PROTECTING GAMES: A SECURITY HANDBOOK FOR GAME DEVELOPERS AND PUBLISHERS
STEVEN B. DAVIS
Charles River Media
A part of Course Technology, Cengage Learning
Australia, Brazil, Japan, Korea, Mexico, Singapore, Spain, United Kingdom, United States
PROTECTING GAMES: A SECURITY HANDBOOK FOR GAME DEVELOPERS AND PUBLISHERS
STEVEN B. DAVIS

Publisher and General Manager, Course Technology PTR: Stacy L. Hiquet
Associate Director of Marketing: Sarah Panella
Manager of Editorial Services: Heather Talbot
Marketing Manager: Jordan Casey
Senior Acquisitions Editor: Emi Smith
Project/Copy Editor: Kezia Endsley
PTR Editorial Services Coordinator: Jen Blaney
Interior Layout: Shawn Morningstar
Cover Designer: Mike Tanamachi
Indexer: Valerie Haynes Perry
Proofreader: Ruth Saavedra

The information contained in this publication is not intended to convey or constitute legal advice on any subject matter. Readers should not rely on the information presented in this publication for any purpose without seeking the legal advice on the specific facts and circumstances at issue from a licensed attorney. Readers should not consider the information presented in this publication to be an invitation for an attorney-client relationship, and providing the information in this publication is not intended to create an attorney-client relationship between you and any author or contributor to this publication. The information in this publication contains general information that is intended, but cannot be guaranteed, to be always up-to-date, complete and accurate. Any representation or warranty that might be otherwise implied is expressly disclaimed. The authors and contributors expressly disclaim all liability or responsibility in respect to actions taken or not taken based on any or all of the information contained in this publication.

© 2008 IT GlobalSecure, Inc.

ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced, transmitted, stored, or used in any form or by any means graphic, electronic, or mechanical, including but not limited to photocopying, recording, scanning, digitizing, taping, Web distribution, information networks, or information storage and retrieval systems, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the publisher.

For product information and technology assistance, contact us at Cengage Learning Customer and Sales Support, 1-800-354-9706
For permission to use material from this text or product, submit all requests online at cengage.com/permissions
Further permissions questions can be emailed to permissionrequest@cengage.com

Material in this book may include discussion regarding issues reported in the public media and public legal system regarding services, products, and other material that may be subject to laws granting copyright protection. These issues are discussed for illustrative purposes only and the facts presented are limited to that purpose. Those wishing to seek further information about any illustrative point discussed are encouraged to engage further research.

All trademarks are the property of their respective owners.

Library of Congress Control Number: 2008932480
ISBN-13: 978-1-58450-670-6
ISBN-10: 1-58450-670-9
eISBN-10: 1-58450-687-3

Course Technology, a part of Cengage Learning
20 Channel Center Street
Boston, MA 02210
USA

Cengage Learning is a leading provider of customized learning solutions with office locations around the globe, including Singapore, the United Kingdom, Australia, Mexico, Brazil, and Japan. Locate your local office at: international.cengage.com/region
Cengage Learning products are represented in Canada by Nelson Education, Ltd.
For your lifelong learning solutions, visit courseptr.com
Visit our corporate website at cengage.com

