PlayNoEvil Game Security News & Analysis

What does it take to protect kids online? Lane Merrifield, co-founder of Club Penguin, states in an interview with GamesIndustry.biz, that the company employs 100 real-time moderators and typically adds 500 to 1000 words to its filters a day (new slang) to support their population of 12 million users and 700,000 paying subscribers (at $5.95 per month or $57.95 per year - at time of their acquisition by Disney last summer - via VentureBeat and at 15 million registered users as of January 2008 via Kzero). SIDE NOTE - I guess the Price to Sales ratio was around 10.7 to 1(!).

So, if you have 24x7 monitoring, that means 5 real people per "live" moderator, so that is 20 live moderators at any given time.

Not too many people, actually.

Alas, no data on Average Concurrent Users, but the overall ration of 15 million total to 100 moderators is quite lean (say the active user ratio is 1 in 10, then the population is closer to 1.5 million to 100 or 1 moderator for 15,000 kids!... if one takes this down to 1 in 100, then there is 1 moderator per 1500 children which still is pretty low).

Club Penguin does have a restricted communications mode (see previous article) that only allows players to build phrases from a pre-screened vocabulary list, these players don't create any monitoring "load" except for physical griefing (which, hopefully, Club Penguin's game and interaction design precludes).

Or, conversely, each moderator is adding 5 to 10 words per day... amongst other tasks.

The article also notes that 2/3 of the total staff is moderators, so this would imply a total team size of 150?

Pretty lean. for $65 Million in revenues and $35 Million in profit (so, $30 Million in costs staff, space, servers, and such - projections for 2007 via TechCrunch).

Chris Taylor of Gas Powered Games was quoted at GDC as saying "PC gaming isn't dead. PC gaming — the old model — probably is. Secure PC gaming is the future — it's going to thrive and we've all got to get on that."

But, this week, EA announced rather draconian security for Mass Effect and Spore with server authentication required every 10 days via Sony's SecuROM product, according to Kotaku and others.

It is worth noting that Apple's success with iTunes is based as much on ease of use and reasonable prices as its FairPlay DRM system which has been regularly broken.

Maybe simply lowering prices would be better security. After all, the "Free to Play" business model online is drawing in more and more players to games by lowering the cost to play.

Look at all the debit cards available at supermarkets - impulse purchasing is powerful. If games cost what a paperback does, how many more would be sold?

If gaming is as "mass market" as everyone alleges it is, lower prices will make reaching that audience easier... and make piracy less appealing.

Also, if developers think this way, they can divide the game into a $10 (or $5 or $8) module sold at retail and then add downloadable content (DLC) as Guitar Hero and Rock Band have shown. Even better, this additional content would come with a direct customer relationship AND no revenue share with a retailer.

... ADDED GREEN GAMING BENEFIT - we could get rid of those stupid boxes that don't hold manuals anymore and just have nice little slip covers for disks.

Make games an impulse entertainment purchase, not an investment.

Turn up the Irony Meter to 11. After all, with all of the complaints in the US about gold farming, it takes the Chinese to stand up and do something about it.

Yep, police in China has arrested 2 men for running a World of Warcraft gold farming operation and charged them with "unfair revenue distribution" (CHINESE READER ALERT - what in the world is "unfair revenue distribution"?).

The two men ran the operation for 7 months and earned 1.4 Million RMB (just over US$200,000). They had 20 computers and 20 employees (no shifts, I guess) and were based in Chengdu's Shuangliu county. The men were targeting The9's China-based World of Warcraft operation... I'm not sure if this makes their revenue more impressive or not.

(Chengdu Evening News via Pacific Epoch)

Hacking on the Wii just got a lot worse with digital piracy of WiiWare games. Hackers have apparently demonstrated (see video below) the ability to use the existing "Twilight Hack", a Save Game hack, to launch Japanese WiiWare titles without paying for them. The attack looks particularly serious as it seems to access Wii functionality (not just Gamecube features) as had been demonstrated previously.



This could be a real threat to Nintendo as WiiWare is already shaping up to be a great tool to remonetize old games. Also, it could be a threat to Nintendo's efforts to reach out to independent developers.

The next step in this attack would be to spoof a full Wii game via the SD interface (or other port) using this hack or something similar.

If Nintendo or any of its partners start utilizing online features more seriously, this style of attack would likely be useful for abusing achievements and persistent play features (as has already been seen with Xbox Live).

The bane of the next-gen consoles seems to be their "Save Game" systems.

What is unfortunate is that these types of problems CAN BE ADDRESSED via intelligent use of cryptography. Interestingly, traditional digital signatures are not necessarily the right answer.

The question is whether the vulnerabilities are deeply ingrained in the platform or if they can be addressed via a firmware / OS upgrade. I suspect that the problem will be difficult to really clean out as it is highly likely that developers are not using the Save Game services uniformly.

