Anet's GW: a (relatively) secure MMORPG

Hi there,

An interesting read for anyone that is knowledgeable in software&security (be careful, some information could be seriously misinterpreted if you're not familiar with this):
http://www.securityfocus.com/columnists/461/4

What's striking (well, not so much if you thought about these questions before) is that Anet's design of GW is pretty solid against these "first line of attack" threats, since the (untrusted) client contains nothing of value. The problem of software bugs is inherent to any software (unless it's been coded following formal methods) But GW immediately releases patched code transparently to all clients anyway, and that is a huge improvement.

On the other hand, any superior design will bring about new threats and a "second line of attack": botting, spamming and duping. I believe that even on this front, Anet's doing an excellent job, banning daily these scammers, though some "false positives" have probably caused some pain in legitimate users.

I've been happily surprised by Anet's reaction to mods and GWLP, which is very mature (don't disallow it until you've got reasons to believe it'll harm your business model). That's the kind of decision that comes from a deep and correct understanding of software security as a whole (cracking the code on the client and interface side is ALWAYS possible technically, but it's rather a matter of law after the point where it's been broken).

One aspect I'd like to see improved in GW2 is the use of crypto. From what I've read on the creation of GWLP, it seems that the symmetric key was obtained fairly easily, which means that communication could be compromised fairly easily (which will probably not give an advantage to anyone, apart from preventing people to connect to the game, or possibly add some lag to their connection?).

Well, now feel free to share the info you've got on GW design in this thread.

P.S.: (an old) bad news for Blizzard(-Activision) which makes you happy as a GW/Anet customer:
http://www.rootkit.com/newsread.php?newsid=371

I'm wondering why people are having hundreds of armbraces?

What a brilliant point you're making (I, too, can use irony as a method for answering without really answering). I'm wondering why people have been banned for selling and buying armbraces?

It's (relatively) secure. Anyone who knows about programmin languages, compilers and OS architecture knows that bugs can't be avoided. The create vulnerabilities that can then potentially be exploited to do bad things. A buffer overflow in the client can crash your game (no pb with GW's architecture, there's no critical info in the client) but a buffer overflow in the server will enable duping. And software engineers know that buffer overflow is not the most complicated problem.

There are times where you wish that people would weight their words against "silence" (not posting these words). You're entitled to your opinion, but when your words express next to nothing, we're walking backwards.

Relatively secure.

Where does that place GW among other online games?

What is the most secure game?

Quote:

Originally Posted by Onarik Amrak What is the most secure game?

Auto Assault
kekeke

GW and WoW are not mutually exclusive, I play both. So the warden can see if I'm browsing porn, big deal. It still can't read secure data and who checks their bank account while playing an online game anyway? That looks pretty old , seeing as the subscription figures for WoW are double that now.

Well, thanks to its server-oriented design, it's ahead of the pack. See the article in my original post.

I'd be interested to know if WoW has many bugs of the first (crash, glitch) and second (bot, duping) types.

Yeah, that point is roughly discussed in the discussion attached to the article. It still is a breach of trust (Warden should have been mentioned from the start), though that does not mean you shouldn't be playing WoW. Problems can happen if other programs read the info that Warden has, but I'm unsure if this possible or hasn't done before?

On the first, not for me. Never crashed once, never had a major glitch other than the usual clipping that seems to be par for the course with all MMOs. Also it now has multi processor support, so I don't have to put up with it crashing on a quad core machine (which GW does a lot).

On the second, riddled with 'em probably. There's certainly at least one lvl 1 Orc gold seller in Orgrimmar every time I go there.

It's an irritating price that comes with success.

Not sure how it was brought in initially, but I'm pretty sure when I installed it came up as a separate part of the 'push Agree to play' screen, maybe someone else can confirm that. When you agree to the EULA in WoW you have to scroll to the bottom or the button is greyed out. People can always decline, though why they're surprised when they can't log in afterwards I'll never know.

