
3.16.2008

How to rescue orcs and spaceships

Hello, my name is Scott, and I'm a gamer. Sometimes it keeps me up way too late at night, but I care about my pretend space ships and the billions of Interstellar Kredits I've earned with them, and I'd be pissed if something happened to them.

A bit nerdy I realize, even for an information security blog, but it's true. There's no way to deny it, I do enjoy my online games. The fact is, though, I'm far from alone. Millions of people have been getting into one of the many massive multiplayer online games, from World of Warcraft to Second Life, from Lord of the Rings to EVE Online. Millions of people have invested incredible (some would probably say insane) numbers of hours in their wizards, pod pilots, hobbits, and a variety of other characters, constituting a huge investment of both time and money ($15 a month adds up). This has become my motivation as I decided to get my GIAC Certified Incident Handler Gold certification as the focus of my practical.

I've been fascinated by the numerous security exploits in various online games. From EVE Online's database hack to Charlie Miller & Dino Dai Zovi's Second Life exploit, it's interesting to see the unique factors that go into handling attacks in multiplayer online games. On one hand it's very much like a real economy, characters have assets, experience, money of some kind, and yet it's very much different (you can't exactly roll back a week of financial transactions in the real world).

As a result I've chosen to make my practical for getting my GCIH Gold certificate a study on Incident Handling in online games focused on case studies of actual handling by various game operations teams. Here's my abstract:


While generalized incident handling practices are essential to any system or network, they do not always meet the needs of specialized systems. These systems have needs that go above and beyond the usual, and must be handled with unique attention to specific hosts, their functions, interactions, and overall system architecture. However, in these specialized systems with similar functions there may be a way to generalize even the specialized requirements.

As massive multiplayer online gaming (MMORPG) continues to grow, through games like World of Warcraft, Second Life, and EVE Online, the amount of money being funneled into them grows as well. Where the money goes so do the criminals, and as such online games are increasingly coming to light as targets for malicious attackers. Whether attacking for financial gain or to simply gain the upper hand in gameplay, more and more vulnerabilities are being discovered and exploited in online games.

MMORPGs are unique environments; worlds with their own economies and populations, players with their own experiences and assets, all of which are unique and important to the users who have invested hours upon hours into their virtual personas. This combination and complexity leads to vibrant and unique environments that make these games interesting to play, but also creates nightmare tradeoffs that an incident handler must respond to in the event of a compromise.

This leads to a need for unique handling of incidents and thus a unique set of processes to be followed. This does not supersede the generalized handling guidelines, nor could it be completely comprehensive, but there can be generalized incident handling guidelines for online games, a superset of generalized incident handling guidelines, such as those taught in the SANS 504 course.

To this end I would like to research and develop such a set of specialized handling guidelines, based on the proven general handling techniques from SANS, for consideration of incident handlers working on massive multiplayer online games. These will focus on the unique challenges and options available to handlers in online games, and will be based in large part from case studies of how such incidents have already been handled in current online games. Additionally it will include a survey of major online games, trying to gain as much insight as possible into how they currently structure their handling, in order to add as much real world experience into this effort as possible.

Even though it results in writing a paper and being uber-whitehat I'm kind of excited about writing this paper. Looking at attacking/defending online games is just beginning to get attention. That is somewhat surprising in itself since the online gaming industry is already doing billions in dollars yearly and continues growing. Nothing is quite as much fun as breaking new ground.

So now for you, my readers, I have a request: What are your thoughts and insights on my abstract for my paper and on the topic in general? I'm very eager to hear what you have to say. Feel free to leave comments, send email (scott.roberts[at]vulnerableminds[dot]com), send a carrier pigeon, I'm interested to hear what you have to say.

7.06.2007

iPh0n3: And so it begins...

From TUAW:

"iPhone enthusiasts over at the #iphone-talk and #iphone-mac channels on irc.osx86.hu have developed iPhoneInterface, a new Windows and Mac tool that allows you to manipulate the iPhone's state, launch services, and interact with the iPhone filesystem. With it, you'll be able to scan the iPhone file structure, create and remove folders, start iPhone services, and more."

I don't think anyone is really surprised that this happened. I know many people who believe that Apple actually encourages this type of behavior, evidenced by the ease of cracking into the AppleTV and the numerous enhancements that followed. I don't know if I quite fall into that camp, but I do think it's inevitable that any closed system that gains interest from so many technically inclined people will not stay closed for long. I don't know if that's really a statement about security, or just common sense.

Protection/hackability philosophy aside, I'm excited to see where this goes as I get ready to throw down my own $600 to Apple/AT&T. Take the already impressive iPhone, throw in a healthy helping of the great features you get in regular OS X, and add in some of the features found in other high end phones, and you really have a be-all device. Truth be told I'd actually be reluctant to use such hacks on my main phone, but my real hope is that this kind of thing encourages Apple to open up the iPhone, add the features people have been asking for, and make it a lil hacking pad that I can also get email and make calls on.

That being said I think SSH and the ability to browse the filesystem are a must, but how about a Python interpreter or something? Flash maybe? A Safari view source option? TextMate for iPhone? Are you listening Apple? I want to be able to play next year's CTF qualifier on the Metro.

2.06.2007

I Dvorak

The grand experiment has begun. After Steve's wonderful diatribe on his good experience with Dvorak, reading the Dvorak zine (comic book style), and after hearing the same for months from al3x, I've jumped in and taken the Dvorak plunge. Friday afternoon, sitting around Murky, I pulled out my trusty little pocket knife/bottle opener and proceeded to painstakingly scrape all the relevant letters off my iBook's keyboard.

Now I don't do well with tedious things, but taking the time to scrape each little letter off all those keys was good preparation for my first few minutes of typing. I'm not going to pretend it wasn't frustrating, because it is. Everything you've been taught, everything you've trained on, all different.

Slowly though things got better. I visited the Dvorak zine website and found a lot of great resources that helped me through the initial stages. First I popped onto their Downloads page and downloaded the Dvorak wallpaper, which makes for a very handy reference, especially when combined with Expose.

Now it's two weeks later.....

I'm an undisciplined slob. The wallpaper is still up, my keys are letterless, but I'm still typing QWERTY. This weekend I take another crack, hopefully getting in the practice I wasn't able to get in last time. I still need to be functional at work. Hopefully my practice this weekend will help, but with so much to do it's not really the best time to start typing like a dyslexic 3rd grader. Maybe there never is a good time though.

Any tips from anyone?

1.17.2007

All the fun of Defcon in the palm of your hand!

No, I don't mean a bottle of tequila and an iPod Shuffle filled with the DC13&14 podcasts you can find on iTunes. Nor do I mean holding hands with a stripper or carrying a roll of poker chips.

I mean Dave Aitel's latest creation, Silica. Meant to be a pen tester's favorite toy, it's basically a Palm Pilot running Canvas, Aitel's Python-based pentesting suite, over a Debian Linux core. Add some bonus wireless trickery, automation, and pretty graphics and you have an interesting little toy.

I'm not really sure what else to say besides the fact that this is an interesting idea. I'd like to believe it's a fairly useful and full featured system, but I'll reserve my judgement until I get hands on with one. Pity I won't be out at the RSA Conference to see it. I even got invited to the InfoSec Blogger meet up.

11.21.2006

Chumby's for All!

Mostly:



If you haven't looked at the Chumby project it's really worth a look. Basically a bunch of Linux hackers (hackers will be used in the old Unix style, not the media given definition) decided the alarm clock needed to evolve, came up with some hardware, made it hackable, came up with some software, made it hackable, and are preparing to release it this spring.

I for one am stoked.