The gaming segments we worry about for security…

Posted in Uncategorized on October 27, 2010 by Will

So I was doing my talk at GDC Online this year.  I think I had a pretty good turn out.  As I was answering questions after my talk, I came to the realization that everyone has different concerns about the same questions.  It seems to me that these concerns can be broken down by game type.  Each group has different groups of users, so I’ll try to break them down as I dig into these in later posts.

Free/Social Gaming – Games that make money mainly by advertising or other marketing means.  In some cases these games can even be seen as completely free.  They are usually seen on social web sites and flash gaming sites.

Free to Play – Generally these are games where you pay to get the upgrade for gear or phat lewts or to be powerleveled or some other legal speed up.  Sometimes these games border on the Freemium line by offering access to new zones and areas only if you buy them.

Freemium – Very similar to the Free to play games, these games will generally allow for the most of the same things that free to play games have.  They generally attempt to move users towards subscription based modes.  There is also a reverse Freemium where the user buys the title and only pays for expansions by buying them.  Generally there is no reoccurring revenue, unless the user buys the expansion (I’ve seen people call this free-to-play too, guess it’s just a matter of personal choice).

Subscription – These are our traditional business models.  Users pay to play and usually pay monthly.  These are still the holy grail of online games.  I’m pretty sure publishers only move to free-to-play/freemium if a title didn’t do as well as they hoped and are trying to drive more people to come and try the game.

So I will dig into these a bit more I hope as I have time.   We will take a look at the user populations and challenges facing each model for security.  There are some interesting problems and questions that come up all the time and are very similar but have very different answers for each model.

E3 2010 Day 2

Posted in General on June 16, 2010 by Will

Second day and at the south hall. Booths are much bigger here. Pics are updated and linked.

Intellectual Property and I.C.E.

Posted in Gaming Security on June 15, 2010 by Will

So day 1 of E3 is here. I really didn’t expect to see any security related booths, nevermind find one outside the show hall, but lo and behold the U.S. Government provided me with one. Right in the front of hall 1 there was a small booth where a nice Agent was kinda enough to entertain some of my “pre-E3 Expo floor opening” questions.

ICE Booth

I.C.E. stands for U.S. Immigrations and Customs Enforcement, interesting how they are involved with the handling of IP rights. From what I could gather this group investigates claims presented to them in one of 2 ways. Either A) one of their agents happens to come across it some how or B) a report is filed by a company that is actively trying to protect themselves. Obviously their biggest clients right now are the RIAA and MPAA. They investigate all kinds of IP rights claims, everything from Digital to Physical products. They perform some investigation work, but most of the digital investigation is handled by another department. After the investigation is finished this department handles the prosecution and all the other legal stuff.

There are 2 things I found interesting while chatting with the Agent. First was that they don’t perform any real preventative services yet and secondly they investigate claims of user fraud and account stealing also.

For the first point, I find it interesting that they don’t go out and actively try to help companies protect themselves from being stolen from. Instead they are more of a reactive group. They wait for the crime to be committed and then go and find out what happen. At these trade shows they do a little bit of speaking about how to report the crimes, but not very much about how to protect your company from being attacked. It seems like it would make sense to actually have the government help prevent the attacks in the first place too, but that’s probably pretty expensive.

The second point was interesting because I didn’t think the U.S. had reached the same points the rest of the world was at regarding the User and it’s property. Now don’t get me wrong here, they are not investigating actual users, instead they will investigate big groups of users that have been hacked and then bring the hackers to justice.

It’s good to see that the US is keeping pace with the rest of the world when it comes to IP rights, the agent mentioned a few times that he their team is relatively small, so lets see if we can help them out by reducing the IP that can get stolen.

E3 2010 day 1

Posted in General on June 15, 2010 by Will

Pics of the first hall and the booths outside of the halls.  I’ll figure out how to update the text on the pictures soon.

Current Gaming Security Topics (part 6, End to End Security)

Posted in Gaming Security on June 14, 2010 by Will

Ok, the plane is getting close to landing and I’ve typed a ton of blogs (I’ll schedule them to post over the next 2 days). This is my last one before hitting the show floor.


Antivirus, Secure Socket Layers, Authentication, Encryption, Memory dumps and so many more problems and technologies to combat them. It’s an interesting time in the Security market, authentication companies are being gobbled up by the bigger Security giants out there. As these markets collide we start to see new requests from our customers, “End to End Security”. Generally this is the ability to string all of the different security programs and needs together into one package. There are certainly some benefits to this but there can be some pitfalls too.

The benefits are that as an end user I can have a one stop shop for all their perceived security needs. Tokens with Antivirus and Certificates on them. It sounds great. I’d probably look at it, but in the end I’m probably going to go with separate providers.


Hmm as I am writing this I’m trying to figure out my point and how it relates to the online gaming space.


The main thing for me is that I don’t want all my eggs in one basket. But do our players really care? As I mentioned in my children security post, I’m pretty sure my kids would go on and play games even if they had to get everything from one provider. I’m also pretty sure that if the technology made it any harder for them (such as having to install software or requiring admin access for it) they would simply move on to the next game. I’m pretty sure this is what we would see from all demographics too. So what does End to End security get us?

