Wednesday, January 16, 2008

Interview on the state of Interactive Security

Hat tip to Slashdot. While the interview focuses on World of Warcraft (WoW), I am sure Second Life (SL) has the same kinds of vulnerabilities to be exploited, only with real money involved from the beginning.

From a security perspective, the main thing to take away is a lesson about trust boundaries, state, and time. The larger these systems get, the more complicated the trust boundaries become: which machines, which pieces of client software, and which components are to be trusted, and which are not? The client PC sits on the wrong side of that boundary, since the player owns it and can read or modify anything running on it.

At this point in online game security history there are more things not to copy than to copy. For example, the idea of building a monitor for a game client that itself runs on the client PC is very silly and should not be copied: the monitor runs on the attacker's machine, so the attacker can patch it or feed it whatever it expects to see. Or, when setting up a cryptographic pipe, giving a copy of the symmetric key to your potential attacker (by shipping it inside the client) is dumb, because the attacker can then produce any "authentic" message the client could. Online games currently do both of those things.
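The two mistakes above, simulated in one constructed example. This is added illustration code, not code from the original post or from any game vendor; the shared key, the "memory image" standing in for client memory, the speed limit, and all function names are assumptions. The first half shows that a client-side monitor reporting under a client-held key proves nothing; the second half shows the server-authoritative alternative, where the server checks the effects of client input against rules it evaluates itself.

```python
"""Added example: client-resident monitor vs. server-authoritative checks.

Everything here is constructed for illustration (hypothetical key, memory
image, speed limit and function names); none of it is from the original post.
"""
import hashlib
import hmac

# Symmetric key shared by client and server. The client binary must contain
# it to talk to the server, so whoever owns the client PC owns the key too.
SHARED_KEY = b"constructed-key-shipped-inside-client-binary"

# Stand-in for the pristine client code image the monitor is meant to verify.
PRISTINE_IMAGE = b"game client code 1.0"
EXPECTED_DIGEST = hashlib.sha256(PRISTINE_IMAGE).hexdigest()


def build_report(image_digest, key=SHARED_KEY):
    """Monitor report as the client sends it: digest plus MAC under the shared key."""
    tag = hmac.new(key, image_digest.encode(), hashlib.sha256).hexdigest()
    return {"digest": image_digest, "mac": tag}


def honest_monitor(memory_image):
    """The monitor as designed: hashes whatever is actually in memory."""
    return build_report(hashlib.sha256(memory_image).hexdigest())


def patched_monitor(memory_image):
    """The attacker's patched monitor: ignores real memory and always reports
    the known-good digest. The MAC still verifies because the key lives in
    the client, i.e. on the attacker's machine."""
    return build_report(EXPECTED_DIGEST)


def server_accepts_report(report, key=SHARED_KEY):
    """Server-side check of a monitor report. The MAC only proves that
    *someone holding the key* built the report, not that the digest is true."""
    expected = hmac.new(key, report["digest"].encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, report["mac"])
            and report["digest"] == EXPECTED_DIGEST)


# Server-authoritative alternative: trust no client claim about its own
# integrity; instead validate every action against game rules the server
# evaluates itself. Here the rule is a maximum distance per tick.
MAX_DISTANCE_PER_TICK = 7.0  # constructed limit


def server_validate_move(state, claimed_pos):
    """Server keeps the authoritative position and rejects impossible moves.
    Returns (accepted, new_state); on rejection the state is unchanged."""
    x0, y0 = state["pos"]
    x1, y1 = claimed_pos
    dist = ((x1 - x0) ** 2 + (y1 - y0) ** 2) ** 0.5
    if dist > MAX_DISTANCE_PER_TICK:
        return False, state
    return True, {**state, "pos": claimed_pos}


if __name__ == "__main__":
    cheated_image = PRISTINE_IMAGE + b" + speedhack"
    # Honest monitor on a modified client: the server notices.
    print("honest monitor, modified client:",
          server_accepts_report(honest_monitor(cheated_image)))      # False
    # Patched monitor on the same modified client: the server is fooled.
    print("patched monitor, modified client:",
          server_accepts_report(patched_monitor(cheated_image)))     # True
    # Server-side rule check cannot be lied to; it only sees the claimed move.
    state = {"pos": (0.0, 0.0)}
    print("normal move:", server_validate_move(state, (3.0, 4.0))[0])    # True
    print("speedhack move:", server_validate_move(state, (30.0, 40.0))[0])  # False
```

The point of the second half is not that a distance check is sufficient anti-cheat, but that it lives entirely on the server side of the trust boundary: the client can send any input it likes, and nothing it says about itself is used as evidence.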

There are plenty of technology lessons that can be learned from online games, such as how to load balance in a massive client-server system, but not really any great security lessons.