Printed in the United States of America
1 2 3 4 5 6 7 12 11 10 09
For my parents, sisters, family, friends, teachers, and colleagues.
Thank you for your patience.
Acknowledgments
First, I would like to thank Emi Smith, Kezia Endsley, and the team at Cengage
Learning for taking the chance to publish a book on game security.
Thank you to my readers at PlayNoEvil.com who, through their interest and
engagement, have sustained me through the past several years.
Thank you to Cheryl Campbell, my great friend and business partner for over
10 years at IT GlobalSecure and also my tireless editor.
A special thank you to Joseph Price and Marcus Eikenberry, for their
contributions to this book.
Thank you to Adam Martin, Pierre Laliberte, Alexandre Major, Marc-André
Hamelin, and the other industry professionals who provided invaluable editorial
input to the book.
Thank you to Richard Davis and Eleanor Lewis for their editorial help.
Thank you to my teachers, mentors, friends, and colleagues at the National
Security Agency (especially my coworkers in R56, V6, and C7) who instilled in me
a passion for the security field and an appreciation for how security “fits” in to the
rest of the world. Specifically, Mark U., Brian S., Tim W., Bill M., Cecil S., Sid G.,
Tanina G., Bill U., Nancy G., Jim A., Ed G., Ed D., Robert W., Bob D., and many
others.
Finally, thank you to the game industry and gaming industry professionals who
have welcomed a strange “security guy” into their midst.
Although many people have contributed, the final responsibility for the form,
style, content, and everything else related to this work is ultimately mine.
About the Author
Steven Davis has over 22 years of IT and IT security expertise and has focused on
the security issues of the gaming industry for more than a decade. He advises game
companies, governments, and regulators around the world. Mr. Davis has written
numerous papers and speaks at conferences on all aspects of game security. He is
the author of the game security and industry blog, PlayNoEvil
(http://www.playnoevil.com/).
Mr. Davis has international patents on game security and IT security
techniques, most notably the anti-cheating protocols that underlie the SecurePlay
(http://www.secureplay.com) anti-cheating library. He has designed several games,
including DiceHoldem (http://www.diceholdem.com), and acts as a design
consultant.
He is the CEO of IT GlobalSecure (http://www.itglobalsecure.com), which
develops game security products and provides game security, IT security, and game
design and evaluation services. Mr. Davis’ experience includes security leadership
positions at the U.S. National Security Agency (NSA), CSC, Bell Atlantic (now
Verizon), and SAIC. He has extensive cryptographic and key management design
experience, including work on Nuclear Command and Control systems, the
Electronic Key Management System, and numerous other commercial and
government projects. Mr. Davis has a BA in Mathematics from UC Berkeley and a
Masters Degree in Security Policy Studies from George Washington University.
About the Contributors
Joseph Price is an Associate in the Antitrust and Telecommunications practice
groups at Kelley Drye & Warren LLP, with a track record of successfully
representing companies in strategic mergers and acquisitions, and is especially adept at
working with companies to structure transactions and achieve business goals with
competition and antitrust issues.
With a particular expertise on counseling companies in regulated industries, Mr.
Price has helped clients protect interests threatened by consolidation in the
communications industry. He has obtained FTC and DOJ Antitrust Division clearance
on numerous transactions, and provides Hart-Scott-Rodino Premerger Notification
counseling, preparation, and filing on behalf of many clients, including
technology-related entities, equity funds, investment funds, and targets of investments.
Mr. Price represents clients in public and nonpublic DOJ and FTC investigations
and has served as counsel in public and nonpublic FBI, FCC, and State Attorneys
General investigations and enforcement matters, including formal and informal
administrative complaint proceedings.
Mr. Price also provides a full range of legal services for clients that provide
technology and broadband services. He works to help clients achieve business goals,
whether they involve access to cutting-edge technologies, growth of market share,
product development, or expansion of distribution channels.
Mr. Price speaks and writes frequently on antitrust, technology, media,
telecommunications, and network security subjects, including the Communications
Assistance for Law Enforcement Act (CALEA). His analyses have been quoted in a
variety of publications, including Wired, BoardWatch, and Light Reading.
Previously, Mr. Price served as a law clerk to Judge Edwin H. Stern of the New
Jersey Appellate Division. While earning his J.D. at Catholic University, he served
as Editor-in-Chief of the law journal, CommLaw Conspectus: Journal of Communications
Law and Policy, and received an advanced certificate from the Communications
Law Institute.
Marcus Eikenberry is a serial entrepreneur. He makes his living dealing in
intangible goods and services within online video games. His companies sell huge volumes
of game registration codes and game time codes as well as providing anti-fraud
solutions for other sellers within these online gaming markets.
Back in 1990 when the Internet was just for universities and the government,
Mr. Eikenberry was doing computer hardware sales to the public. Fraud was very
rare and not something that needed much attention.
In 1993 when Mosaic hit the public, he attempted to start doing business on the
web. In 1994, he published computer hardware sales sheets and started doing mail
order sales. Because he didn’t like dealing with physical products, he looked for
other products to sell that did not require shipping. In December of 1997, he found
the perfect item to sell: intangible goods within online video games. Marcus is a
pioneer of sales of these intangible video game items and services.
Today, Mr. Eikenberry owns Markee Dragon Inc., which includes several
companies, including:
TrustWho (www.TrustWho.com)—Anti-fraud services providing transaction processing and payment verification for companies experiencing high fraud rates.
Markee Dragon (www.MarkeeDragon.com)—The largest site in the world for the buying, selling, and trading of online game accounts. It is estimated that over 2.5 million dollars worth of accounts and services trade hands in this site’s forums monthly without any charges to the members.
Shattered Crystal (www.ShatteredCrystal.com)—Where new game codes, upgrades, and game time have been sold to several hundred thousand satisfied customers since 2002.
Contents
Introduction
Part I The Protection Game
1 Game Security Overview
  What Is Game Security?
  References
2 Thinking Game Protection
  Independence
  Lazy, Cheap, or Stupid
  Threats, Vulnerabilities, and Risk
  Beyond Protect, Detect, React
  Asymmetric Warfare
  Process, Testing, Tools, and Techniques
  Second Grader Security
  References
Part II Piracy and Used Games
3 Overview of Piracy and Used Games
4 The State of Piracy and Anti-Piracy
  Determining the Scope of Piracy
  Trusted Brand Security: Nintendo and ADV
  Anti-Piracy Innovators: Nine Inch Nails and Disney
  Going Forward
  References
5 Distribution Piracy
  Preventing Duplication
  Detecting Duplication
  Collectables, Feelies, and Other Stuff
  Disk as Key
  License Keys
  Splitting and Key Storage
  Busted Pirate: Now What?
  References
6 DRM, Licensing, Policies, and Region Coding
  The Basics of DRM
  Why DRM Doesn’t Work
  Types of DRM Systems
  License Policy
  References
7 Console Piracy, Used Games, and Pricing
  Attacking Consoles
  The Used Games Market
  Pricing Pirates Out of Business
  References
8 Server Piracy
  Server Piracy Trends
  Authenticating the Server
  References
9 Other Strategies, Tactics, and Thoughts
  Measuring Piracy
  Fighting Pirate Networks
  Multi-Player Gaming
  Rich Interaction System
  Digital Affiliate System
  Playing with Secure Digital Distribution
  References
10 Anti-Piracy Bill of Rights
  Basic Fair Use Principles
  Registration Options
  Installation Options
  Connection Options
  References
11 The Piracy Tipping Point
  Determining the Goal of Anti-Piracy Policies
  References