Current Gaming Security Topics (part 5, Code/IP Protection)

Who can forget the code leaks and rogue servers out there. There were some big ones just last winter. Are we doing everything we can to protect our property? Most of us use card readers to get into our buildings, and tokens to get into our VPN’s, what’s interesting is that most of the developers out there still only use username and static password to login to our CVS or Codebases.

I’ve met with a number of smaller developers out there and the impact to them appears to be even greater than the impact to bigger development houses. A rogue server or two out of 10 or 20 certified servers doesn’t make that big of an impact, but a rogue server when you only have 1 or 2 certified servers with 100k users could make a huge impact.

The technology has always been the hurdle here. It’s usually not that people don’t want to use advanced security, it’s just that the types of technology used can be cumbersome and may hinder creativity rather than help it. The last thing we want is for a developer to stop using our change server just because it takes to long for him to login to it. As soon as that happens we end up with random bits of code in all kinds of locations that are easily stolen.

Most technology introduced here has been PKI (public key infrastructure). PKI has all been bulky with all kinds of overhead (including servers and servers and servers, oh and the certificates themselves). We have started to see that PKI has advanced quite a bit over the years as it quietly got more and more refined. Today’s PKI is a far cry from PKI used in the early 2000’s.

Over the last year I started to see a resurgence of PKI being used across markets and honestly it’s much more integrated than it has been for years. Most development tools can use certificates for encrypting code natively and most change control applications allow for certificate authentication. With a USB device that means that as long as the developer has the device, he can work more securely without even thinking about it.

While PKI is certainly poised to offer many benefits to source/IP protection, it can still be a costly option. OTP is still an option that can be used for this problem. OTP has it’s own technology hurdles in this space too. Most of them have to do with compatibility with the applications that need them. Over the last few months I have certainly seen some of these applications actually start to add OTP options to their products. I can only assume that this is a growing trend too.

For a few years now we have seen a number of hybrid devices on the market that allow for PKI and OTP. The issue in the past has certainly been drivers and operating systems and the quality of the devices (focusing on 2 components instead of just one seems to make certain smaller manufacturers reduce the quality of the devices). As some of the major token providers start to enter this space, we are seeing that the quality of the devices and the software drivers are becoming less of a problem. Along with the quality and software increasing these major manufacturers are bring the cost to implement the hybrid devices down too.

It appears that now is the time to start investigating these solutions and planning for implementations. Gamers shouldn’t have to live with rogue servers and publishers shouldn’t have to worry about the impact stolen code has on them. Products are ready, so now lets get the developers on board.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: