OWASP Security Assurance Testing of Virtual Worlds Project

Posted in /home/MMORPG, /home/research on March 8th, 2010 by Rick Zhong

Finally I decided to give it a push and placed this part-time toy project on a bigger stage. I have registered this project with OWASP and I am pleasantly surprised by the level of support and encouragement from the OWASP folks. So here it goes - OWASP Security Assurance Testing of Virtual Worlds Project.

This project aims to create a systematic and structured security framework for Virtual Worlds users (the gamers), third-party testers and developers. We already have very good security frameworks for generic application security (such as the OWASP Testing Guide); it’s time to zoom in on a specific category of application, in this case the Virtual Worlds created by various MMORPGs (Massively Multi-player Online Role Playing Games). If you ask me why I chose this specific type of application, I will say that I have this vision that one day, or even in the near future, virtual worlds will be an extension of the real world. They will be just like independent nations with their own economies, laws and regulations, political systems and social structures. A very simple example is that we may see virtual currency come into real-world FX trading - we may see currency pairs like USDLID (LID -> Linden $ currency in Second World) or USDISK (ISK -> currency in Eve-online). This is definitely very exciting stuff and worth the effort from all of us.

Lastly, to quote a paragraph from Steve Jobs’ convocation speech (Stanford) -

“You can’t connect the dots looking forward; you can only connect them looking backwards. So you have to trust that the dots will somehow connect in your future. You have to trust in something - your gut, destiny, life, karma, whatever - because believing that the dots will connect down the road will give you the confidence to follow your heart, even when it leads you off the well-worn path, and that will make all the difference.”


Information Security in Virtual World

Posted in /etc/IT_security/news, /home/MMORPG, /home/research, /research/hacking_penetration on July 8th, 2008 by Rick Zhong

Recently we have seen rapid growth of information security topics in virtual worlds, typically relating to MMORPGs, both good and bad. For example, World of Warcraft is getting bank-like security while Game Trojans outscore Storm worm. It has been almost a year since I kicked off my part-time hobby research project on MMORPG security. The progress is rather slow but I am really enjoying the exploring process. It’s really amazing to witness the evolving process of all the virtual worlds. Here are a couple of MMORPG security discussion topics I have raised among the local infosecurity interest groups.

Based on the current trend, more and more MMORPGs are no longer just “games”; they are becoming a special type of social community. There is a newly published research survey from CNNIC (China Network Information Centre). The majority of users consider the virtual world a community and have a sense of identity and belonging.

Fig 1. The meaning of a MMORPG to users


Fig 2. What are the factors of an MMORPG most valued by the users


This change in users’ perception of MMORPGs also reflects the growing importance of information protection in the virtual world and reminds the gaming industry to take it very seriously.


Eve-online Client Source Code Leaked, but “No Risk” According to CCP

Posted in /etc/IT_security/news, /home/MMORPG on May 19th, 2008 by Rick Zhong

Crowd Control Productions (CCP) has had its Eve Online client code hacked and mass distributed via torrent. Here’s the Official CCP statement on the incident:

We are aware that an individual claims to have access to the source code of the EVE client, but this access is not a security risk to CCP or our customers in any way. The Python scripting language that is used by the client can be easily decompiled to generate readable code, and we have designed our server-side systems with that understanding. Therefore, there is no reason to believe that the code was leaked by an employee and our internal investigations confirm that.

Access to the source code for the EVE client exposes no security vulnerabilities, has no privacy protection issues, and poses no threat to our customers’ billing information. The server-side interface used by the client is carefully protected to ensure that no abusive or unwanted information is transmitted to or from the EVE system.

Nothing the EVE client can do can affect the game state, a manipulated EVE client cannot affect the server, no advantageous or disadvantageous information can be transmitted to other EVE users by altering the EVE client. The EVE client is signed with a security certificate registered to CCP. Hashes are available on our web site for those who wish to ensure the integrity of EVE client download files they may have received from a source other than direct download from CCP’s web site.

Finally, there have been no mass bannings, as reported in some news articles, though we do remove all message board posts regarding violations of our EULA and Terms of Service as per standard policy and procedures. We consider any alterations of the client software, including decompilation, or discussions thereof, to represent such a violation.

Let’s just cross our fingers and pray that EVE-online was truly developed with server-side security in mind and follows the principle of “Whatever client-side submitted is unreliable”.
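The server-authoritative principle above, sketched as an added example (not CCP's code and not part of the original post): the handler reads only the item and quantity from the client message and takes identity, price and balance from server-held state. All names (`handle_buy`, `PRICES`, `Account`) and the sample requests are constructed for illustration.

```python
from dataclasses import dataclass, field

# Server-held price list, the only source of truth for prices (constructed data).
PRICES = {"frigate": 500_000, "ammo": 100}
MAX_QTY = 1000

@dataclass
class Account:
    balance: int  # kept on the server, never taken from a client message
    hangar: dict = field(default_factory=dict)

class Rejected(Exception):
    """Request refused; server state is left unchanged."""

def handle_buy(accounts, session_user, msg):
    """Apply a buy request, reading only 'item' and 'qty' from the client message."""
    item, qty = msg.get("item"), msg.get("qty")
    if not isinstance(item, str) or item not in PRICES:
        raise Rejected("unknown item")
    # bool is a subclass of int, so rule it out explicitly.
    if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
        raise Rejected("bad quantity")
    account = accounts[session_user]  # identity comes from the authenticated session
    cost = PRICES[item] * qty         # price comes from the server, not from msg
    if cost > account.balance:
        raise Rejected("insufficient funds")
    account.balance -= cost
    account.hangar[item] = account.hangar.get(item, 0) + qty
    return cost

def demo():
    """Replay constructed requests, three of them from a modified client."""
    accounts = {"alice": Account(1_000_000), "bob": Account(150)}
    requests = [
        ("alice", {"item": "frigate", "qty": 1}),             # unmodified client
        ("bob", {"item": "frigate", "qty": 1, "price": 0}),   # client-supplied price
        ("bob", {"item": "ammo", "qty": -5}),                 # negative quantity
        ("bob", {"item": "ammo", "qty": 1, "user": "alice"}), # client-supplied identity
    ]
    results = []
    for user, msg in requests:
        try:
            results.append(("ok", handle_buy(accounts, user, msg)))
        except Rejected as exc:
            results.append(("rejected", str(exc)))
    return results, accounts

if __name__ == "__main__":
    print(demo()[0])
```

The extra `price` and `user` fields change nothing because the handler never reads them; the last request is charged to bob's own account.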


I am an EVE-online player.

Posted in /home/MMORPG on May 4th, 2008 by Rick Zhong

I can consider this my first MMORPG game which I really pay for and play. I have touched quite a number of MMORPG games before, but most of the time I was just trying out the game and usually would dump it after the trial period. But EVE-Online is different and it has all the factors which attract me and make me hooked - futuristic Sci-Fi, stars, planets, spaceships, weapons, equipment, fleet fighting, fabulous graphics, strategic planning etc. Those are the things which I have loved since I was young and EVE-online has them all. My char in Eve :)

My character in Eve-online