Video games reveal software security issues, expert says
McGraw, chief technology officer at security consulting firm Cigital and author of Exploiting Online Games, talked with Forbes.com about how videogames model the future of software security issues.
Forbes.com: What is the big security threat in videogames?
Gary McGraw: Games are the world's biggest, most populous, most distributed systems. What we're talking about is a big giant glob of client software that every subscriber has [on his PC] that has a lot of the game functionality. If the gamer is a bad guy, you just gave them part of your functionality to screw around with.
This is what technical people call the problem of trust boundaries.
Forbes.com: What problem do these trust boundaries pose?
Gary McGraw: In this case, the gamer is the attacker and what they're doing is cheating in the virtual world to generate wealth that they can sell in a middle market. In "World of Warcraft," when you wander around … it turns out that the information about where your character is in the world is just X, Y and Z coordinates controlled by your PC. If you're a clever attacker you can actually change those numbers on your PC [to] teleport around the virtual world. That's just an example. Hacker boys discovered about four years ago that you could make money by cheating and the law is very ambiguous about whether it is actually illegal.
Forbes.com: How are games a harbinger of the future of software security?
Gary McGraw: We can look at what is happening in online games as a bellwether for the sorts of attacks that we're going to see in much more important software systems coming down the line.
We can study these games and play around and figure out how hackers cheat and how they do things like teleport around the world and generate virtual wealth, and we can learn really important lessons for the future of software security at the same time.
Forbes.com: Can you provide an example?
Gary McGraw: In a [Department of Defense] situation, the entire network is going to be a trusted network. It changes the threat model pretty significantly. Going after the control system for drones would be rather silly. What you would want to go after--to really cause havoc--would be back-end office systems, things that get the food to the guys in Iraq.
Forbes.com: Do games present a solution?
Gary McGraw: The vertical that is leading the charge is not games, it's the financial industry. If you look at investment banks, Wall Street, the credit card consortia--those guys have been very much concerned with designing systems to resist attacks from the ground up.
Forbes.com: So how do games link up with financial systems?
Gary McGraw: Their technology stack is the future here today. They're already doing massively distributed systems. As financial service systems become massively distributed systems, they're going to look more like games than they do today. The [financial industry] is ahead in their thinking about software security, but they're not at the technical edge of where the game companies are.
Forbes.com: How are game companies affected by people hacking into these systems?
Gary McGraw: There are some games where people actually stopped playing because cheating got so rampant. Everybody was cheating and pretty soon if you weren't cheating it wasn't fun. Cheating can also break the economy of a game.
Forbes.com: Will game companies adopt the financial service industry's security measures?
Gary McGraw: Yes, and in fact they are.
From a sociological perspective, you probably have to have some cheating in a game because there are a lot of people who want to play the game but they don't want to "live" the game. So you need some level of corruption and graft in the system to satisfy those people. The real question is, how much of that is necessary? Clearly if you look at the real world there is crime, corruption and graft and that keeps the skids greased. We could wipe out all crime, but the world would be a police state.
The real answer is not to eradicate all cheating and adopt all sorts of Draconian software security but to do just the right amount so that everybody is not cheating. It's a balance. Security will become a differentiator in the marketplace that it isn't now.