funsec mailing list archives

REVIEW: "Exploiting Online Games", Greg Hoglund/Gary McGraw


From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade () shaw ca>
Date: Mon, 22 Oct 2007 10:16:10 -0800

BKEXONGA.RVW   20070913

"Exploiting Online Games", Greg Hoglund/Gary McGraw, 2008,
0-13-227191-5, U$44.99/C$55.99
%A   Greg Hoglund www.rootkit.com
%A   Gary McGraw www.exploitingonlinegames.com gem () cigital com
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2008
%G   978-0-13-227191-2 0-13-227191-5
%I   Addison-Wesley Publishing Co.
%O   U$44.99/C$55.99 416-447-5101 fax: 416-443-0948 bkexpress () aw com
%O   http://www.amazon.com/exec/obidos/ASIN/0132271915/robsladesinterne
%O   http://www.amazon.co.uk/exec/obidos/ASIN/0132271915/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0132271915/robsladesin03-20
%O   Audience i+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   340 p.
%T   "Exploiting Online Games: Cheating Massively Distributed Systems"

Shall We Play A Game?
or
Being a Review of "Exploiting Online Games" With Much Editorializing
and Extensive Digressions

Fair warning, then: this review is going to be a bit different.

Why games?  Isn't this topic a bit trivial?  After all, Hoglund and
McGraw are among the very select few who have been able to use the
"hack to protect" style work.  By examining vulnerabilities they have
created books like "Software Security" (cf. BKSWSBSI.RVW) that have
contributed useful guidance to those attempting to build more robust
and reliable programs.  Therefore, the foreword, preface, and first
chapter all attempt to provide reasons why such a book is needed.

First off, there is a very large virtual economy that interpenetrates
with the [real|cash] one.  Since gamers have started selling
abilities, "game gold," and even characters, game objects now have
cash values in the real world.  As with anything that has an
exchangeable value, the criminal world has taken an interest.  Trade
in game objects now comprises a large fraction of online frauds,
identity theft, and money laundering.  (The trojan posted at the
Dolphin Stadium Website, and others, around SuperBowl time had a
subordinate payload looking specifically for "World of Warcraft"
accounts.)

Everything that relates to software insecurity (and security) in the
online gaming environment applies (though possibly not equally) to
security in other systems.  Therefore, a book noting the security
vulnerabilities of game systems provides an introduction to system
security in general, and application security in particular.  It helps
that the gaming topic is of intrinsic interest to a number of people,
and therefore may spark interest in information security.

(Interestingly, no argument is made in the book that the existence
of vulnerabilities in the game system itself, and particularly on the
client side, may open the gamer to various forms of attack [and not
just by axe-swinging berserkers].  Loopholes in the client software
could lead to openings for intrusions, means of gaining information
about the user or system, or entry points for malware.  We have seen
numerous instances of problems associated with widely used client
software packages, such as those for instant messaging and peer-to-
peer file sharing.)

Chapter two contains a discussion of various ways of manipulating
games.  Most of these are at a conceptual level, although some are
extremely detailed, including macro and C code.  The material also
addresses some countermeasures to the cheats, and a few ways to defeat
the safeguards, as well.  Instances and examinations of the virtual
economies that have sprung up around online games are presented in
chapter three.  Given the earlier stress on the importance of the
point (as a rationale for the book itself), the content is
disappointingly thin in this separate chapter.  American copyright and
related laws (particularly the Digital Millennium Copyright Act) and
End User Licence Agreements are the substance of chapter four.

Chapter five notes a number of bugs, primarily those involving
interactions of complex functions and states of games.  Tools and
techniques for examining and manipulating client software are
described in chapter six.  There is a lot of C code, and, although the
programming is extensive, it can't be exhaustive, since the chapter
basically covers a topic to which whole books are devoted.  (Most of
the suggestions are directed at attacking the server, and, again,
there are few mentions of the risks of vulnerabilities in the client.) 
Chapter seven provides C code for programming robots to cheat at the
game for you.  The chapter seems oddly placed, since eight returns to
the topic of reverse engineering of software, and lists more tools. 
(There is also a rather comprehensive guide to basic functions in
assembly code.)  Advanced game hacking, in chapter nine, deals mostly
with the modification of clients or the creation of alternate game
servers.

Chapter ten starts off with the statement that the primary goal (of
the book) is to "understand the security implication of massively
distributed software systems that have millions of users."  That's a
worthy goal, and one that is indicated by the subtitle.  Therefore, it
is strange to note that not only is this intent omitted from the
rationale given at the beginning, but also that the topic really isn't
addressed in the text.  There are so many notions that could be
explored under that subject, such as the social engineering aspects of
working with large groups, the emergent properties that might arise
from simple functions operating in large numbers of nodes, the massive
power of distributed systems, or even the relation to the botnets that
are currently such a concern.  None of these ideas are explored in the
book or in chapter ten itself, which is simply a fairly brief review
of some decent but basic software security guidelines.

The book is, therefore, a partial success.  The introduction to the
fundamentals of software security via the gaming medium is a
potentially useful and valuable device.  The work does tend to
concentrate more on the game aspects, and less on the generic
principles, but that emphasis is not necessarily a flaw.  The precepts
are sound, and those who do become interested in security will be able
to apply them, and move on to more advanced areas.

copyright Robert M. Slade, 2007   BKEXONGA.RVW   20070913


======================  (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca     slade () victoria tc ca     rslade () computercrime org
As long as the world is turning and spinning, we're gonna be
dizzy and we're gonna make mistakes.                    - Mel Brooks
http://victoria.tc.ca/techrev/rms.htm