Sunday, May 4, 2008

Counter-Strike in China

During the long delay since my last post, I ventured behind the Great Firewall.

My major quest, aside from the business I was there to conduct, was to shop for video games and speak to locals about them. It's fairly easy to read about China's video game market, but it's another thing entirely to experience it in person.

On my first attempt I visited a prominent shopping mall that caters to upper-middle-class Chinese. My research told me that it had an arcade, an electronics shop, and a DVD shop.

By "arcade" they apparently meant six racing stations from the mid-90's (labeled in Chinese and I didn't recognize the attract screens), a whack-a-mole style game of multicolored buttons at which was seated a screaming three-year-old, and a claw game filled with the exact same stuffed animals you'd see in the States. (My guess is that they're all made in China anyway.) The area was stuck into the far back corner of the top floor of the mall. It was poorly lit, the floor dirty, and the games sandwiched between toddlers' clothing, men's restrooms, and the food court. The screaming three-year-old and her mother were the only customers.

Electronics were housed in much better conditions, but there was no gaming equipment to be had. Cameras, HDTVs, and iPods ruled the day.

By "DVDs" they meant "Chinese movies," and nothing else.

For my second attempt, I went to a downtown mall that catered to upper-class Chinese and foreigners. The ground floor held brands like Cartier and Coach, and the high, fixed prices implied that they were the real article. On the fourth floor there was a quarter of a shelf, unlabeled in any language, squished between yoga DVDs and coffee table books. It contained twelve video games: two Chinese titles (I don't read Chinese so don't ask me what they were), nine Japanese titles that seemed to be sequels of two separate series, and World of Warcraft. Average price for each game was 69 yuan, though there was a casual Japanese game at 29 yuan and a big boxed Chinese special edition at 129 yuan. World of Warcraft had no price tag.

My third attempt was to find an independent gaming store, and at this I failed utterly.

On my fourth attempt, I went to a famous shopping plaza that sells nothing but knock-offs. Samsonite luggage: $8. Armani coat: $40. Coach bag: $12. (For added irony, the entire front of the building is covered by a giant poster of Jackie Chan, with the caption "Say no to piracy!" in three languages.) And there, in that den of illicit opiates of the masses, lay my video games and consoles. Half a mall-sized floor of merchandise: PSPs labeled at $60, DS Lites at $40, and any game you can possibly name for 10 yuan ($1.43) or less. PC games, console games, hardware, software, accessories, toys, you name it, it's yours for the haggling. (No, I didn't buy any.)

My fifth effort was an interview with a local man, courtesy of a consumer products survey company. I went to a "home check" with an interpreter and spent an hour and a half asking questions about the gentleman's buying habits, his friends, living situation, social status, etc. He owned a computer that doubles for him as a television, and spends his time reading or watching news, blogging, or playing either casual games or - get this - Counter-Strike.

After some probing, he admitted that it wasn't actually Counter-Strike; it was a Chinese game "similar to Counter-Strike" that he plays with his friends several times a week. (Though he was familiar with LAN parties, he said it was easier for them simply to organize times to play from their own homes.) I asked where he had bought the game, and how much he had paid. At this there was some back and forth with the interpreter, and eventually the answer came: he downloaded it online for free. Which is what he does with all of his media content: movies, television, video games, etc. He does not own any boxed copies of anything. He wouldn't answer whether or not he pays a subscription fee, but did state that he has never shopped online - for anything - nor has anyone he knows. He seemed surprised by the question, and actually laughed at the idea.

It's easy to read about the 96% piracy rate in China, and the regulations that make importing consoles all but impossible. As someone whose livelihood depends on people not stealing the content we produce, it's also easy to get, shall we say, irked. The reality of the system in China is that legitimate software is so expensive and so hard to find, and pirated software so cheaply and easily available, that it would be bizarre for Chinese gamers to not pirate. If I lived there and wanted to play games, I'd have to pirate them too.

It's also easy to point a finger at the Chinese government. Their protectionist policies, which I'd venture to state are in direct violation of their WTO responsibilities, hamstring foreign companies from legitimately doing business. Domestic companies don't yet have the expertise to compete with the likes of Nintendo and EA in a fair marketplace. (But they've had enough time under WTO rules for the training wheels to come off.) Yet while China has seemed inscrutable and impenetrable to many Western industries and companies, it has been quietly building credibility with Asian and African neighbors as a responsible partner. Changing the business environment may be difficult, but not impossible. (I highly recommend China: Fragile Superpower for general insight on this.)

More difficult to overcome is the problem of retail distribution. None of the burgeoning class of big-box retailers in China have cracked the code of video game sales. Chinese consumers don't yet seem comfortable with online purchasing in any form. Boxed copies are only available in pirated form, and digital copies are only available through P2P sites. Imagine trying to watch movies in a country without Blockbuster, Netflix, or HBO; you're left with bittorrent and a DVD burner whether you care about piracy or not.

(And for the record: abstaining from piracy in that environment might be more ethical, but it does not make you a paying customer. It makes you a non-gamer and therefore of no more financial use to the industry than if you'd downloaded illegally.)

Yes, we can change business models to subscriptions, pay-to-play, and microtransactions. This seems to work out well for the domestic MMO companies and of course for WoW. It works particularly well for internet cafe usage, just as in South Korea, which has many of the same problems. I'm betting it doesn't work out so well for Valve, which is not seeing a single yuan from my Chinese friend playing either Counter-Strike or its Chinese knock-off version.

So the problems here, just to name a few:
  • Significant taxes and regulatory hurdles on imported games hardware and software
  • Lack of consumer confidence in or awareness of online purchasing
  • High price tag of legitimate software versus pirated software
  • Easy creation of and access to pirated software and smuggled hardware
  • Ineffective retail distribution system for boxed software
  • Lax consumer (and presumably government) attitudes toward piracy
Even more briefly: a government regulation problem, a business strategy problem, and a security problem, assembled in various combinations. Each of these problems suggests questions we should be asking ourselves.

Why is it so easy to pirate our software? (And simultaneously translate it into Chinese, no less.) Why is our software priced so highly in developing markets? How can we create retail distribution channels for boxed copies? How can we create consumer confidence in online purchases? Has any of us filed a complaint with the US Trade Representative to the WTO? Are there domestic Chinese companies we can partner with to get our hardware imported legitimately? How do we shut down the smuggling? How much time and money would it take to educate consumers that piracy is bad? (I suddenly envision a "Jackie Chan will kick your ass" campaign.) Would increased boxed-copy sales impart a sense of value on software, such that consumers equate piracy with theft? How would we assure consumers that online purchasing is safe? How would we make sure that it is safe behind the Great Firewall?

Some throw up their hands and declare that the China Problem is unsolvable, that it's just how things are, and no one can change them.

I respectfully disagree.

Wednesday, March 26, 2008

Selling Security to Game Devs

I'm told that Bruce Schneier's blog is required reading in the security field. The latest rumblings to come from his direction are on a subject I've read about multiple times - and I'm not in security, so I imagine I see only the tip of the iceberg. Nevertheless:
"Security requires a particular mindset. Security professionals -- at least the good ones -- see the world differently." ... "I've often speculated about how much of this is innate, and how much is teachable. In general, I think it's a particular way of looking at the world, and that it's far easier to teach someone domain expertise -- cryptography or software security or safecracking or document forgery -- than it is to teach someone a security mindset."
http://www.schneier.com/blog/archives/2008/03/the_security_mi.html
Debate rages in comments, of course. It's one of the founding Laws of the Internet (right up there with horses having right-of-way over dump trucks) that making an unequivocal statement of one's opinion is grounds for an immediate flame war. So I'm going to make an unequivocal statement:

It is not difficult to teach someone a security mindset. What is difficult is selling them on the idea that the security mindset is a desirable one.

Law school, business school, boot camp, police academy, even some undergrad programs are all designed to take a generalist human being, re-shape their mindset, and turn them into a tool with a specific purpose. When done for academic or career training purposes, we call it "school"; when done for nefarious purposes, we call it "brainwashing." It doesn't happen overnight - those programs range from months to years - but it does happen reliably and systematically. Mindsets are changed every day.

Unfortunately, it's a lot easier to sell law school than it is to sell security training. Most people can readily understand how the legal mindset will be helpful to them, their careers, and their businesses. Very few people in the world understand why it would be valuable or desirable to, upon encountering a new system, automatically think of ways to exploit it. That pings most people's morality meters as bad.

You have to sell them on the idea that it's good.

I would argue that the infosec community's difficulty in getting more of the world to have "a security mindset" is a failure not of their product but of their marketing.

I write this blog specifically because I do not know how to market "the security mindset" to the video game industry. I'll admit that I've had an easier time of it than most. It's my job to point out flaws, both in our software and in our business process. Having a security mindset in my job is immediately recognizable as good - or at least as not evil. (I do keep my mouth shut about mailing people tubes full of live ants.) But I'm having trouble convincing them that it's not merely good for one person to have by happy accident, but necessary for the entire company to understand and prioritize. In short, I have a marketing problem.

Successful marketing requires a number of factors:
  1. a perceived need in the marketplace
  2. a product or service that meets the perceived need
  3. understanding of the people or businesses who have that need
  4. communication that physically and psychologically reaches these people or businesses
What we're missing is the first and most crucial element, #1: perceived need.

Some needs are obvious and exist even in absence of a product (clean water, clothing, a cure for AIDS). Some products create a need for that product once the customer is exposed to it (post-it notes, iPhones, crack cocaine). Some products are basically unnecessary to anyone, yet brilliant marketers created a perception of need (Oreos, designer handbags, Beanie Babies). You can create this perception for just about anything, though it's not easy, even when the value of the product seems obvious. Creating a perceived need for the Internet took a couple of decades.

At the moment in the games industry, there is no perceived need for the security mindset. There is a recognized need for some level of security; CEOs do understand that they need to be PCI compliant and programmers do know that it's bad when their game software is pirated. But, as I've mentioned in previous posts, there exists a fundamental naivety in most game companies I'm familiar with. "No one wants to hurt us; we just make video games" is, in marketing speak, a lack of perceived need. Conflation of hacking with cheating reinforces this view. Looking at the world through rose-colored Glasses of Fun and Games reinforces this view.

So how does one market "the security mindset" to the games industry? To any industry?

Tuesday, March 18, 2008

The oldest debate: Cheating

Most discussions of video game hacks revolve around cheating. Map hacks, bots, dups, rendering hacks, and a few species of bugs are what come to mind when one uses the phrase "video game hacking." (Greg Hoglund and Gary McGraw did an excellent job at dissecting this in "Exploiting Online Games", so I'm not going to elaborate here.) One of Gamasutra's first (of very few) articles on the subject is entitled: "How to Hurt the Hackers: The Scoop on Internet Cheating and How You Can Combat It" http://www.gamasutra.com/features/20000724/pritchard_pfv.htm.

Right in the title, it equates hacking with cheating.

I wonder how many companies in the world define hacking in such a way. Does Cisco make an effort to ensure that their routers can't be cheated to give other players unfair in-game advantage? I'm sure Citibank is very concerned with map hacks. (Gold farming, I'll grant.) Is cheating in-game mechanics such a big deal that the entirety of games-specific software security work ought to be focused on preventing it?

According to one of my colleagues, yes. "Cheating makes the game less fun for the non-cheating players," he said, arguing vehemently. "If the game I'm working on now isn't fun, it isn't going to sell, and then the next one isn't going to get published, and I'm going to get laid off. Cheating is absolutely important." He has a point, and it's one I've heard echoed many times in the hallowed halls of GDC after-parties.

I'm going to agree up to a point. Yes, cheating is important for us to combat. It does make games less fun. Since the product that I'm employed to make is essentially just fun-in-a-box, that certainly impacts my real world. But I disagree that cheating and hacking are one and the same. That conflates the terms and confuses the issue. Hacking is in games just as it is in the rest of software: exploiting a program in order to obtain unauthorized access, and therein to commit crimes ranging from defacement to theft.

(Two notes, before I get flamed: 1) I'm talking about black hat "hacking," not infosec research or pen testing. 2) As stated in previous posts, I am Not A Hacker. I just make video games.)

I'd suggest that when we mean "cheating," we use the term "cheating." Making another WoWbot is interesting to Blizzard but is not groundbreaking infosec work and is not particularly interesting to the rest of the industry. It's certainly cheating, but it's not hacking. If you went phishing and caught a database full of Blizzard's customers' credit card numbers, now that would be interesting (whereby I mean "horrible in every possible way"), and the lessons learned from it would apply to the rest of us. That would be video game hacking. If you could reliably crash a Pirates of the Burning Sea server, that would be video game hacking. If you could get free games from Steam, that would be video game hacking. If you could get access to Bioware's bug database, that would be video game hacking.

The term "hacking" as it applies to the rest of the IT world ought to apply to games. I think it does us a disservice to have our own special definition. It makes it difficult to have an open industry dialog about serious security issues, such as credit card theft and breaches of our internal networks, when the airwaves are cluttered with chatter about shooting around corners.

Tuesday, March 11, 2008

Network vs. Application

I had an interesting conversation with a friend in the industry today. Redacted, it went something like this:

Me: "Maybe it'd be a good idea to auto-scan a game for vulnerabilities with each build during development."
Him: "We do a pretty good job of making sure our firewall is secure at my company, so I don't think that's necessary."

He's right. I'm right. And we're clearly talking about two very different subjects.

I've definitely noticed that awareness/paranoia about security issues in my industry are decidedly conflated, or at least skewed toward protecting the company network, and away from analyzing the software we develop. Since I'm not in the security field, I'm not sure if this is common across the IT board.

Do most software or SaaS developers have this odd bias? Do MMO developers or casual/web games developers have more sophistication in their security strategy? Is it just another version of the "we just make games, so no one wants to hurt us" mentality?

Thursday, March 6, 2008

Games for Stalkers

I just came across this article:

http://playnoevil.com/serendipity/index.php?/archives/1933-ADD-THIS-FEATURE-Giant-Interactives-Z-Online-hits-1.5-Million-Peak-Concurrent-Users-PCU-Thanks-to-Social-Networking-Feature.html#extended

Z-Online, from Giant Interactive, is amazingly popular in China. As of November of 2007, it was reaching 888,000 Peak Concurrent Users (PCU).

This year, they came up with a feature that brought them to 1.5 Million PCU... it's simple, brilliant, and every online game and social network should add it.
The new feature is called "Neighboring Friends" and it allows players to search for other players based on geographic location, according to Pacific Epoch.

My first thought was as a game developer: "Oh sweet! We could put that in and really add to the social networking component of the game! That's brilliant."

My second thought was as a security-conscious person, and was something along the lines of: sinking feeling, OhShitOhShit. Great. Let's let our entire playerbase see where that annoying 14-year-old griefer lives. Because that wouldn't get us sued for endangering children.

I notice that while wearing my game developer hat, I look at the world through rose-colored plastic-glitter sunglasses with little pink bows on the earpieces. When I put on my paranoid hat, suddenly the world is dark and menacing and filled with Evil. Since I would really prefer to live in a happy place, it's far more comfortable to wear the game developer hat.

This may start to explain why game developers are, as a group, far less hacker-conscious than one would expect.

Which raises the question: to what nefarious purposes is Giant Interactive's geocoding feature being put, and by whom? Does that endanger its players? And does GI have a responsibility to kill that feature, or at least actively monitor or gate it?
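One way to "gate" a feature like Neighboring Friends, as an added example that is not Giant Interactive's implementation and not code from the original post: the lookup requires an explicit opt-in on both sides, excludes minors on both sides, collapses exact coordinates into a city-sized grid cell before anyone compares them, and rate-limits callers so a sweep of the player base stands out. The `Player` record, the 0.5-degree cell size, the 18-year threshold, the five-per-minute limit and the sample roster are all assumptions constructed for this example.

```python
from __future__ import annotations

import math
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# One grid cell is 0.5 degrees of latitude/longitude, roughly 55 km at the
# equator: city scale, so a cell never identifies a street. Constructed choice.
CELL_DEGREES = 0.5
ADULT_AGE = 18
MAX_QUERIES_PER_WINDOW = 5  # per caller; a constructed limit
WINDOW_SECONDS = 60.0


@dataclass
class Player:
    """Hypothetical player record; the field names are assumptions."""
    player_id: str
    lat: float
    lon: float
    birth_date: date
    share_location: bool = False  # explicit opt-in, default off


def age_on(birth: date, today: date) -> int:
    """Whole years between birth and today."""
    return today.year - birth.year - ((today.month, today.day) < (birth.month, birth.day))


def coarse_cell(lat: float, lon: float) -> tuple[int, int]:
    """Map exact coordinates to a coarse grid cell. Callers only ever learn
    cell membership, never the coordinates themselves."""
    return (math.floor(lat / CELL_DEGREES), math.floor(lon / CELL_DEGREES))


class NeighborSearch:
    def __init__(self, players: list[Player]) -> None:
        self._players = {p.player_id: p for p in players}
        self._query_times: dict[str, list[float]] = defaultdict(list)

    def _enforce_rate_limit(self, caller_id: str, now: float) -> None:
        """Fixed-window limit: a burst of lookups looks like someone sweeping
        the roster rather than looking for friends."""
        recent = [t for t in self._query_times[caller_id] if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_QUERIES_PER_WINDOW:
            raise RuntimeError("rate limit exceeded")  # log and alert in production
        recent.append(now)
        self._query_times[caller_id] = recent

    def neighbors(self, caller_id: str, now: float, today: date) -> list[str]:
        """Ids of opted-in adults in the caller's cell, subject to the gates above."""
        caller = self._players[caller_id]
        if not caller.share_location:
            raise PermissionError("caller has not opted in")  # reciprocity: share to search
        if age_on(caller.birth_date, today) < ADULT_AGE:
            raise PermissionError("feature unavailable to minors")
        self._enforce_rate_limit(caller_id, now)
        cell = coarse_cell(caller.lat, caller.lon)
        return sorted(
            p.player_id
            for p in self._players.values()
            if p.player_id != caller_id
            and p.share_location
            and age_on(p.birth_date, today) >= ADULT_AGE
            and coarse_cell(p.lat, p.lon) == cell
        )


def outcome(call) -> str:
    """Collapse a lookup into 'ok', 'denied' or 'rate_limited'."""
    try:
        call()
        return "ok"
    except PermissionError:
        return "denied"
    except RuntimeError:
        return "rate_limited"


def run_demo() -> dict:
    """Constructed sample roster: everyone shares one city cell except erin."""
    today = date(2008, 3, 6)
    search = NeighborSearch([
        Player("alice", 40.71, -73.99, date(1980, 1, 1), share_location=True),
        Player("bob", 40.80, -73.95, date(1985, 6, 15), share_location=True),
        Player("carol", 40.72, -73.98, date(1994, 5, 1), share_location=True),  # 13: minor
        Player("dave", 40.73, -73.97, date(1975, 3, 3)),  # adult, never opted in
        Player("erin", 34.05, -118.24, date(1982, 9, 9), share_location=True),  # other cell
    ])
    results = {
        "alice_sees": search.neighbors("alice", 0.0, today),  # only bob qualifies
        "minor_caller": outcome(lambda: search.neighbors("carol", 1.0, today)),
        "opted_out_caller": outcome(lambda: search.neighbors("dave", 1.0, today)),
    }
    for i in range(MAX_QUERIES_PER_WINDOW - 1):  # alice's 2nd..5th lookup this minute
        search.neighbors("alice", 2.0 + i, today)
    results["sixth_lookup"] = outcome(lambda: search.neighbors("alice", 10.0, today))
    results["after_window"] = search.neighbors("alice", 100.0, today)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The design choice worth noting is that the coarsening happens before the comparison: the client-facing call returns a list of ids, not distances or coordinates, so even an attacker who scripts the endpoint learns only "same city cell or not", and the rate limit turns a roster sweep into something the server can see and act on.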

Tuesday, March 4, 2008

Lessons Learned at the Expense of Others

I'm not a hacker, and I don't play one on TV. I just make video games.

That said, I find myself with one foot in each industry. I'm spending just as much time at hacker cons as at gamer cons. My days at work flip back and forth between "level 4 crashes on load" and "no, you cannot plug your USB drive into my GDC demo computer, you random freak."

From a game developer's perspective, most of the time at industry events when I bring up security concerns - possibilities ranging from piracy to unencrypted ecommerce transactions to keystroke logging employee computers - the attitude is, "It's a compliment! People care about our game!"

This is in fact the entirety of the industry attitude I see about game hacking in general. Which bothers me, in that there's real money being lost (not necessarily by current MMOs but in games that support microtransactions and certainly in online gambling or "games of skill"), and therefore real game companies closing and laying off real people who happen to be my friends. Or me.

It seems like what's on the very few gaming-related hacker blogs, or hacker-related gaming blogs, is .001% of what's actually going on. It frustrates me that there's no open dialogue about this in the game development world. I'm sure Blizzard has a good security team on staff (or I would if I were them), but they're not talking to the rest of us.

So how does the industry start learning from itself?