled with the software security problem the way it should. I'm confident that our book will change that. We've already been contacted by a number of game companies interested in doing a better job with software security.

As a discipline, software security is fairly young. We've made great progress in the last decade and I am looking forward to more. Online games make an ideal case study for software security because they show what we should expect when the next generation of software hits desktops.



Federico Biancuzzi is a freelancer; in addition to SecurityFocus he also writes for ONLamp, LinuxDevCenter, and NewsForge.
Copyright 2010, SecurityFocus