Don't you mean Fury?

kekekeke

I think GW has a good basis.
Created by the minds behind battlenet, they aimed to create a secure, bandwidth efficient architecture.

...
In a world were personal liberty is surrendered left right and centre in the interests of "counter terrorism", draconian 1984-esque governments, and general corporation data-mining, it concerns me that you have such a blasé attitude towards data protection.

Game companies monitoring background exes, sony music software installing rootkits, what's next?

Dogs installing cameras to make sure you don't fraternize with the Black Lab next door? (It's the only logical next step)

Rights to privacy are becoming more flimsy each year...

there will always be bug in game, just the nature of the beast. But it always seemed to me that anet never reallly has a good rep with the bug fixes. There are numerous examples, for instance, the even growing list of typos, i would assume would be easy to fix. Or the fact that when favor is lost, it still has two messages. These might be minor, but when it major issues, anet just is completely off the ball. The duping event only was stoped after players submited the method to them on a silver plater. In the bug fixed part, I feel anet needs to improve.

the irony is it runs on Microsoft Server 2003 or 2005

a lot of things are underground so you won't find about them until it is too late.

GW's architecture is inherently more secure than any other current MMO that I know of. However, being the "minds behind battlenet" is definitely NOT a positive credential for having good security. As any player of D2 will tell you, battlenet's security initially resembled swiss cheese (and the WoW players will tell you that it's still not too great). If anything, the evolution from b-net to a-net is best described as "learning from your mistakes."

I could not possibly agree more. If one are not deeply troubled by recent erosions of privacy, that can only be because one is ignorant of what is going on.

For the sake of those who wish to educate themselves:
I think the book plugged by the article OP links to describes addresses the narrow field of spyware from PC games (though I have not myself read it).
To learn about the problems with private-sector privacy violations, particularly corporate data mining, and the problems with the legal system failing to adapt to them, I strongly recommend The Digital Person by Daniel Solove.
The full extent of governmental invasions of privacy is both disturbing and classified, and I know of no source which discusses them adequately.

Can't be done.

If client is to make use of data sent by server, it needs to be able to decode the traffic completely. As such, client has full knowledge of how to decode data - and client is available to all.

Encryption is just a minor hassle and never the strong point when both parties possess both, the algorithm and the keys. It's a deterrent, not prevention.

Most commonly, encryption is more useful for client detection and data integrity check, not that much as a prevention measure.

Consider texmod - textures can be completely encrypted with military grade algorithms, but texmod listens to data sent to graphics card (which cannot be encrypted). In the same way, if network traffic were too encrypted, people would just run the client, and read data directly from memory, once the game has decoded it.

It doesn't. Just the SQL database, the rest is custom code.

As of a recent upgrade, it can do that too. It doesn't currently, but it's capable of doing that. It's even possible for it to take a screenshot on a remote request.

What's worst, it's potentially possible to hijack the warden by a third party hacker, who can then use it as a back door. But I'm not sure how far people have gotten with that.

Windows sending a list of installed software (including all the licenses or lack of them), movies and mp3s you have to Microsoft's servers once a day, and shutting down the system remotely if they choose? Although I hear they increased the interval to 2 weeks now. Apparently some people complained about that antiquated thing called privacy.

But yea... Big brother is watching right now.

Yes! You can't hurt something thats already dead, or in this case, youcan't hack a game that's really, really bad, oh and offline.

Rip AA may the industry learn from your wrongness.

I had a talk with Greg [Hoglund], as a reverse engineer myself, a little while back and as an aside we talked briefly about his research for the book. He's a smart guy and if you ever have a chance to talk to him about it you should (if you're interested in that field). I'd also recommend picking up the book as it's a good piece in relation to games, not just in making or breaking them, but in realizing what you (as a customer) have at stake in the whole thing.

