
Jan 20, 2005



Games really have to get out of the bad habit of only running nicely in admin accounts. At some point I expect Microsoft will strongly encourage users to run as a limited user, probably through a future version of Windows. Right now I suspect the majority of users are running as full admin, and that's putting them at some risk.

What does this mean for virtual worlds? It means the clients shouldn't write anything into c:\program files unless necessary - there are other, well-documented places to put this kind of data. So when it comes time to download a patch, the patcher UI is going to need to prompt the user for admin details or similar so it can run temporarily as that user. Or say 'log on as admin please'. The issue with writing data into program files is that an attacker could replace code with his own, and when that code was run under an administrative context, the attacker's code would get those rights.

None of this stuff ought to be new, it's been in the Windows Logo program guidelines for about 10 years.

Microsoft's program manager for Security has a few interesting videos over at their Channel 9 site (http://channel9.msdn.com/ShowPost.aspx?PostID=14792).
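
The risk the comment above describes (a game directory that ordinary users can write into, so a swapped binary later runs with admin rights) is something an administrator can check for. The following is an added example, not code from the original post or from any game mentioned on this page: it parses the text the Windows `icacls` utility prints for a directory and reports every low-privilege principal that still holds write, modify or delete rights there. The sample `icacls` output is constructed for the demo, not captured from a real machine, and the directory names in it are made up.

```python
"""Spot game install directories whose ACLs let a non-admin user replace code."""
import re

# Groups that every interactive, non-admin user is a member of.
LOW_PRIV_PRINCIPALS = {
    "Everyone",
    "BUILTIN\\Users",
    "NT AUTHORITY\\Authenticated Users",
    "NT AUTHORITY\\INTERACTIVE",
}

# icacls right abbreviations (simple and specific) that allow creating,
# changing or deleting files: enough to swap an executable for a hostile one.
WRITE_RIGHTS = {"F", "M", "W", "D", "DE", "WD", "AD", "WA", "WEA", "DC",
                "WDAC", "WO", "GW", "GA"}

# Inheritance markers that appear in the same parentheses as rights.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}

_PRINCIPAL = (r"(?:NT AUTHORITY|NT SERVICE|CREATOR OWNER|BUILTIN|Everyone"
              r"|[^\s\\:]+)(?:\\[^:\\]+)?")
_ACE = rf"(?P<who>{_PRINCIPAL}):(?P<flags>(?:\([^)]*\))+)"
_FIRST = re.compile(rf"^(?P<path>\S.*?) {_ACE}$")   # "<path> <principal>:(..)"
_CONT = re.compile(rf"^\s+{_ACE}$")                  # indented follow-up ACE

# Constructed sample output, shaped like "icacls <dir>" for three directories.
SAMPLE_ICACLS = r"""C:\Program Files\ExampleGame NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                             BUILTIN\Administrators:(I)(OI)(CI)(F)
                             BUILTIN\Users:(I)(OI)(CI)(RX)
C:\Games\ExampleGame Everyone:(OI)(CI)(F)
                     BUILTIN\Administrators:(I)(OI)(CI)(F)
C:\Program Files\OtherGame BUILTIN\Users:(I)(OI)(CI)(RX)
                           BUILTIN\Users:(I)(CI)(WD,AD)

Successfully processed 3 files; Failed processing 0 files
"""


def _rights(flags):
    """Turn "(I)(OI)(CI)(RX)" or "(WD,AD)" into the set of right tokens."""
    tokens = set()
    for group in re.findall(r"\(([^)]*)\)", flags):
        for tok in group.split(","):
            tok = tok.strip().upper()
            if tok and tok not in INHERIT_FLAGS:
                tokens.add(tok)
    return tokens


def parse_icacls(output):
    """Yield (path, principal, rights) for every ACE in icacls output."""
    path = None
    for line in output.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        m = _CONT.match(line) if line[0].isspace() else _FIRST.match(line)
        if m is None:
            raise ValueError(f"unrecognised icacls line: {line!r}")
        if "path" in m.groupdict():
            path = m.group("path")          # first line of a new directory
        yield path, m.group("who"), _rights(m.group("flags"))


def find_user_writable(output):
    """Map each directory to the low-privilege principals that can write into it."""
    findings = {}
    for path, who, rights in parse_icacls(output):
        granted = sorted(rights & WRITE_RIGHTS)
        if who in LOW_PRIV_PRINCIPALS and granted:
            findings.setdefault(path, []).append((who, granted))
    return findings


if __name__ == "__main__":
    for directory, aces in find_user_writable(SAMPLE_ICACLS).items():
        for who, granted in aces:
            print(f"{directory}: {who} can {','.join(granted)}")
```

On a real machine the text would come from running `icacls "C:\Program Files\<game>"` and piping the result in; the parser flags the two made-up directories where `Everyone` has full control and where `BUILTIN\Users` can add files, and passes the one that only grants users read-and-execute.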


This is becoming more of an issue as extensible clients become more common. Although SWG's macros don't contain the ability to execute arbitrary code, it's entirely possible that there's a buffer over-run hole or something similar in there. AC1's Decal system (which was entirely third-party) is wide open to exploitation, and there are probably some potential "gotchas" in WoW's client extensions. Tribes 1 and 2 had *very* extensible clients (script writers had access to nearly everything the original UI programmers built), including the ability to run outside DLLs and executables.

There are a lot of pluses to extensible clients (leveraging the userbase to throw many thousands of programmer hours at the UI, specialized UIs that it wouldn't be cost-effective to implement in-house, side-tracking the hacking urge into something constructive). But there are going to be some very big messes while we figure out how to handle the process.

What I would like to see (and eventually expect) would be an "Authorized Extension" system, where the client and servers contained management for UI extensions that had been approved. You could run any UI extension you wanted if you were writing it yourself, in a protected memory space with lots of debugging and security hooks (which would slow the code down considerably). For a fee, you could submit your extension for review by the game operator, who would examine it to see if it was well-behaved, original, and well enough documented to be supportable, then make it available to players on a micropayments plan (add 25 cents to a dollar to your monthly fee for that month if we're talking a one-time fee, pennies to nickels if we're talking monthly renewal), remitting most of the micropayment to the author and keeping the rest to defray support costs. If an extension costs more to support than it makes in micropayments, it gets pulled or a surcharge is added. Possibly the agreement with the author would require them to provide support (if you are getting a nickel a month from 20K players, a few hours a week supporting it is a reasonable exchange). I like that better, actually: not only does it move the cost off my books, it gives the creators incentive to fix their bugs and provide good built-in help.

People could still bypass your authorized system by running scripts they had downloaded in debug mode, but a few strategically placed nag screens about the unreliability and dangers of unauthorized extensions (à la Microsoft's "Signed Drivers" program) and a couple of inevitable trojan incidents would keep that to a minimum. Players get better UIs, operators get happier customers, an independent workforce they don't have to pay, and more money, and extension authors get paid without the hassles and freeloading of your typical shareware situation.

There are some liability concerns there, which a good lawyer would have to look at and write the agreements for. And I'm not sure what labor laws would say about the status of the extension authors.
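
The load-time half of the "Authorized Extension" scheme described in the comment above can be sketched in a few dozen lines. What follows is an added example, not code from the original post or from any game client named on this page. It assumes the operator publishes a manifest of reviewed extensions keyed by the SHA-256 of each extension's source, and that the manifest reaches the client over the authenticated game connection (the signing of that manifest, the analogue of the "Signed Drivers" trust root, is outside the example). The extension sources and manifest are constructed in memory; the extension names, versions and the `debug_mode` switch are made up for illustration.

```python
"""Client-side gate for UI extensions: approved, tampered, or unknown."""
import hashlib
import hmac


def fingerprint(source: str) -> str:
    """SHA-256 of the extension's source text; the value the manifest pins."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


# Constructed extension sources standing in for reviewed UI scripts.
QUICKBAR_SRC = "ui.bind('F1', lambda: ui.cast(slot=1))\n"
RAIDFRAMES_SRC = "for m in group.members: ui.frame(m.name, m.hp)\n"

# Constructed manifest, as the operator would publish it after review.
# Built here from the pristine sources so the demo needs no hard-coded hashes.
APPROVED_MANIFEST = {
    "quickbar":   {"version": "1.2", "sha256": fingerprint(QUICKBAR_SRC)},
    "raidframes": {"version": "0.9", "sha256": fingerprint(RAIDFRAMES_SRC)},
}


def classify(name: str, source: str, manifest: dict) -> str:
    """Return "approved", "tampered" (known name, different bytes) or "unknown"."""
    entry = manifest.get(name)
    if entry is None:
        return "unknown"                     # never submitted for review
    if not hmac.compare_digest(entry["sha256"], fingerprint(source)):
        return "tampered"                    # a modified copy of a reviewed extension
    return "approved"


def load_extension(name: str, source: str, manifest: dict, debug_mode: bool = False):
    """Decide whether the client runs the extension. Returns (run, note).

    Approved extensions run normally. Anything else runs only when the player
    has opted into debug mode, and then with a warning (the "nag screen");
    with debug mode off it is refused outright.
    """
    status = classify(name, source, manifest)
    if status == "approved":
        return True, f"{name} {manifest[name]['version']}: approved extension"
    if debug_mode:
        return True, f"WARNING: {name} is {status}; running in debug mode only"
    return False, f"{name} refused: {status} (debug mode is off)"


if __name__ == "__main__":
    cases = [
        ("quickbar", QUICKBAR_SRC, False),
        ("quickbar", QUICKBAR_SRC + "net.send(account.password)\n", False),
        ("minimap", "ui.overlay('map')\n", True),
    ]
    for name, src, dbg in cases:
        run, note = load_extension(name, src, APPROVED_MANIFEST, debug_mode=dbg)
        print(f"{'RUN ' if run else 'SKIP'} {note}")
```

The distinction between "tampered" and "unknown" is the part worth keeping: an extension that carries an approved name but not the approved bytes is exactly the trojan case the comment anticipates, and it deserves a louder warning than a script the operator has simply never seen.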



I have a lot of different feelings on this. I'll sum it up to this, though. If NCI (NC Soft NA) is representative of the industry, then MMOs are vastly unprepared to one day wake up and be told that their customers are exposed to a critical vulnerability.

And I mean that at all levels and at all facets. There appear to be no channels to deal with receiving an exploit. There are no channels to fix it. There are no channels to talk about it. When an exploit becomes known the company line needs to end and the human being needs to surface. You should feel a civic and moral duty to protect your customers. I *do not* see that level of maturity.

It continues into the technical domain. It would appear that the coding process is not taking the pains to see security as a goal. Compatibility issues with security features (like non-Admin accounts). No review of the security of your own code. And it would appear that when you partner with a third party company you just take them at their word. A handshake and a contract are obviously good enough to mean you'll never have a security issue.

That's not just unprepared, that's negligent.

This doesn't even delve into the customers' feelings. They will not be happy about such things. There will be privacy concerns, autonomy concerns, efficacy concerns, and technical concerns. No one likes being considered a criminal in their own home.

Is the cure worse than the disease? It certainly is for the customer when the service chooses to be dysfunctional.


From Jan 6th, The Sims 2 'viral spreading' of unwanted sim behavior through EA's SimExchange:


Two thoughts:

1) If the hardware is not under your physical control, absolute security is impossible - there *will* be breaches. The question is, how hard can you make these breaches to achieve?

Which segues nicely into

2) the support you get from the OS. As long as our virtual worlds run on a "Hackers' Paradise" OS (yes, Microsoft, that means you!), the manufacturers of those worlds are almost forced to take excessive precautions. Most of the things that NProtect offers should be offered by the operating system - a clear separation of processes is mandatory for security, and Windows is sorely lacking in that department. Especially since (as previously mentioned) most games require Admin privileges.


What would be a non-Hacker's Paradise OS?

You wouldn't seriously suggest that it would be any more secure to run under Linux? The user *has* admin privileges to their own system! Thus, forbidding the game admin privileges doesn't stop them from running the crack with admin privileges.

- Brask Mumei


I'm a huge advocate of closed systems for games :)

If you can't have that, it'd be nice if the OS made it at least hard to get at the code. I'm not suggesting other OS's do a good job there, either - but Windows makes it ridiculously easy. Even if I do not have Admin privileges.

At the end of the day, though, no commercial OS out there is focussing on malicious attacks through root/admin. (Yes, it's an extremely hard topic. But it's overdue. )

My point still stands - as long as the OS doesn't support it, the manufacturer has to build it. The harder the OS makes hacking, the less the manufacturer will be inclined to invest additional time and effort to prevent it.


Update on Kotaku:

There’s been quite a strong response to NCsoft’s decision to require anti-cheat software Gameguard to run for access to their massively multiplayer online game Lineage II...


Just yesterday I was sent a reference to a news story from Johannesburg about obsessive gamers planting trojans and worms to gain access to online game resources. Lineage was mentioned as one of the top targets.

An interesting quote from the story:

"It's sad to think that people will be so desperate to do better in a virtual world that they're actually prepared to commit a real crime. We expect to see more Internet skirmishes between rival online gamers and malicious code to assist this kind of Internet robbery in the future."

Achievers will stop at nothing to win! ;-)


Personal addendum: At 28.8 kbps, I found Valve/VU's Steam absolutely abhorrent. Four hours to download multiple patches, then another "we don't trust you" download three weeks later? No thanks. As much fun as HL2 was, I don't ever want to suffer experiences like that again.

But given the cheaters this kind of intrusiveness is probably the future. Sigh.