I think End to End security is till too new to figure out if our users are ready for it. Our games are trying to have less hurdles to being played and by implementing End to End security we might be defeating ourselves. It still seems like the holy grail, but I think I need to sit back and watch it evolve a bit more before I make any major comments on it.

Current Gaming Security Topics (part 5, Code/IP Protection)

Posted in Gaming Security on June 14, 2010 by Will

Who can forget the code leaks and rogue servers out there. There were some big ones just last winter. Are we doing everything we can to protect our property? Most of us use card readers to get into our buildings, and tokens to get into our VPN’s, what’s interesting is that most of the developers out there still only use username and static password to login to our CVS or Codebases.

I’ve met with a number of smaller developers out there and the impact to them appears to be even greater than the impact to bigger development houses. A rogue server or two out of 10 or 20 certified servers doesn’t make that big of an impact, but a rogue server when you only have 1 or 2 certified servers with 100k users could make a huge impact.

The technology has always been the hurdle here. It’s usually not that people don’t want to use advanced security, it’s just that the types of technology used can be cumbersome and may hinder creativity rather than help it. The last thing we want is for a developer to stop using our change server just because it takes to long for him to login to it. As soon as that happens we end up with random bits of code in all kinds of locations that are easily stolen.

Most technology introduced here has been PKI (public key infrastructure). PKI has all been bulky with all kinds of overhead (including servers and servers and servers, oh and the certificates themselves). We have started to see that PKI has advanced quite a bit over the years as it quietly got more and more refined. Today’s PKI is a far cry from PKI used in the early 2000’s.

Over the last year I started to see a resurgence of PKI being used across markets and honestly it’s much more integrated than it has been for years. Most development tools can use certificates for encrypting code natively and most change control applications allow for certificate authentication. With a USB device that means that as long as the developer has the device, he can work more securely without even thinking about it.

While PKI is certainly poised to offer many benefits to source/IP protection, it can still be a costly option. OTP is still an option that can be used for this problem. OTP has it’s own technology hurdles in this space too. Most of them have to do with compatibility with the applications that need them. Over the last few months I have certainly seen some of these applications actually start to add OTP options to their products. I can only assume that this is a growing trend too.

For a few years now we have seen a number of hybrid devices on the market that allow for PKI and OTP. The issue in the past has certainly been drivers and operating systems and the quality of the devices (focusing on 2 components instead of just one seems to make certain smaller manufacturers reduce the quality of the devices). As some of the major token providers start to enter this space, we are seeing that the quality of the devices and the software drivers are becoming less of a problem. Along with the quality and software increasing these major manufacturers are bring the cost to implement the hybrid devices down too.

It appears that now is the time to start investigating these solutions and planning for implementations. Gamers shouldn’t have to live with rogue servers and publishers shouldn’t have to worry about the impact stolen code has on them. Products are ready, so now lets get the developers on board.


Current Gaming Security Topics (part 4, Hosting Security)

Posted in Gaming Security on June 14, 2010 by Will

There are some great hosting company’s for online gaming. Some of them take care of everything from the engine to the payment processor to the delivery systems. They are the one stop shop for a publisher to get their game on the internet quickly and efficiently. I have yet to hear of one being hacked. That being said, most publishers are still only authenticate using a standard username and static password.

As we see the adoption of more advanced security in online games we start to forget that it’s not just our users that we need to protect. Developers generally use usernames and passwords to access their VPN’s, as do most of these hosting facilities. So it’s not that far a leap to getting our publishers to use devices to login and perform actions with the hosting providers. Some already have this option available, some are still weighing the benefits.

When I started with VASCO our major market was/is banking. In the US, banking means corporate banking, retail banking is still a little ways off. Most banks utilize application providers for their banking systems (such as Wire Transfers, or Bill Pay, or Payroll, etc.). For our US team it was a natural fit to have the application providers utilize us for their customers, the banks. We see a lot of synergies between these application providers and the online gaming hosting providers.

The major hurdles have been:

  1. Cost
  2. Interest


Cost is always a major hurdle when implementing security. Security is basically seen as, “if I implement it I will probably save money, but I’m not sure how much money”. So generally as a cost saving mechanism. Retail gaming has proven that money can be made off marketing on the devices, but generally hosted games do not have the unique market following that the big names do. The cost savings in a space that really doesn’t seem to have been hacked yet seems more like insurance than security. There are many cost models that will work here, but if we start to see problems in this part of the market, I expect that security will simply be implemented regardless of the costs.

That brings us to the second major hurdle, interest. There doesn’t appear to be many publishers asking for additional security. I think this is because of 2 things, one the publishers haven’t been hacked, and two they aren’t aware that hackers could be waiting to pounce on them. I’ve spoken to many of the hosting providers out there and I’ve heard from just about each of them that they are only asked once in a great while if they have additional security for the players. It appears that the publishers are more interested in protecting their users than protecting themselves. This is great news for the online gaming users, but a potential pitfall for the publishers.

I read a bunch of my fellow security bloggers out there and they appear to be seeing the same trends. It’s interesting to think that hackers just haven’t made the jump to these platforms yet. They apparently don’t read the same blogs I do.

As I am at E3 this week I will continue to build a list of hosting providers that are using advanced security for their publishers and/or gamers and then I’ll come back and see if I can make a quick list.