As far as the crypto, yeah you're pretty right there. I'm not on the GWLP or have anything to do with them, but the initial 64-byte pre-expansion key is sent across in the clear from the client to the server. The algorithm is textbook RC4 once you take a close look at it in the code, but they don't use typical RC4 key expansion to build the 256 byte state table used in the algorithm. I'll side with the GWLP team on this one and not reveal anything more about the expansion (which you need to know in order to use the pre-expanded key and communicate with a server), but any reverse engineer, even a hobbyist can figure it out. I think it's more or less to deter some and provide an inconvenience to others, but ultimately nothing is fullproof.

Sure it can. Go read up on asymmetric encryption. You could, if you so choose, design a system where (1) the key needed to encrypt from-the-server data is not present in the client in any form, (2) the key needed to encrypt data from-user-X is only present on user X's system, (3) the key needed to decrypt data intended for user X is only present on user X's system, and (4) a third party would have a heck of a harder time decrypt an intercepted message than RC4.

"Bravo" to that message, it is indeed the revolutionary fight of the 21st century. I know that some company are trying to biggy-back this problem onto the law, which itself has been "infiltrated from the inside" (see the use of the Antiterrorism Act in the UK, it's first been used by Blair to: throw out an old man who expressed politely his disgust at Blair's policy at the Labour's yearly meeting in Brighton, prevent 2 women to protest in front of a US military base in the UK ... is that terrorism? ... I'm not even mentioning the "terror raid" on the 2 muslim guys that were completely innocent, because it would take us off the track completely ...)

Believe me, the technical problem of security becomes less and less of a problem, it's rather more of a problem of trust, going even into politics and finally philosophy. And on that point, I think Anet is doing a better job than the rest of the pack, because of their business model (see the corresponding thread) and their customer relationship (we feel closer to them with people like Gaile on the forum and knowing that devs read some of the threads... I even proposed an idea in the Sardelac Sanitarium and discovered after a while it was implemented in the game!).

To be honest, I was being more flippant than I was blasé. But no, I don't really worry that much about the Warden as there are far more harmful ways to expose personal information out there than this. At least with software you have an option not to use it, sadly the same is not true about information the government holds - or in the case of the UK, loses with frightening regularity just lately. And yes, my data was on one of those errant CDs recently.

For example, I wonder how many people are aware that up until earlier this year there were no safeguards in place for people at risk of violence who requested to be kept off the electoral roll for personal security reasons. Having gone through the process of trying to keep that information private I had been threatened with prosecution by one council. Yet when I moved to a different area the new council allowed people in certain circumstances to use a postal vote to retain their privacy, but this was a discretionary move that particular council. I later decided to go back on the ER anyway so it turned into a moot point by the time the legislation was pushed through.

I'll look into that then, but I have to say that I still wouldn't be looking at sensitive data while playing online. With regards to hacking, if that did start happening I'd imagine Blizzard would jump on it pretty quickly as it doesn't benefit their business to leave holes that can be exploited easily.

"Potentially" and "capable" does not necessarily mean it will happen. I could have a big stick and be capable of smashing it over your head, doesn't mean that I will do it though.

This is the ONLY way, there's a limit to the anount of proactive protection you can put in place (it's the theoretical knowledge of the threat that you have at a given point in time). The rest is "defense in depth" and you have to prepare yourself to react to any exploits and patch the vulnerabilities.

Security IS an arms race, where the "good guys" (whitehat people) try to catch the "bad guys" (blackhat people) that are constantly trying to break systems, using innovation (there are some initiative in different places to create innovative security where you basically expand penetration testing into vulnerability discovery but it's only beginning).

So learning from your mistake is the best option you have.

No, the book goes beyong that. I haven't read it (yet) but the author mentions chapters on the law for example (see one of the link at the end of the article on another securityfocus article on WoW bot-lawyers).

