Computer security has always had a law enforcement aspect, but the law consistently lags behind the technical cutting edge. Recent advancements in software design and the advent of geographically distributed applications put the law even further behind than usual. The time has come to rethink computer security law in light of advances in software architecture.
Game's creators say hackers aid online cheating
Two Mt. Lebanon computer experts who have altered the balance of power in an imaginary world called Evony are now the subject of a lawsuit that could bring online empire-building to a federal courtroom.
New York City-based Evony LLC and Regan Mercantile, which created and ran the copyrighted game Evony, said in a complaint filed Tuesday that Philip and Jimmy Holland, of Xandium Studios, have corrupted their world using tip maps, programs called bots, and even an alternative universe that snatches players. Rather than being an imaginary world in which hard work, strategy -- and occasional payments to the world's creator -- are the keys to success, Evony now unwillingly hosts cheaters that can develop forts and towns with superhuman speed.
"Exploration of the Evony Game environment, gathering of resources, construction of buildings and expansion of power is a time consuming commitment for players," said the complaint filed in the Western District of U.S. District Court by Downtown attorney Eric G. Soller. "The gaming experience of legitimate Evony Game players is unfortunately compromised by cheaters and hackers who seek to exploit the Evony Game for their own illegitimate goals."
Evony claims 18 million players, who navigate a Medieval-type landscape, finding resources like gold, wood and stone, and building forts and towns. Its once-ubiquitous online ads, many featuring buxom maidens, cost $12 million since 2009, the complaint said.
Playing is free, but if you want quicker results, you pay.
Evony "was extremely popular for a time," peaking in mid-2009, according to George Vanous, president and CEO of TGN Game Communities Inc., which runs a gaming site at www.tgn.tv. "It hasn't maintained its popularity, but it's still one of the most successful games," with probably 1 million to 2 million active users, he said.
That may well be enough to make the game profitable, he said. And to those users, the game world is a community.
"A lot of people, once you get involved in the game, you make friends, you create alliances, you join up with other players to do something as a team," Mr. Vanous said.
Artifice in an artificial world, he said, can be deeply upsetting. Gamers get mad when automated "bots" perform actions that players are supposed to do manually, or when some players benefit from maps and other data mined by hackers from a game's servers. Game companies try to prevent such intrusions, and shut down the accounts of users who cheat, he said -- but suing alleged hackers is unusual.
Evony claims that Xandium Studios has created an alternative called "Evony Second Opinion" that copies their world. It said their intelligence gathering program "clogs" the Evony servers, slowing the game down. And it said Xandium charges $3 to $100 a month for its various Evony-related products.
Neither Xandium Studios nor Evony could be reached for comment.
The lawsuit said that Evony's creators have, for a year, tried to get Xandium and its website host to take down www.xandiumstudios.net. It was still up Wednesday, and it acknowledged Evony's latest demands, but noted that "Evony's not going to stop us."
Breaking the rules of a game, it added, "is not a violation of the law."
Exploiting Online Games Is Legal?
At the eCrime Researcher's Summit 2007, academics and law enforcement gathered in Pittsburgh to discuss spam, phishing, and massively distributed applications.
One interesting aspect of online games is the legal limbo they inhabit when it comes to security. Put simply, the state of computer law regarding cheating in online games is murky at best. Nobody is sure what is legal and, more importantly, what is not.
The problem is that it's possible to convert hacking skills into money by conjuring up virtual items in a game, either by exploiting a bug or by creating and using a bot. These exploits can then be sold in a burgeoning online market.
Malicious hackers have flocked to the online game domain because there is money to be made. Due to the sheer size of the middle market, the U.S. Secret Service acknowledges that online games such as Second Life and World of Warcraft have been used to launder money.
In addition, it is possible to cheat by manipulating the parts of a massively distributed online game that exist on your own PC. That is, the game client program on a gamer's PC interacts with the central game servers over the Internet, and cheating can be accomplished without any network security shenanigans by focusing attacks on the client software.
By attaching a debugger to the game program on the PC, or by manipulating the game program by poking memory values directly on the PC, a gamer can cheat... on his or her own PC.
Think about the old game hacking chestnut that involved editing a high score file on your PC to make your Tetris score seemingly untouchable. There's nothing illegal about that! The question is where to draw the legal line when it comes to manipulating things on your own PC. If parts of a massively distributed online game reside on a PC, can you change them? What's at stake is virtual property – and lots of money. The whole notion of virtual property rights in online games is a tricky one. Games such as Ultima Online, Second Life, and World of Warcraft have their own virtual economies that involve licensing and developing virtual property. Middle market companies like IGE can convert virtual wealth into hard currency.
Property rights in Second Life have already led to interesting legal entanglements. Marc Bragg, a Pennsylvania lawyer, discovered and exploited a bug in the Second Life program allowing him to bid on virtual real estate that wasn't yet open for auction. By URL parameter tampering, Bragg became a virtual real estate baron. Linden Labs, the game company behind Second Life, took a dim view of this approach and canceled his account.
In a pending lawsuit, Bragg argues that Linden Labs unfairly confiscated $8,000 worth of his virtual land holdings by shutting down his account. But Linden Labs and some Second Life players counter that Bragg was hacking their systems. (Bragg made money by renting his virtual land to other Second Life players.) Who is right? To me, the law is not very clear.
When Linden Labs first started, they used to say that users owned property in Second Life. Now they say that users own licenses to the property, legally similar to software licenses in the real world. That's a subtle but important change in perspective – and it doesn't make the legal situation any clearer.
That brings us to the infamous End User License Agreement (EULA). The DMCA and the EULA are the two main legal weapons in the game companies' anti-cheating arsenal. However, EULAs have a spotty track record when it comes to the law. In many cases, EULA terms "agreed to" by software users have not held up in court.
Some people believe the idea of EULAs has not been appropriately tested in court, thus the EULAs can't be valid. This is a misunderstanding of contract law. The only way EULAs have been challenged successfully in the past is by objecting to the contract terms. In some cases, only certain terms are found objectionable. As a result, EULAs sometimes hold up in court – and sometimes don’t.
Ultimately, the state of the law and its application to online game security is unclear. Because of the amount of money involved in online games, this legal limbo is a bad situation.
The Law Must Evolve
If you believe, as I do, that online games are a harbinger of computer security attacks that may evolve along with SOA, software as a service, and Web 2.0 architectures, you can see the legal problem that we're creating for ourselves. (See Online Games to Cause Software Security Issues.)
The kinds of legal tangles we see today in online games are the same kinds of legal tangles we're likely to encounter in other domains. If a system includes critical functionality that runs on machines that belong to others (including potential attackers), it is not at all obvious how the law is to be applied or when. The law is once again in catch up mode when it comes to computer security.
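The trust problem described above, seen from the server's side, as an added example that is not code from the article or from any game it names: a bid handler that trusts a request parameter next to one that re-checks auction state on every request, and a build queue that keeps its own timers instead of accepting a client's claim that work is finished. The parcel table, build times, and all function and class names are assumptions made for illustration.

```python
import time  # only used for the default server clock

# Constructed sample data: the server's own record of parcels and build rules.
PARCELS = {
    101: {"status": "open", "min_bid": 50},
    102: {"status": "unlisted", "min_bid": 1},   # not yet open for auction
}
BUILD_SECONDS = {"farm": 60, "barracks": 300}    # hypothetical build times


def place_bid_trusting(params):
    """Weak: assumes the client only ever sends ids the UI showed it."""
    parcel = PARCELS[int(params["parcel_id"])]
    return int(params["amount"]) >= parcel["min_bid"]


def place_bid_checked(params):
    """Hardened: re-checks auction state on the server for every request."""
    try:
        parcel = PARCELS[int(params["parcel_id"])]
        amount = int(params["amount"])
    except (KeyError, ValueError, TypeError):
        return False                             # malformed or unknown id
    return parcel["status"] == "open" and amount >= parcel["min_bid"]


class BuildQueue:
    """Server keeps start times; a client 'done' message is only a request."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.started = {}                        # (player, building) -> start

    def start(self, player, building):
        if building not in BUILD_SECONDS:
            return False
        self.started[(player, building)] = self.clock()
        return True

    def claim_complete(self, player, building):
        begun = self.started.get((player, building))
        if begun is None:
            return False                         # never started on the server
        if self.clock() - begun < BUILD_SECONDS[building]:
            return False                         # faster than the rules allow
        del self.started[(player, building)]
        return True
```

Nothing the client holds in memory or sends in a URL enters either decision except as a request to be checked, so editing client-side values changes only what the client displays.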
Credits: DarkReading, Post Gazette