Wednesday, March 26, 2008

Selling Security to Game Devs

I'm told that Bruce Schneier's blog is required reading in the security field. The latest rumblings to come from his direction are on a subject I've read about multiple times - and I'm not in security, so I imagine I see only the tip of the iceberg. Nevertheless:
"Security requires a particular mindset. Security professionals -- at least the good ones -- see the world differently." ... "I've often speculated about how much of this is innate, and how much is teachable. In general, I think it's a particular way of looking at the world, and that it's far easier to teach someone domain expertise -- cryptography or software security or safecracking or document forgery -- than it is to teach someone a security mindset."
http://www.schneier.com/blog/archives/2008/03/the_security_mi.html
Debate rages in comments, of course. It's one of the founding Laws of the Internet (right up there with horses having right-of-way over dump trucks) that making an unequivocal statement of one's opinion is grounds for an immediate flame war. So I'm going to make an unequivocal statement:

It is not difficult to teach someone a security mindset. What is difficult is selling them on the idea that the security mindset is a desirable one.

Law school, business school, boot camp, police academy, even some undergrad programs are all designed to take a generalist human being, re-shape their mindset, and turn them into a tool with a specific purpose. When done for academic or career training purposes, we call it "school"; when done for nefarious purposes, we call it "brainwashing." It doesn't happen overnight - those programs range from months to years - but it does happen reliably and systematically. Mindsets are changed every day.

Unfortunately, it's a lot easier to sell law school than it is to sell security training. Most people can readily understand how the legal mindset will be helpful to them, their careers, and their businesses. Very few people in the world understand why it would be valuable or desirable to, upon encountering a new system, automatically think of ways to exploit it. That pings most people's morality meters as bad.

You have to sell them on the idea that it's good.

I would argue that the infosec community's difficulty in getting more of the world to have "a security mindset" is a failure not of their product but of their marketing.

I write this blog specifically because I do not know how to market "the security mindset" to the video game industry. I'll admit that I've had an easier time of it than most. It's my job to point out flaws, both in our software and in our business process. Having a security mindset in my job is immediately recognizable as good - or at least as not evil. (I do keep my mouth shut about mailing people tubes full of live ants.) But I'm having trouble convincing them that it's not merely good for one person to have by happy accident, but necessary for the entire company to understand and prioritize. In short, I have a marketing problem.

Successful marketing requires a number of factors:
  1. a perceived need in the marketplace
  2. a product or service that meets the perceived need
  3. understanding of the people or businesses who have that need
  4. communication that physically and psychologically reaches these people or businesses
What we're missing is the first and most crucial element, #1: perceived need.

Some needs are obvious and exist even in the absence of a product (clean water, clothing, a cure for AIDS.) Some products create a need for that product once the customer is exposed to it (post-it notes, iPhones, crack cocaine.) Some products are basically unnecessary to anyone, yet brilliant marketers created a perception of need (Oreos, designer handbags, Beanie Babies.) You can create this perception for just about anything, though it's not easy, even when the value of the product seems obvious. Creating a perceived need for the Internet took a couple of decades.

At the moment in the games industry, there is no perceived need for the security mindset. There is a recognized need for some level of security; CEOs do understand that they need to be PCI compliant and programmers do know that it's bad when their game software is pirated. But, as I've mentioned in previous posts, there exists a fundamental naivety in most game companies I'm familiar with. "No one wants to hurt us; we just make video games" is, in marketing speak, a lack of perceived need. Conflation of hacking with cheating reinforces this view. Looking at the world through rose-colored Glasses of Fun and Games reinforces this view.

So how does one market "the security mindset" to the games industry? To any industry?

Tuesday, March 18, 2008

The oldest debate: Cheating

Most discussions of video game hacks revolve around cheating. Map hacks, bots, dupes, rendering hacks, and a few species of bugs are what come to mind when one uses the phrase "video game hacking." (Greg Hoglund and Gary McGraw did an excellent job at dissecting this in "Exploiting Online Games", so I'm not going to elaborate here.) One of Gamasutra's first (of very few) articles on the subject is entitled: "How to Hurt the Hackers: The Scoop on Internet Cheating and How You Can Combat It" http://www.gamasutra.com/features/20000724/pritchard_pfv.htm.

Right in the title, it equates hacking with cheating.

I wonder how many companies in the world define hacking in such a way. Does Cisco make an effort to ensure that their routers can't be cheated to give other players unfair in-game advantage? I'm sure Citibank is very concerned with map hacks. (Gold farming, I'll grant.) Is cheating in-game mechanics such a big deal that the entirety of games-specific software security work ought to be focused on preventing it?

According to one of my colleagues, yes. "Cheating makes the game less fun for the non-cheating players," he said, arguing vehemently. "If the game I'm working on now isn't fun, it isn't going to sell, and then the next one isn't going to get published, and I'm going to get laid off. Cheating is absolutely important." He has a point, and it's one I've heard echoed many times in the hallowed halls of GDC after-parties.

I'm going to agree up to a point. Yes, cheating is important for us to combat. It does make games less fun. Since the product that I'm employed to make is essentially just fun-in-a-box, that certainly impacts my real world. But I disagree that cheating and hacking are one and the same. That conflates the terms and confuses the issue. Hacking is in games just as it is in the rest of software: exploiting a program in order to obtain unauthorized access, and therein to commit crimes ranging from defacement to theft.

(Two notes, before I get flamed: 1) I'm talking about black hat "hacking," not infosec research or pen testing. 2) As stated in previous posts, I am Not A Hacker. I just make video games.)

I'd suggest that when we mean "cheating," we use the term "cheating." Making another WoWbot is interesting to Blizzard but is not groundbreaking infosec work and is not particularly interesting to the rest of the industry. It's certainly cheating, but it's not hacking. If you went phishing and caught a database full of Blizzard's customers' credit card numbers, now that would be interesting (whereby I mean "horrible in every possible way"), and the lessons learned from it would apply to the rest of us. That would be video game hacking. If you could reliably crash a Pirates of the Burning Sea server, that would be video game hacking. If you could get free games from Steam, that would be video game hacking. If you could get access to Bioware's bug database, that would be video game hacking.

The term "hacking" as it applies to the rest of the IT world ought to apply to games. I think it does us a disservice to have our own special definition. It makes it difficult to have an open industry dialogue about serious security issues, such as credit card theft and breaches of our internal networks, when the airwaves are cluttered with chatter about shooting around corners.

Tuesday, March 11, 2008

Network vs. Application

I had an interesting conversation with a friend in the industry today. Redacted, it went something like this:

Me: "Maybe it'd be a good idea to auto-scan a game for vulnerabilities with each build during development."
Him: "We do a pretty good job of making sure our firewall is secure at my company, so I don't think that's necessary."

He's right. I'm right. And we're clearly talking about two very different subjects.

I've definitely noticed that awareness of (or paranoia about) security issues in my industry is decidedly skewed toward protecting the company network and away from analyzing the software we develop, to the point where the two get conflated. Since I'm not in the security field, I'm not sure if this is common across the IT board.

Do most software or SaaS developers have this odd bias? Do MMO developers or casual/web games developers have more sophistication in their security strategy? Is it just another version of the "we just make games, so no one wants to hurt us" mentality?

Thursday, March 6, 2008

Games for Stalkers

I just came across this article:

http://playnoevil.com/serendipity/index.php?/archives/1933-ADD-THIS-FEATURE-Giant-Interactives-Z-Online-hits-1.5-Million-Peak-Concurrent-Users-PCU-Thanks-to-Social-Networking-Feature.html#extended

Z-Online, from Giant Interactive, is amazingly popular in China. As of November of 2007, it was reaching 888,000 Peak Concurrent Users (PCU).

This year, they came up with a feature that brought them to 1.5 Million PCU... it's simple, brilliant, and every online game and social network should add it.
The new feature is called "Neighboring Friends" and it allows players to search for other players based on geographic location, according to Pacific Epoch.

My first thought was as a game developer: "Oh sweet! We could put that in and really add to the social networking component of the game! That's brilliant."

My second thought was as a security-conscious person, and was something along the lines of: sinking feeling, OhShitOhShit. Great. Let's let our entire playerbase see where that annoying 14-year-old griefer lives. Because that wouldn't get us sued for endangering children.

I notice that while wearing my game developer hat, I look at the world through rose-colored plastic-glitter sunglasses with little pink bows on the earpieces. When I put on my paranoid hat, suddenly the world is dark and menacing and filled with Evil. Since I would really prefer to live in a happy place, it's far more comfortable to wear the game developer hat.

This may start to explain why game developers are, as a group, far less hacker-conscious than one would expect.

Which raises the question: to what nefarious purposes is Giant Interactive's geocoding feature being put, and by whom? Does that endanger its players? And does GI have a responsibility to kill that feature, or at least actively monitor or gate it?
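The gating question in the last paragraph is one a defender can answer concretely. What follows is an added example, not Giant Interactive's or Z-Online's implementation: a "nearby players" lookup that is off by default, snaps every stored location to a coarse grid cell so exact coordinates are never kept or compared, refuses to answer for any cell with fewer than five opted-in adults, and caps how many lookups one account may run per day. The class and function names, the 0.5-degree grid, the threshold of five, the daily cap of twenty and the sample player population are all assumptions chosen for illustration.

```python
from __future__ import annotations

import math
from collections import defaultdict
from dataclasses import dataclass

# Constructed example of a privacy-gated "Neighboring Friends" search.
# All constants below are illustrative assumptions, not values from any real game.
GRID_DEGREES = 0.5          # coarse cell: roughly 55 km of latitude
MIN_CELL_POPULATION = 5     # never answer for a cell that would single people out
DAILY_QUERY_CAP = 20        # blunt limit on bulk enumeration of the player base
ADULT_AGE = 18              # minors are neither searchable nor allowed to search


@dataclass
class Player:
    name: str
    age: int
    lat: float
    lon: float
    opted_in: bool = False  # location sharing stays off unless the player enables it


def cell_for(lat: float, lon: float) -> tuple[int, int]:
    """Snap an exact coordinate to a coarse grid cell; only the cell is ever indexed."""
    return (math.floor(lat / GRID_DEGREES), math.floor(lon / GRID_DEGREES))


class NeighborDirectory:
    def __init__(self) -> None:
        self._cells: dict[tuple[int, int], set[str]] = defaultdict(set)
        self._players: dict[str, Player] = {}
        self._queries_today: dict[str, int] = defaultdict(int)

    def register(self, p: Player) -> None:
        """Store the player; index them by cell only if they are an opted-in adult."""
        self._players[p.name] = p
        if p.opted_in and p.age >= ADULT_AGE:
            self._cells[cell_for(p.lat, p.lon)].add(p.name)

    def neighbors(self, requester: str) -> list[str]:
        """Other opted-in adults in the requester's cell, or [] if any gate fails."""
        me = self._players.get(requester)
        # You may only search if you are yourself searchable (opted in and an adult).
        if me is None or not me.opted_in or me.age < ADULT_AGE:
            return []
        if self._queries_today[requester] >= DAILY_QUERY_CAP:
            return []
        self._queries_today[requester] += 1
        members = self._cells[cell_for(me.lat, me.lon)]
        # A sparsely populated cell would pinpoint individuals; stay silent instead.
        if len(members) < MIN_CELL_POPULATION:
            return []
        return sorted(n for n in members if n != requester)


def build_sample_directory() -> NeighborDirectory:
    """Constructed sample population: six opted-in adults sharing one cell, plus edge cases."""
    d = NeighborDirectory()
    for i in range(6):
        d.register(Player(f"adult{i}", 30, 47.60 + i * 0.01, -122.30, opted_in=True))
    d.register(Player("minor", 14, 47.61, -122.31, opted_in=True))     # never indexed, cannot search
    d.register(Player("private", 40, 47.62, -122.32, opted_in=False))  # never indexed
    d.register(Player("lonely0", 35, 40.70, -74.00, opted_in=True))    # cell holds only two members
    d.register(Player("lonely1", 36, 40.71, -74.01, opted_in=True))
    return d


if __name__ == "__main__":
    directory = build_sample_directory()
    print("adult0 sees:", directory.neighbors("adult0"))
    print("minor sees:", directory.neighbors("minor"))
    print("lonely0 sees:", directory.neighbors("lonely0"))
```

The point of the design is that each gate fails closed: a non-participant, a minor, a thin cell or an exhausted daily quota all yield the same empty answer, so a curious player cannot learn anything by probing for the difference. Storing only the coarse cell also bounds what a compromised directory leaks to "somewhere in this 55 km square" rather than a street address.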

Tuesday, March 4, 2008

Lessons Learned at the Expense of Others

I'm not a hacker, and I don't play one on TV. I just make video games.

That said, I find myself with one foot in each industry. I'm spending just as much time at hacker cons as at gamer cons. My days at work flip back and forth between "level 4 crashes on load" and "no, you cannot plug your USB drive into my GDC demo computer, you random freak."

From a game developer's perspective, most of the time at industry events when I bring up security concerns - possibilities ranging from piracy to unencrypted ecommerce transactions to keystroke loggers on employee computers - the attitude is, "It's a compliment! People care about our game!"

This is in fact the entirety of the industry attitude I see about game hacking in general. Which bothers me, in that there's real money being lost (not necessarily by current MMOs but in games that support microtransactions and certainly in online gambling or "games of skill"), and therefore real game companies closing and laying off real people who happen to be my friends. Or me.

It seems like what's on the very few gaming-related hacker blogs, or hacker-related gaming blogs, is .001% of what's actually going on. It frustrates me that there's no open dialogue about this in the game development world. I'm sure Blizzard has a good security team on staff (or I would if I were them), but they're not talking to the rest of us.

So how does the industry start learning from itself?