BKEXONGA.RVW 20070913

"Exploiting Online Games", Greg Hoglund/Gary McGraw, 2008, 0-13-227191-5, U$44.99/C$55.99
%A Greg Hoglund www.rootkit.com
%A Gary McGraw www.exploitingonlinegames.com gem@cigital.com
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D 2008
%G 978-0-13-227191-2 0-13-227191-5
%I Addison-Wesley Publishing Co.
%O U$44.99/C$55.99 416-447-5101 fax: 416-443-0948 bkexpress@aw.com
%O http://www.amazon.com/exec/obidos/ASIN/0132271915/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0132271915/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0132271915/robsladesin03-20
%O Audience i+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P 340 p.
%T "Exploiting Online Games: Cheating Massively Distributed Systems"

Shall We Play A Game?
or
Being a Review of "Exploiting Online Games" With Much Editorializing and Extensive Digressions

Fair warning, then: this review is going to be a bit different.

Why games? Isn't this topic a bit trivial? After all, Hoglund and McGraw are among the very select few who have been able to use the "hack to protect" style work. By examining vulnerabilities they have created books like "Software Security" (cf. BKSWSBSI.RVW) that have contributed useful guidance to those attempting to build more robust and reliable programs. Therefore, the foreword, preface, and first chapter all attempt to provide reasons why such a book is needed.

First off, there is a very large virtual economy that interpenetrates with the [real|cash] one. Since gamers have started selling abilities, "game gold," and even characters, game objects now have cash values in the real world. As with anything that has an exchangeable value, the criminal world has taken an interest. Trade in game objects now comprises a large fraction of online frauds, identity theft, and money laundering.
(The trojan posted at the Dolphin Stadium Website, and others, around SuperBowl time had a subordinate payload looking specifically for "World of Warcraft" accounts.)

Everything that relates to software insecurity (and security) in the online gaming environment applies (though possibly not equally) to security in other systems. Therefore, a book noting the security vulnerabilities of game systems provides an introduction to system security in general, and application security in particular. It helps that the gaming topic is of intrinsic interest to a number of people, and therefore may spark interest in information security.

(Interestingly, no argument is made in the book that the existence of vulnerabilities in the game system itself, and particularly on the client side, may open the gamer to various forms of attack [and not just by axe-swinging berserkers]. Loopholes in the client software could lead to openings for intrusions, means of gaining information about the user or system, or entry points for malware. We have seen numerous instances of problems associated with widely used client software packages, such as those for instant messaging and peer-to-peer file sharing.)

Chapter two contains a discussion of various ways of manipulating games. Most of these are at a conceptual level, although some are extremely detailed, including macro and C code. The material also addresses some countermeasures to the cheats, and a few ways to defeat the safeguards, as well. Instances and examinations of the virtual economies that have sprung up around online games are presented in chapter three. Given the earlier stress on the importance of the point (as a rationale for the book itself), the content is disappointingly thin in this separate chapter. American copyright and related laws (particularly the Digital Millennium Copyright Act) and End User Licence Agreements are the substance of chapter four.
Chapter five notes a number of bugs, primarily those involving interactions of complex functions and states of games. Tools and techniques for examining and manipulating client software are described in chapter six. There is a lot of C code, and, although the programming is extensive, it can't be exhaustive, since the chapter basically covers a topic to which whole books are devoted. (Most of the suggestions are directed at attacking the server, and, again, there are few mentions of the risks of vulnerabilities in the client.) Chapter seven provides C code for programming robots to cheat at the game for you. The chapter seems oddly placed, since eight returns to the topic of reverse engineering of software, and lists more tools. (There is also a rather comprehensive guide to basic functions in assembly code.) Advanced game hacking, in chapter nine, deals mostly with the modification of clients or the creation of alternate game servers.

Chapter ten starts off with the statement that the primary goal (of the book) is to "understand the security implication of massively distributed software systems that have millions of users." That's a worthy goal, and one that is indicated by the subtitle. Therefore, it is strange to note that not only is this intent omitted from the rationale given at the beginning, but also that the topic really isn't addressed in the text. There are so many notions that could be explored under that subject, such as the social engineering aspects of working with large groups, the emergent properties that might arise from simple functions operating in large numbers of nodes, the massive power of distributed systems, or even the relation to the botnets that are currently such a concern. None of these ideas are explored in the book or in chapter ten itself, which is simply a fairly brief review of some decent but basic software security guidelines.

The book is, therefore, a partial success.
The introduction to the fundamentals of software security via the gaming medium is a potentially useful and valuable device. The work does tend to concentrate more on the game aspects, and less on the generic principles, but that emphasis is not necessarily a flaw. The precepts are sound, and those who do become interested in security will be able to apply them, and move on to more advanced areas.

copyright Robert M. Slade, 2007 BKEXONGA.RVW 20070913