P G : ROTECTING AMES A S H ECURITY ANDBOOK G D FOR AME EVELOPERS AND P UBLISHERS S B. D TEVEN AVIS Charles River Media A part of Course Technology, Cengage Learning Australia, Brazil, Japan, Korea, Mexico, Singapore, Spain, United Kingdom, United States PROTECTINGGAMES: A SECURITYHANDBOOK © 2008 IT GlobalSecure, Inc. FORGAMEDEVELOPERSANDPUBLISHERS STEVENB. DAVIS ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced, transmitted, Publisher and General Manager, stored, or used in any form or by any means graphic, electronic, or mechanical, including but not limited to Course Technology PTR:Stacy L. Hiquet photocopying, recording, scanning, digitizing, taping, Web distribution, information networks, or information storage Associate Director of Marketing:Sarah Panella and retrieval systems, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without Manager of Editorial Services:Heather Talbot the prior written permission of the publisher. Marketing Manager: Jordan Casey For product information and technology assistance, Senior Acquisitions Editor:Emi Smith contact us at Project/Copy Editor:Kezia Endsley Cengage Learning Customer and Sales Support, 1-800-354-9706 PTR Editorial Services Coordinator:Jen Blaney For permission to use material from this text or product, submit all requests online at Interior Layout:Shawn Morningstar cengage.com/permissions Cover Designer:Mike Tanamachi Further permissions questions can be emailed to [email protected] Indexer: Valerie Haynes Perry Proofreader:Ruth Saavedra Material in this book may include discussion regarding is- sues reported in the public media and public legal system re- The information contained in this publication is garding services, products, and other material that may be not intended to convey or constitute legal advice subject to laws granting copyright protection. These issues on any subject matter. Readers should not rely on are discussed for illustrative purposes only and the facts pre- the information presented in this publication for sented are limited to that purpose. Those wishing to seek any purpose without seeking the legal advice on further information about any illustrative point discussed the specific facts and circumstances at issue from a are encouraged to engage further research. licensed attorney. Readers should not consider All trademarks are the property of their respective owners. the information presented in this publication to be an invitation for an attorney-client relationship, Library of Congress Control Number: 2008932480 and providing the information in this publication is ISBN-13: 978-1-58450-670-6 not intended to create an attorney-client relation- ISBN-10: 1-58450-670-9 ship between you and any author or contributor to eISBN-10: 1-58450-687-3 this publication. The information in this publica- tion contains general information that is intended, Course Technology, a part of Cengage Learning but cannot be guaranteed, to be always up-to-date, 20 Channel Center Street Boston, MA 02210 complete and accurate. Any representation or war- USA ranty that might be otherwise implied is expressly disclaimed. The authors and contributors expressly Cengage Learning is a leading provider of customized learning solutions with office locations around the globe, disclaim all liability or responsibility in respect to including Singapore, the United Kingdom, Australia, actions taken or not taken based on any or all of Mexico, Brazil, and Japan. Locate your local office at: the information contained in this publication. international.cengage.com/region Cengage Learning products are represented in Canada by Nelson Education, Ltd. Printed in the United States of America For your lifelong learning solutions, visit courseptr.com 1 2 3 4 5 6 7 12 11 10 09 Visit our corporate website at cengage.com For my parents, sisters, family, friends, teachers, and colleagues. Thank you for your patience. Acknowledgments First, I would like to thank Emi Smith, Kezia Endsley, and the team at Cengage Learning for taking the chance to publish a book on game security. Thank you to my readers at PlayNoEvil.com who, through their interest and engagement, have sustained me through the past several years. Thank you to Cheryl Campbell, my great friend and business partner for over 10 years at IT GlobalSecure and also my tireless editor. A special thank you to Joseph Price and Marcus Eikenberry, for their contri- butions to this book. Thank you to Adam Martin, Pierre Laliberte, Alexandre Major, Marc-André Hamelin, and the other industry professionals who provided invaluable editorial input to the book. Thank you to Richard Davis and Eleanor Lewis for their editorial help. Thank you to my teachers, mentors, friends, and colleagues at the National Security Agency (especially my coworkers in R56, V6, and C7) who instilled in me a passion for the security field and an appreciation for how security “fits” in to the rest of the world. Specifically, Mark U., Brian S., Tim W., Bill M., Cecil S., Sid G., Tanina G., Bill U., Nancy G., Jim A., Ed G., Ed D., Robert W., Bob D., and many others. Finally, thank you to the game industry and gaming industry professionals who have welcomed a strange “security guy” into their midst. Although many people have contributed, the final responsibility for the form, style, content, and everything else related to this work is ultimately mine. iv About the Author Steven Davishas over 22 years of IT and IT security expertise and has focused on the security issues of the gaming industry for more than a decade. He advises game companies, governments, and regulators around the world. Mr. Davis has written numerous papers and speaks at conferences on all aspects of game security. He is the author of the game security and industry blog, PlayNoEvil (http://www. playnoevil.com/). Mr. Davis has international patents on game security and IT security tech- niques, most notably the anti-cheating protocols that underlie the SecurePlay (http://www.secureplay.com) anti-cheating library. He has designed several games, including DiceHoldem (http://www.diceholdem.com), and acts as a design con- sultant. He is the CEO of IT GlobalSecure (http://www.itglobalsecure.com), which develops game security products and provides game security, IT security, and game design and evaluation services. Mr. Davis’ experience includes security leadership positions at the U.S. National Security Agency (NSA), CSC, Bell Atlantic (now Verizon), and SAIC. He has extensive cryptographic and key management design experience, including work on Nuclear Command and Control systems, the Electronic Key Management System, and numerous other commercial and government projects. Mr. Davis has a BA in Mathematics from UC Berkeley and a Masters Degree in Security Policy Studies from George Washington University. v About the Contributors Joseph Price is an Associate in the Antitrust and Telecommunications practice groups at Kelley Drye & Warren LLP, with a track record of successfully represent- ing companies in strategic mergers and acquisitions, and is especially adept at working with companies to structure transactions and achieve business goals with competition and antitrust issues. With a particular expertise on counseling companies in regulated industries, Mr. Price has helped clients protect interests threatened by consolidation in the com- munications industry. He has obtained FTC and DOJ Antitrust Division clearance on numerous transactions, and provides Hart-Scott-Rodino Premerger Notification counseling, preparation, and filing on behalf of many clients, including technology- related entities, equity funds, investment funds, and targets of investments. Mr. Price represents clients in public and nonpublic DOJ and FTC investigations and has served as counsel in public and nonpublic FBI, FCC, and State Attorneys General investigations and enforcement matters, including formal and informal administrative complaint proceedings. Mr. Price also provides a full range of legal services for clients that provide tech- nology and broadband services. He works to assist clients achieve business goals, whether they involve access to cutting-edge technologies, growth of market share, product development, or expansion of distribution channels. Mr. Price speaks and writes frequently on antitrust, technology, media, tele- communications, and network security subjects, including the Communications Assistance for Law Enforcement Act (CALEA). His analyses have been quoted in a variety of publications, including Wired,BoardWatch, and Light Reading. Previously, Mr. Price served as a law clerk to Judge Edwin H. Stern of the New Jersey Appellate Division. While earning his J.D. at Catholic University, he served as Editor-in-Chief of the law journal, CommLaw Conspectus: Journal of Communications Law and Policy, and received an advanced certificate from the Communications Law Institute. vi About the Contributors vii Marcus Eikenberryis a serial entrepreneur. He makes his living dealing in intangi- ble goods and services within online video games. His companies sell huge volumes of game registration codes and game time codes as well as providing anti-fraud solutions for other sellers within these online gaming markets. Back in 1990 when the Internet was just for universities and the government, Mr. Eikenberry was doing computer hardware sales to the public. Fraud was very rare and not something that needed much attention. In 1993 when Mosaic hit the public, he attempted to start doing business on the web. In 1994, he published computer hardware sales sheets and started doing mail order sales. Because he didn’t like dealing with physical products, he looked for other products to sell that did not require shipping. In December of 1997, he found the perfect item to sell: intangible goods within online video games. Marcus is a pioneer of sales of these intangible video game items and services. Today, Mr. Eikenberry owns Markee Dragon Inc., which includes several com- panies, including: TrustWho (www.TrustWho.com)—Anti-fraud services providing transaction processing and payment verification for companies experiencing high fraud rates. Markee Dragon (www.MarkeeDragon.com)—The largest site in the world for the buying, selling, and trading of online game accounts. It is estimated that over 2.5 million dollars worth of accounts and services trade hands in this site’s forums monthly without any charges to the members. Shattered Crystal (www.ShatteredCrystal.com)—Where new game codes, up- grades, and game time have been sold to several hundred thousand satisfied customers since 2002. Contents Introduction xv Part I The Protection Game 1 1 Game Security Overview 2 What Is Game Security? 3 References 5 2 Thinking Game Protection 6 Independence 7 Lazy, Cheap, or Stupid 8 Threats, Vulnerabilities, and Risk 12 Beyond Protect, Detect, React 13 Asymmetric Warfare 15 Process, Testing, Tools, and Techniques 17 Second Grader Security 19 References 20 Part II Piracy and Used Games 21 3 Overview of Piracy and Used Games 22 4 The State of Piracy and Anti-Piracy 23 Determining the Scope of Piracy 24 Trusted Brand Security: Nintendo and ADV 28 Anti-Piracy Innovators: Nine Inch Nails and Disney 29 Going Forward 30 References 31 5 Distribution Piracy 32 Preventing Duplication 32 Detecting Duplication 33 Collectables, Feelies, and Other Stuff 34 Disk as Key 34 License Keys 35 viii Contents ix Splitting and Key Storage 39 Busted Pirate: Now What? 42 References 43 6 DRM, Licensing, Policies, and Region Coding 44 The Basics of DRM 44 Why DRM Doesn’t Work 45 Types of DRM Systems 46 License Policy 51 References 54 7 Console Piracy, Used Games, and Pricing 55 Attacking Consoles 55 The Used Games Market 60 Pricing Pirates Out of Business 62 References 65 Server Piracy Trends 66 8 Server Piracy 66 Authenticating the Server 70 References 74 9 Other Strategies, Tactics, and Thoughts 75 Measuring Piracy 75 Fighting Pirate Networks 76 Multi-Player Gaming 79 Rich Interaction System 79 Digital Affiliate System 84 Playing with Secure Digital Distribution 87 References 91 10 Anti-Piracy Bill of Rights 92 Basic Fair Use Principles 93 Registration Options 94 Installation Options 95 Connection Options 95 References 96 11 The Piracy Tipping Point 97 Determining the Goal of Anti-Piracy Policies 97 References 99