So you guys seem to have your pulse on the gaming public. Well at least more than most message boards. So what do you think? If secure computing was added to say an RTS title, or an MMORPG how much do you think it would be worth?

PS: assume that secure computing is actually possible. I understand that it's difficult when the device is in the hands of the enemy (the users) but let's assume that it can be done.

Could you define secure computing a little better?

Why would the person against the hackers talk in hacker l33t talk?

Chet

Sweet sweet mockery.

Perhaps he's some sort of marketing suit who thinks he has to speak to us in our sp3c14| |4nguag3?

Is secure computing anything like posthumous dialog?

qt3 is NOT the gaming public. it's frequented by adults who are often eloquent. the gaming public plays Madden on the ps2 with their classmates.

not that there's a problem with madden.

Perhaps he's some sort of marketing suit who thinks he has to speak to us in our sp3c14| |4nguag3?


I'm just an engineer who has been working in trusted computing for a couple of years who happens to play a wackload of online games. Much to my wife's chagrin.

I constantly tell myself : "Hacks, like maphack for example, just kill the game for me. If they (blizzard for example) could just get with the program and implement some basic level of resistance they could pretty much eliminate hacking from their game. "

Since I think everyone is like me (LOL), I think that there is a huge market out there for this kind of thing. But before I went out and financed my own company to sell trusted computing compilers (jk, too much risk for me) I wanted to see what people who actually know the real market think about such a thing.

Oh as for the leet speak. I thought it was funny. It's probably not. One of the drawbacks to being an engineer: poor social skills due to lack of interaction :)

I constantly tell myself : "Hacks, like maphack for example, just kill the game for me. If they (blizzard for example) could just get with the program and implement some basic level of resistance they could pretty much eliminate hacking from their game."

You talk to yourself using examples?

Color me stupid, but what the hell are you talking about? "Secure computing" could mean about seventy-eight different things, depending on context.

Do you mean hack-proof computing? IE, everything locked down so that punkbuster becomes irrelevant, that you can be assured that everyone is playing off the same codebase? If that's what you mean, then yeah, that'd be great.

Or are you talking Secure in the DRM sense? Such that the publisher can be guaranteed that everyone has actually paid for the game? That'd have definite benefits, too.

Personally, I think that they should make a thing that makes your CD drive hand out candy. On demand. I bet they could make a cool acronym for that, too.

When are they going to do all this stuff for us! We need it, and soon!

But before I went out and financed my own company to sell trusted computing compilers (jk, too much risk for me) I wanted to see what people who actually know the real market think about such a thing.

Hrmm.... Google sez:

Your search - "trusted computing compilers" - did not match any documents.

Trusted computing of late has been used as a synonym for "hardware encryption", and I'll be damned if I can think of how you'd use that to stop online game cheating.

Do you mean hack-proof computing?
...
Or are you talking Secure in the DRM sense


They use the same technology under the hood. If you want to make a DRM you need to create a "trusted" environment for your code to enforce those rights. To do that you need to be hack proof. Although hack resistant would be more correct, since it's clearly impossible to be hack proof (but you can make it very, very hard with hardware support).

Anyway, I'm mostly talking about hack-proof (resistant) computing, where you could trust to a high degree of confidence that your opponent is running the same code that you are and is not employing some kind of enhancement (be it maphack, aim-bot, whatever).

Let's see. A secure online gaming environment where all users are guaranteed to be playing on equal footing and everyone playing has a valid copy of the game. Where have I heard of this before? Where oh where? Hmmm.

Oh yeah (http://www.xbox.com/live).

Where oh where? Hmmm.

Oh yeah.


And how valuable is the security portion of the service to you? How much would you pay for such a service on your PC?

Where oh where? Hmmm.

Oh yeah.


And how valuable is the security portion of the service to you? How much would you pay for such a service on your PC?
Errr... nothing?