Thanks for the reference. I also attended recently a talk by Susan Landau which mentions plenty of US (and UK) affairs of this kind. She co-wrote (with the super famous Whitfield Diffie who created so many concepts in cryptography) a book:
Privacy on the Line: The Politics of Wiretapping and Encryption

The Electronic Frontier Fondation (EFF) is also a great place to look at:
http://www.eff.org/

Yeah I know perfectly well. And you're wrong, it can be done but the most flexible ways to do that require very expensive technologies. There are easier ways (shared secrets, which is easier to do with a physical CD than when buying GW from the online store) but they are less secure. And if you re-read the article, it mentions the interesting point of "untrusted code" and next-gen OS (of which the first is Linux) will probably the ability to run code in trusted and untrusted modes (don't let Warden run as trusted or you're giving away all your rights to Blizzard!). Vista already has the integrity levels (I think they're called). But, well, until there's a solid PKI at an affordable cost behind all this, I agree that it's not much.

It's not about the possibility to do it, there were proposals for example to extend the PCI-E protocol to allow for full encryption on video cards. There are prototypes of in-memory encryption but the problem is that it's a can of worms. It's all about affordability of these solutions, and until the thread becomes a lot bigger (let's hope not!), this won't happen.

If you have the reference to an article on that, I'd be interested to have it (couldn't find the article mentioning Microsoft Visual Studio and SQL that was mentioned here before).

References for these 2 points? (I seriously doubt the 2nd one)

Awesome, he looks like a great guy and I will order his book.

I think that the computing world has become so complex and complicated that it's given rise to a new "race" of engineers, like you. We've reached a point where "forward programming" is done so hastily sometimes that "reverse engineering" is the only way to reveal the problem. GJ CyberNigma

Yeah, but in the world of computing, at least Anet got it right from the get go. I've seen so many stupid design of the key management (look, my software is secure because I use SHA-1!...) that it feels good to have this basic thing right. I'm wondering if WoW has a basic integrity check of this sort.

It'd be interesting to have comments from guys of the GWLP project, but I'm pretty sure they're overloaded with work to do and possibly already in contact with Anet (not sure about that).

I personally believe (yeah, I work in the field of Trusted Computing, deemed as the root of all evil because it's been associated with Wintel and DRM) that in the future we, normal lambda users, will have our set of key pairs and we'll be able to reliably specify what software is "trusted" on our platform. The real problem then becomes "how do you trust the key from that GW player you know nothing about?" which is dealt with Certification Authorities at the moment (and I don't like the current trust model, where the basic values you use to make your decision are the trust values between your CA and their CA).

I think we're talking Star Trek computing science here, it'd be nice but it won't happen like this. As Jean-Luc Picard would say, Engage!

You should. No offense to our US-ians fellow players, but since the US doesn't have strong privacy laws, contrarily to Europe, companies can do a lot more things than we can. And WoW/Blizzard (GW/Anet also!) is an US-ian software. To disable Warden you'd have to stop playing Wow.

Well, if it's on the last one and you take the driving test, this was a vulnerability that lead to probably no exploit (no very sensitive information). And these affairs are NOT about government policies, but about government mishandling of security and (most importantly) the lack of training of public servants. Things are improving, believe me, there was a time when they could have sent the information using Outlook express ...

Don't treat these affairs like anything else than a "bug" (the most famous case is TJX in the USA, we're amateurs . People will get the blame, public servants will be trained and we'll move to the next (real) threat.

Much better point here! Congrats on your efforts, it's good to know that some people are still trying. IMHO the "anglo-saxons" (no offense, I live and like the UK) have a lot to learn from the French. In France there are very strong (sometimes too strong, it causes lenghty procedures and deadlocks) privacy laws, each company dealing with private information has to register to a national agency and there are regular controls (unfortunately, France also voted this year a DRM-made-easy law and I still don't understand why).

From what I read on WoW, it seems that there's an enormous gold-selling industry. In particular in China where the government is attempting to pass a law to limit the time spent in front of MMORPGs. So are they exploiting bugs, or simply over-farming?

