The oldest debate: Cheating

Most discussions of video game hacks revolve around cheating. Map hacks, bots, dups, rendering hacks, and a few species of bugs are what come to mind when one uses the phrase "video game hacking." (Greg Hoglund and Gary McGraw did an excellent job at dissecting this in "Exploiting Online Games", so I'm not going to elaborate here.) One of Gamasutra's first (of very few) articles on the subject is entitled: "How to Hurt the Hackers: The Scoop on Internet Cheating and How You Can Combat It" http://www.gamasutra.com/features/20000724/pritchard_pfv.htm.

Right in the title, it equates hacking with cheating.

I wonder how many companies in the world define hacking in such a way. Does Cisco make an effort to ensure that their routers can't be cheated to give other players unfair in-game advantage? I'm sure Citibank is very concerned with map hacks. (Gold farming, I'll grant.) Is cheating in-game mechanics such a big deal that the entirety of games-specific software security work ought to be focused on preventing it?

According to one of my colleagues, yes. "Cheating makes the game less fun for the non-cheating players," he said, arguing vehemently. "If the game I'm working on now isn't fun, it isn't going to sell, and then the next one isn't going to get published, and I'm going to get laid off. Cheating is absolutely important." He has a point, and it's one I've heard echoed many times in the hallowed halls of GDC after-parties.

I'm going to agree up to a point. Yes, cheating is important for us to combat. It does make games less fun. Since the product that I'm employed to make is essentially just fun-in-a-box, that certainly impacts my real world. But I disagree that cheating and hacking are one in the same. That conflates the terms and confuses the issue. Hacking is in games just as it is in the rest of software: exploiting a program in order to obtain unauthorized access, and therein to commit crimes ranging from defacement to theft.

(Two notes, before I get flamed: 1) I'm talking about black hat "hacking," not infosec research or pen testing. 2) As stated in previous posts, I am Not A Hacker. I just make video games.)

I'd suggest that when we mean "cheating," we use the term "cheating." Making another WoWbot is interesting to Blizzard but is not groundbreaking infosec work and is not particularly interesting to the rest of the industry. It's certainly cheating, but it's not hacking. If you went phishing and caught a database full of Blizzard's customers' credit card numbers, now that would be interesting (whereby I mean "horrible in every possible way"), and the lessons learned from it would apply to the rest of us. That would be video game hacking. If you could reliably crash a Pirates of the Burning Sea server, that would be video game hacking. If you could get free games from Steam, that would be video game hacking. If you could get access to Bioware's bug database, that would be video game hacking.

The term "hacking" as it applies to the rest of the IT world ought to apply to games. I think it does us a disservice to have our own special definition. It makes it difficult to have an open industry dialog about serious security issues, such as credit card theft and breaches of our internal networks, when the airwaves are cluttered with chatter about shooting around corners.