Anyway, I'm mostly talking about hack-proof (resistant) computing, where you could trust to a high degree of confidence that your opponent is running the same code that you are and is not employing some kind of enhancement (be it maphack, aim-bot, whatever).

As a game programmer who thinks about this once in a while (I do a fair amount of online game work), I do not see how this is possible. Even if you're only talking about locking down the game executable.

Then recall that a lot of the more effective hacks involve tweaking with some system DLL that is supposed to be different on everyone's system, anyway -- e.g. the graphics driver. How are you going to prevent said wall hack?

The only way to *really* prevent it is to do full occlusion culling on the server, which is prohibitively expensive right now (and has nothing to do with "secure computing").

Though if you have a genuine idea on how this can be done (without hardware support -- they ain't taking my computer away from me), I'd be enthusiastic to hear it.

-J.

Also, I should say that your best chance at a market for something like this is selling an SDK to developers. Asking a game player "how much would you pay for X" is pretty much the wrong way to go about it.

Though if you have a genuine idea on how this can be done


I would love to say that it is my idea, it's not. Everyone in the biz (drm) pretty much knows the techniques of how to make it harder (but again not impossible, that's impossible) to debug an application, or more precisely sections of an application. Heck, I'm sure that any developer given a little bit of time would come up with some decent techniques.

In general most techniques are costly in terms of CPU power, they take development time to setup, and they make your development cycle longer.


Then recall that a lot of the more effective hacks involve tweaking with some system DLL that is supposed to be different on everyone's system, anyway -- e.g. the graphics driver


Don't know about that kind of hack, sounds like one for an FPS and I don't really play any FPS games. I guess you are referring to something that changes the game to wireframe or something like that which allows you to see through walls or something. Sounds pretty nasty since you have to verify the integrity of the video driver. You'll probably need to wait until Microsoft makes secure video path (SVP) although to be honest it seems to have died. Secure Audio Path (SAP) (http://www.microsoft.com/windows/windowsmedia/wm7/WMRMsap_bro.pdf) was implemented but I guess the requirements for SVP were too high. Anyway, SVP seemed to be targeted at overlay output, and not the 3d api.


Also, I should say that your best chance at a market for something like this is selling an SDK to developers.


Oh I totally agree. Although it would probably be a compiler or a compiler add-on.


Asking a game player "how much would you pay for X" is pretty much the wrong way to go about it.


I disagree. I just want to feel out how much of a demand there is out there for hack free games. If there is no demand on the consumer end for their games to be hack free, then developers have little impetus to buy the technology to make their game more hack resistant. I know I would pay extra for RTS games that were hack free. Heck, considering how much I like RTS games quite a bit more. But I don't think that I represent the general gaming populace.

I'm a programmer. What type of magical compiler addon would provide magically secure code? I am aware of the tricks being implemented in BSD & Linux which prevent execution of the stack which prevents buffer overflows, and have read various ideas of how to make hacking harder, but as long as your stereotypical hacker has access to a debugger on a system that has any game related data, he'd be able to mess with it. Its just a matter of time. Once one person finds it out, the game's over.

The whole problem with hacking is that you've got a completely untrusted platform on one end of the calculation, and you don't have any real control over this system at all.

In regards to your posts about gamers -- the fact that you don't play FPS games instantly reduces you credibility because you don't appear to be aware of the cheats available for those, and those are the most cheated-on games played currently.

The other thing that bothers me is your perception that "Gamers don't want hack free games." Of course they want hack-free games. Customers aren't going to spend MORE money on it though -- if the developer can't stop people from hacking the game, then the players will get pissed and go somewhere else. They might download a free system like Punkbuster if its not too annoying though.

So, to sum up:

1) As a programmer I'm extremely dubious about your ideas
2) As a gamer I'm not going to pay one cent for this because dammit, I shouldn't have to fork out more money to get a game to play properly online.

#1 can be addressed by giving more more than vague buzzwords and handwaving about what you'd like to do.
#2 can't be addressed, because that's a personal opinion.