The Wii does have an advantage over Sony's PSP (potentially) - while the PSP had security problems, it was not selling many games, but the Wii is selling games pretty well, especially if WiiWare is included (though I don't know if a WiiWare game can be used to push an OS upgrade).... unless a downgrader can be created, of course

(via Wiifanboy via Joystiq)

Its official. 2008 is the year to complain about PC piracy. TG Daily reports that Epic Software claimed their were 40 million attempts to authenticate invalid license keys for Unreal Tournament 3 (via videogaming247). CORRECTION - Apparently, Mark Rein did not claim 40 million attempts, but simply "lots". (via Videogaming247)

This is an odd proof of piracy. Instead, it would seem to imply the effectiveness of Epic's anti-piracy technology. After all, these guys were all detected.

What would be interesting (but, sadly, unlikely to ever be disclosed) is how many license keys WERE validated compared to how many PC games sold.

That would be a better measure of the failure of the anti-piracy system.

OR, if there was a known attack that allowed pirates to bypass the license validation system.

So, the only metric given, detected invalid license keys, is the worst metric for modeling piracy.

The TG Daily article focuses on Crytek's Crysis which is apparently suffering widespread piracy as well (see interview at PC Play). The Crytek's CEO, Cevat Yerli, argues that a console version of the game would sell 4-5 times as many copies (the game has apparently sold around 1 million copies according to Next Generation). But is abandoning its PC exclusive strategy.

The numbers here puzzle me.

Let's assume a console title can sell 4 to 5 times as many copies as a PC one.

How much more does a developer actually take home?

And, how much more does it cost?

And, what if the game doesn't do so well?

The fixed development costs for a PC game are definitely lower. Cheaper tools, more plentiful programmers, no "dev kits", no royalties to the platform manufacturer.

The break-even cost for the game is much lower. It has to be.

Also, of course, console games get pirated. Fairly routinely. And console games don't have a license key that allows you to detect fake copies... so, unlike a PC, you don't know how many sales you are losing.

Oh, and, to complete the week, EA has claimed they aren't releasing Madden for the PC because of... you guessed it, piracy (via Kotaku)

Needless to say, the PC is doing pretty well for companies that build for it. After all, there is that little game, World of Warcraft... much less Diablo which is still selling years later, Valve seems to be doing just fine with its PC focus, Stardock isn't complaining, and, of course, there are all those Korean and Chinese online games...

notice a common thread.

Yep, a strong, centralized online strategy for PC games.

Adding to the fun, the way consoles work online means that they are more vulnerable to piracy than PCs.

Winning money. There's no bigger draw in gaming.

Gambling. Big money, but lots and lots of regulation and, in many cases and places, prohibition.

Except.

When its not. If you don't pay, its a promotion or contest or sweepstakes. When there's no chance involved, its a skill game (usually). But, what if you want to have people pay and play and have a chance to win? You'd think you'd be stuck with all the rules and regulations and restrictions of a real casino.

God bless Bingo.

Ummm, literally, I guess.

The long tradition of church Bingo Nights and charitable gaming gives a way to gamble without "gambling". While the laws and regulations vary widely, this form of gaming for money is legal in many jurisdictions.

So, of course, why not take charitable gaming online?

Georgia's March of Dimes is doing just that in partnership with Game for Charity / Rezilio (see Press Release). They are running an online tournament where players pay to play with prizes provided by Delta Air Lines.

LAWYER QUESTION - Any opinion on whether players can legally participate in this from any US state?

What do you want from child protection online? If you are a parent, you want your child safe (obviously). If you are a business, you want some sort of liability protection...

What you don't want is a "money back" guarantee.

Woogi World announced that they are going to add the eGuardian service, according to Virtual World News (and elsewhere).

If I am going to look at a "child protection" or age certification service for my online game, I want liability protection. An assertion that the identity provider will accept the liability risks in case of a problem.

eGuardian's guarantee seems to be that I'll get my $29 lifetime enrollment cost back.

I'm sure that will be a comfort to a parent whose child is abused or stalked or whatever... a problem that seems to be vastly overstated, by the way.

My grumpy and cynical view of this deal is that it is basically a revenue share between eGuardian and Woogi World... Woogi World will get a percentage of the $29 for enrolling kids and that no one is ultimately terribly concerned about protecting kids. Basically, enrolling in eGuardian becomes a one-time subscription fee for Woogi World (I don't know the rest of their business model).

Too Grumpy? Too Cynical?

Oh, I did swing by Woogi World and was hard pressed to find anything about COPPA compliance, just a general "safe harbor" statement... and its privacy policy (there is a link at the bottom of the main page, but it is not the most comforting approach). The sites says they won't do any "direct" advertising for third parties (which is good) BUT... I guess direct marketing is OK.

In fact, since they are getting parents information and not the child's, Woogi World may be free to market away to the parents!