Loading ...
Sorry, an error occurred while loading the content.

REVIEW: "Exploiting Online Games", Greg Hoglund/Gary McGraw

Expand Messages
  • Rob, grandpa of Ryan, Trevor, Devon & Han
    BKEXONGA.RVW 20070913 Exploiting Online Games , Greg Hoglund/Gary McGraw, 2008, 0-13-227191-5, U$44.99/C$55.99 %A Greg Hoglund www.rootkit.com %A Gary
    Message 1 of 1 , Oct 22, 2007
    • 0 Attachment
      BKEXONGA.RVW 20070913

      "Exploiting Online Games", Greg Hoglund/Gary McGraw, 2008,
      0-13-227191-5, U$44.99/C$55.99
      %A Greg Hoglund www.rootkit.com
      %A Gary McGraw www.exploitingonlinegames.com gem@...
      %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
      %D 2008
      %G 978-0-13-227191-2 0-13-227191-5
      %I Addison-Wesley Publishing Co.
      %O U$44.99/C$55.99 416-447-5101 fax: 416-443-0948 bkexpress@...
      %O http://www.amazon.com/exec/obidos/ASIN/0132271915/robsladesinterne
      http://www.amazon.co.uk/exec/obidos/ASIN/0132271915/robsladesinte-21
      %O http://www.amazon.ca/exec/obidos/ASIN/0132271915/robsladesin03-20
      %O Audience i+ Tech 2 Writing 2 (see revfaq.htm for explanation)
      %P 340 p.
      %T "Exploiting Online Games: Cheating Massively Distributed Systems"

      Shall We Play A Game?
      or
      Being a Review of "Exploiting Online Games" With Much Editorializing
      and Extensive Digressions

      Fair warning, then: this review is going to be a bit different.

      Why games? Isn't this topic a bit trivial? After all, Hoglund and
      McGraw are among the very select few who have been able to use the
      "hack to protect" style work. By examining vulnerabilities they have
      created books like "Software Security" (cf. BKSWSBSI.RVW) that have
      contributed useful guidance to those attempting to build more robust
      and reliable programs. Therefore, the foreword, preface, and first
      chapter all attempt to provide reasons why such a book is needed.

      First off, there is a very large virtual economy that interpenetrates
      with the [real|cash] one. Since gamers have started selling
      abilities, "game gold," and even characters, game objects now have
      cash values in the real world. As with anything that has an
      exchangeable value, the criminal world has taken an interest. Trade
      in game objects now comprises a large fraction of online frauds,
      identity theft, and money laundering. (The trojan posted at the
      Dolphin Stadium Website, and others, around SuperBowl time had a
      subordinate payload looking specifically for "World of Warcraft"
      accounts.)

      Everything that relates to software insecurity (and security) in the
      online gaming environment applies (though possibly not equally) to
      security in other systems. Therefore, a book noting the security
      vulnerabilities of game systems provides an introduction to system
      security in general, and application security in particular. It helps
      that the gaming topic is of intrinsic interest to a number of people,
      and therefore may spark interest in information security.

      (Interestingly, no argument is made in the book is that the existence
      of vulnerabilities in the game system itself, and particularly on the
      client side, may open the gamer to various forms of attack [and not
      just by axe-swinging berserkers]. Loopholes in the client software
      could lead to openings for intrusions, means of gaining information
      about the user or system, or entry points for malware. We have seen
      numerous instances of problems associated with widely used client
      software packages, such as those for instant messaging and peer-to-
      peer file sharing.)

      Chapter two contains a discussion of various ways of manipulating
      games. Most of these are at a conceptual level, although some are
      extremely detailed, including macro and C code. The material also
      addresses some countermeasures to the cheats, and a few ways to defeat
      the safeguards, as well. Instances and examinations of the virtual
      economies that have sprung up around online games are presented in
      chapter three. Given the earlier stress on the importance of the
      point (as a rationale for the book itself), the content is
      disappointingly thin in this separate chapter. American copyright and
      related laws (particularly the Digital Millennium Copyright Act) and
      End User Licence Agreements are the substance of chapter four.

      Chapter five notes a number of bugs, primarily those involving
      interactions of complex functions and states of games. Tools and
      techniques for examining and manipulating client software are
      described in chapter six. There is a lot of C code, and, although the
      programming is extensive it can't be exhaustive, since the chapter
      basically covers a topic to which whole books are devoted. (Most of
      the suggestions are directed at attacking the server, and, again,
      there are few mentions of the risks of vulnerabilities in the client.)
      Chapter seven provides C code for programming robots to cheat at the
      game for you. The chapter seems oddly placed, since eight returns to
      the topic of reverse engineering of software, and lists more tools.
      (There is also a rather comprehensive guide to basic functions in
      assembly code.) Advanced game hacking, in chapter nine, deals mostly
      with the modification of clients or the creation of alternate game
      servers.

      Chapter ten starts off with the statement that the primary goal (of
      the book) is to "understand the security implication of massively
      distributed software systems that have millions of users." That's a
      worthy goal, and one that is indicated by the subtitle. Therefore, it
      is strange to note that not only is this intent omitted from the
      rationale given at the beginning, but also that the topic really isn't
      addressed in the text. There are so many notions that could be
      explored under that subject, such as the social engineering aspects of
      working with large groups, the emergent properties that might arise
      from simple functions operating in large numbers of nodes, the massive
      power of distributed systems, or even the relation to the botnets that
      are currently such a concern. None of these ideas are explored in the
      book or in chapter ten itself, which is simply a fairly brief review
      of some decent but basic software security guidelines.

      The book is, therefore, a partial success. The introduction to the
      fundamentals of software security via the gaming medium is a
      potentially useful and valuable device. The work does tend to
      concentrate more on the game aspects, and less on the generic
      principles, but that emphasis is not necessarily a flaw. The precepts
      are sound, and those who do become interested in security will be able
      to apply them, and move on to more advanced areas.

      copyright Robert M. Slade, 2007 BKEXONGA.RVW 20070913


      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      As long as the world is turning and spinning, we're gonna be
      dizzy and we're gonna make mistakes. - Mel Brooks
      http://victoria.tc.ca/techrev/rms.htm
    Your message has been successfully submitted and would be delivered to recipients shortly.