1) As a programmer I'm extremely dubious about your ideas


That's too bad for you. Honestly I don't care what you think technically. If you want to educate yourself use google with the correct keywords. There are plenty of papers on the subject.

I just wanted to see how much interest other gamers have in secure computing wrt. it's application in reducing the frequency of hacks. I'm really interested in it since (a) I work in the field, (b) I am a gamer and (c) hacks drive me nuts.

It seems to me that the answer is : little. Too bad for me. I would have loved it, but it seems that there really isn't a lot of support for the non-hackable games.

Maybe, just maybe, if microsoft gets palladium up and running AND they do it right AND it's really simple for game developers to plugin into then maybe just maybe it'll get done. But if it costs developers anything then I guess it's not going to happen.

People have been equating Microsoft's "trusted computing" thing with a specific technology or two, but that's not really it. It's a goal, not a specific means of getting there.

For the benefit of this discussion, I guess I'll go ahead and define it.

Trusted Computing = you can be sure that your data is secure unless you authorize someone access to it, you can be sure your programs have not been altered, and you can be sure that the integrity of the external data/programs you are accessing have not been compromised.

It's a lofty, possibly unattainable goal. It will require smart changes to software development practices, tools, and infrastructure changes.

In gaming terms, it's actually a bit more compact (but still quite difficult). I means your game: can't be hacked from external sources, other players can't hack their own games, data transmitted from your computer to play online does not reveal any personal information that can identify who you are (though it could easily identify your client uniquely, not just know who that client belongs to), and the game never transmits data unrelated to the game without you knowing about it and opting in.

All of which is of course a good thing. The cheaters suck. Cheating in a solo game is fine...you're only cheating yourself, cheating the system. Cheating online ruins the experience for others, though.

Also DRM <> Security no matter what name you give it.

And Microsoft's Trusted Computing technologies are far more about protecting intellectual property from unauthorized copying than they are about real security.

That's too bad for you. Honestly I don't care what you think technically. If you want to educate yourself use google with the correct keywords. There are plenty of papers on the subject.


I know what Trusted Computing is. What I have no idea about is how you make a "trusted computing compiler". Like I said, your combination of buzzwords creates a

It seems to me that the answer is : little. Too bad for me. I would have loved it, but it seems that there really isn't a lot of support for the non-hackable games.

Bullshit. Gamers would love non-hackable games, it just not the gamers problem. Its the developers problem. If you can help them, then the gamers will be happy. You just aren't going to get gamers to fork out cash to you for this.

Maybe, just maybe, if microsoft gets palladium up and running AND they do it right AND it's really simple for game developers to plugin into then maybe just maybe it'll get done. But if it costs developers anything then I guess it's not going to happen.
Its very possible to make mostly hack proof games without involving a bunch of Microsoft shit (http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html) that will delete all my MP3s if it gets bored.

Correct me if I'm wrong (seriously), but isn't a trusted environment exactly the opposite of what Huzurdaddi is suggesting? The trusted computer is the one you HAVE to trust because you don't have much control over it, yourself.

Bullshit. Gamers would love non-hackable games, it just not the gamers problem. Its the developers problem.

Yeah, this is what I was trying to say. Good way of putting it.

And Microsoft's Trusted Computing technologies are far more about protecting intellectual property from unauthorized copying


Yes they are. The impetus for all of this work is clearly rights enforcement. However to enforce rights you need to trust that your software will do what it is supposed to do. The technology that enables this trust is the same technology that could be used by games to trust that the neither the platform nor the game have been manipulated in some fashion.


a bunch of Microsoft shit that will delete all my MP3s if it gets bored.


Nice site. I'm sure that you had your tinfoil hat on while reading it, they are probably reading the signals from your brain right now! Beware!!!!!!111!!!!!11!!!

One of the drawbacks to being an engineer: poor social skills due to lack of interaction :)
No, really?