Actually it was the first reported data loss, the one connected with Standard Life insurance. But yes, I see your point, the analogy of it being a 'bug' is a sound one.

Edit: btw, no offence taken. At the end of the day, while yes it's true that I am largely ignorant of some of the data issues mentioned with regards to software, I am concerned about legislation and the way our data is handled by the government. In particular ID cards, biometrics etc. When we buy software we have a choice to use it, unfortunately (although one could argue that a popular vote is a choice made by the electorate) the same can't be said about our every day lives.

I honestly don't know about the botting in WoW. Presumably there is a lot of it but as solo play is nothing unusual in non-instanced areas I'd imagine it may be harder to track than in GW, but that's an uneducated guess on my part.

Were I a terrorist and in need of constant communication with multiple cells across the globe, I'd simply subscribe to an MMO and send Christmas subscriptions to all my friends abroad.

You can bet Homeland Security will monitor such suspicious traffic. GW having an international district might be a prime cell meeting place, and no monthly fee dramatically reduces a paper trail.

There are much cheaper alternatives! But, well, if terrorists want to enjoy a nice storyline, GW is a good choice

1. Yeah, trusted computed IS the root of all evil... But I'll try not to hold it against you personally.

2. In the online-gaming situation, getting us stupid lambda users to generate and use a key pair is easy because you can make the client do it transparently for the user. It's not "star trekky" -- even I could code it. I imagine a set-up something like this:

• A-net generates a key pair.
  • The private key resides on the server (only).
  • The public key is hardcoded into the client. (You can changed the public key via update if really necessary.)
• Whenever the client connects, it generates a fresh key pair. (If processor power is lacking, these may have to be generated beforehand in the background during the previous session and saved. That's not ideal, but probably not fatal.)
  • The private key remains with the client and gets deleted at the end of the session.
  • The public key gets put into a message which is encrypted using a-net's public key and sent to the server. (It's deleted from the server at the end of the session.)
• All further communications from server to client are encrypted first using a-net's private key, and then using user's public key. (That order b/c a third party could have a-net's public key, so we don't want the corresponding key on the outside.)
• All further communications from client to server are encrypted using a-net's public key and user's private key. (I don't think order is as important here; so I'm putting the short-lived key on the outside kinda by default.)

I can't take offense at that -- it's true! Our privacy laws are a total mess, and it's only been getting worse since 9/11. I think the book by Prof. Solove that I plugged earlier describes what's wrong with the laws and why better than I could, so I'm just going to plug it again.

Live in a cave much? it was just all over computer news the past year. Cnet.com, PC Magazine, PC World. The fact that you seriously doubt it blows any intelligence for your arguments, because you are doubting a fact. They had to admit to it when it was exposed. Hell, I believe you could find it referenced in the NY Times. It was part of the original WGA release, and a lot of experts recommended not downloading the updates for it because of this. It made your computer ping back its bios information daily to M$, and could shut down the computer, causing grief to a lot of legitimate computer users. Microsoft was sued by many owners, and WGA was rated as spyware by many in the industry.

Do what you should have done before that comment and simply Google it. You'll learn something.

I suppose you can't learn some manners via google, can you?

after that armbrace accident..best what anet should have done then would be to erase all armbraces that exist from all accounts ...

and then giving all accounts, which were proven first and ended up being not "guilty" their armbraces back..which were taken....all the guilty rest naturally gets banned ...


imo Anet handled not 100% correct..after the first wave of bans..there were still hundreds of thousands of people..which luckily got not banned and slipped somehow through the controls ...

Guild Wars is pretty good for keeping hacks down for a game that isn't subscription based.
Back when I played EQ2 and WoW, I heard about quite a few hacks. People seemed to find ways of duping shortly after the last update that stopped the old duping method. lol
I haven't played EQ2 in a while, but WoW still had another working duping method, involving an application, only a few months ago...maybe still works.