[MUD-Dev] Guest Voices #2: Griefing in Online Games

J C Lawrence claw at kanga.nu
Thu May 19 05:39:34 New Zealand Standard Time 2005

On Tue, 17 May 2005 12:42:20 -0400 
Paul Schwanz <pschwanz at bellsouth.net> wrote:
> J C Lawrence wrote:

>> PK crypto is a frequent suggestion for such problems but suffers from
>> two central problems:

>> There is significant reward for an inimical player to ensure that
>> their private keys are shared, and shared in a way which makes
>> accurate detection and handling exceedingly difficult/expensive.

> What if we were able to work something into the private key that gave
> the player a strong incentive not to share it?  Like, for instance,
> the credit card information against which the account is paid must be
> present along with the key in order for it to be usable?  Of course,
> this moves beyond simple PK crypto, but I'm just thinking out loud.

I think that binding directly against the credit card data isn't going
to work, and in fact, can't be allowed to work by those affected.  I
think that VISA and the other charge companies would have a fit over the
increased fraud risks, that service competitors would raise a personal
privacy/information stink, and that customers would absolutely hate the
idea of a) their credit card number being stored directly on their PCs
and thus in threat of exposure, or b) of having to constantly re-enter
it for verification instead.

Perhaps some of the other list members know this one, I don't, but what
would you estimate the percentage is of gaming systems that are used to
play our games that are also compromised, members of zombie networks,
etc etc etc?  I'd be quite unsurprised if it were well into double digit
percentages.  Last I checked (and it has been a while since I tracked
this area), the majority of zombie networks are not used for exploiting
extracted personal information, but instead for corporate blackmail (e.g.
pay us $XX,XXXX or we'll DoS you off the 'net) and other simple
hands-off long-distance criminality.  Simply, the value isn't there and
the builders of the zombie networks can't afford the home PC users they
exploit to get too heavily concerned about system security.  Should
popular systems, such as games, significantly increase the exposure of
credit card numbers and auth data on compromised PCs, I expect that
could change the value dynamics for the zombie networks.  It could
become sufficiently profitable to start exploiting financial data from
zombie systems.  A statistically spread low value tapping of credit card
data from zombies would be awfully hard for the credit card companies to
detect, and given how easily a market for such transactions might be
created, damned difficult to contain.  Self-defeating for the zombie
builders over the long term of course, but by that point the current
operators of the zombies will be long gone.  There are enough of them to
safely assume that the small and marginal corners of the zombie ecology
will be filled.

Now should the credit card companies get properly into the business of
identity services, something I know they are thinking about, this can
all change.  But that's some years out at best.

J C Lawrence                        They said, "You have a blue guitar,
---------(*)                        You do not play things as they are."
claw at kanga.nu                       The man replied, "Things as they are
http://www.kanga.nu/~claw/          Are changed upon the blue guitar."