I don't care if you implement a self-modifying interpreter encrypted via a hardware dongle with layer upon layer of tamper checks and validation, I can still crack it. It will just take me longer.

In an online game, the only way to secure information from misuse by the player is not to send it in the first place. Due to architecture and performance issues, this is not always a possible thing to implement in most modern multiplayer games. Are many games sloppy and not as secure as they could be? Yes. Can you completely hack-proof a popular game against hundreds or even thousands of talented crackers? No.

If you have "physical" access to the code, data, machine, etc. I don't care if you're 5200.28-STD A1 certified, it is a matter of when, not if.

If you have "physical" access to the code, data, machine, etc. I don't care if you're 5200.28-STD A1 certified, it is a matter of when, not if.
When does it become a matter of "why bother?"

I agree that any multiplayer game can be hacked given sufficient time and effort. At what point does the amount of time and effort become a deterrent instead of a challenge or an inducement?

--milo
http://www.starshatter.com

I don't care if you implement a self-modifying interpreter encrypted via a hardware dongle with layer upon layer of tamper checks and validation, I can still crack it. It will just take me longer.


I don't doubt that someone, somewhere, could crack any scheme in time. As I said "since it's clearly impossible to be hack proof." But you can make it pretty darn hard. Truth be told there is only so much you can do without hardware.

With the proper hardware (which has not been created yet) it can be made exceptionally hard to crack. But that is pretty far down the road.

It's really all about raising the bar to a sufficient level. And, of course, versioning the software (or if you prefer "revoking").

like milo says:


At what point does the amount of time and effort become a deterrent instead of a challenge or an inducement?


that's the thinking.

I agree that any multiplayer game can be hacked given sufficient time and effort. At what point does the amount of time and effort become a deterrent instead of a challenge or an inducement?

There is an old stereotype about the best way to motivate a programmer to do something is to tell them you think it is impossible....

In the case of Joe's Fuddy Duddy Online Game IV, maybe not much. Diablo III, however, might as well be the Holy Grail.

There is an old stereotype about the best way to motivate a programmer to do something is to tell them you think it is impossible....

In the case of Joe's Fuddy Duddy Online Game IV, maybe not much. Diablo III, however, might as well be the Holy Grail.

Well, with hardware support (like Palladium) it is possible to make a cryptographically secure software system. The hardware can authenticate itself remotely through a challenge/response system that no one can answer without the private key embedded in the hardware. This system cannot be broken simply in software, because the private key never exists in software...

...but as CSS (DVD protection) shows, keeping the private key out of the public domain is difficult.

Geoff

Eventually unencrypted data must be presented to the user. Protecting game engines by using a closed cryptographic hardware system is one thing (and IMO not necessarily a good thing). Preventing copying of video or audio is another.

Closed cryptographic systems turn your general purpose computer into an appliace for running applications. It makes your PC look more like an Xbox, where you have very little control over what occurrs on the system and your only interaction is through the application. Personally I like to muck about with my computer, If I want an appliance I'll use a console or set top box.

Finally don't hang your hat on Palladium or other DRM/Crypto-hardware systems. A lot of smart people have spent a lot of time up to this point to try to make closed consumer computing devices, and all it takes is one person to find the hole, and one Internet connection to disseminate that information and you've accompliashed nothing but keeping the honest people honest (potentially with less functionality) and the crooks can still be crooks. I cite Tivo, DirecTV, cable pay-per view, etc. etc.

this is kind of a fun problem. The obvious things: keeping as much of the processing on the server side, sanity-checking all data from the client against the current state stored on the server, periodic validation of client side files, etc... I think this is the kind of stuff that punkbuster does (?)

This won't stop stuff like maphacks, any data sent to the client is fair game.. I'm guessing that encryption would be easier to break, given that the client output is predictable and dependent on the client input.

Maybe one day all the processing other than keyboard/mouse input will be server side, and the client will only receive the end graphical result. X-Windows gaming!

- elrav