Over the past 7 or so years, I've been involved with a very interesting game. It doesn't follow a standard mmo standard, and the graphics are pretty dated. Because of this, few people get into it, and those that do usually stick with it. The community is especially rare... it's hard to define. To the point, I've been GMing on the last remaining english server, and I have fixed a number of exploits in the game. Many of which were revealed by friends and my own work (sql injection in the login server, etc)... but now we're seeing something new: outsiders finding new exploits, and abusing them. The encryption is notoriously strong and quite unique in many aspects, and I have made my best efforts to keep it changing, and difficult to reverse... but what good is this to people who can manipulate packets in memory, when they are in plaintext?

I've spent so much time in games on one side of the fence, balking at the other side, looking for the cracks in the wall so that I could make my way in, the world is so different on the other side. It's always easier to break down a wall than it is to build one. So what do people think about hacking from the other side? Defending against attacks rather than finding new holes to exploit?

Interesting.

Yea no matter what encryption you use, how cryptographically secure, how many hoops you put the packets through before they are sent, from client side you can always pick them off before they hit those routines.

And I think the best security people are probably very good hackers as well.
There is an obvious dichotomy at least for the network security/hacking world.

Sure either way is fun.
I think it would be pretty simple and complete for a developer to start from the ground up to have a very secure online game if they just follow some basic principles through out the design and development.

Old topic, and I haven't been around much (hey sirmabus ), but this is my field of study so i'll throw in my 2 cents.

I'm currently close to finishing my schooling geared towards network administration with a security emphasis. Granted for the most part I've been years ahead of the course before stepping foot in it, but that's another story.

What got me interested in security, and computers in general was a collection of documents called "The Anarchists Cookbook". Now the document itself is largely rubbish, and amounts to a lot of wasted hours. But their were a lot of stories and articles related to oldschool (well... 80-90s) hacking and phreaking. Along with "The Mentor's last words".

It inspired me, not because I wanted to be malicious, but because I saw how smart, and technologically artistic these guys were. I never toyed with malicious software, and playing games did get me into reverse engineering where I learned its far more fun to play games legitamatly (at least multi-player).

However through the years I've met many amazing people on the net, and read about countless others. Most devoted IT people can do malicious things, or at least carry a theoretical conversation, as has been my personal experience.

One guy I know was arrested for dispruting malicious tools and credit card fraud in australia. Another guy I know went and broke into the Aussie-confiscated server and toyed with em.
That guy has been a rampant botnet owner and spammer for years.

When I met both around 3-4 years ago I was teaching them BASIC computers & networking and engaging in security related discussions with them.

Recently I've been in LOVE with malware. For deeply obsessed programmers, we find the many things you can make a computer do to be awesome, so we are drawn together by eachothers artwork.

Seeing things malware tends to do... its art. I'm most envious (right now) of the complexity of self propagating botnets (check out the trendmicro artical on google search "koobface botnet").


Anyways i'll cut to the chase. Bank security has only gotten better over the years, yet people still find ways to rob banks. The reason being, that no matter how secure they are able to make it, there is always a way in.

There's a few things in security to keep mind of.
Confidentiality.
Integrity.
Availability.

When you increase one, the others fall.
Make it more confidential, and you limit the availability.
Make it more avaiable and you lower the confidential and integrity portions.


CIA triangle if you want ot google it.

The skill levels behind building defense and breaking are suprisingly different these days. Especially when we are talking about windows machines. Ok, so for sake of arguement we'll assume none of your problems are public, they are done by private hackers, who aren't simple script kiddies. You may be an expert in securing, but you'll find that finding a vulnerability is not at all as easy as the analogies go. It's not easier to break something then it is to fix it. Most of the time anyways. When an attacker is dealing with a target of which he does not have access to the source code, and limited access period, hes got to poke the living hell out of it, and find new ways to go about doing so. By the time he's studied it enough to find a vulnerability he probably knows just as much if not more (more likely more) about the vulnerable item then guy managing the machine. Even when your the guy patching the vulnerability, what do you typically do? Analyze any logs and happenings in place till you find the error then fix it.

After you find what is vulnerable and how it's being exploited you can dive into the code, check it out, and patch it into oblivion. The difference in skill between both sides of this fence is the amount of access to the "fence" when fixing or breaking it.

People tend to associate mechics with computer hacking, and it doesn't work that way. Take the fence for example, the designer knows more about it then someone who breaks the fence, and breaking a fence is easier then setting one up. So it could be said that he punk is less skilled then the builder. But you must consider when dealing with physical objects, that if both parties can see the fence, and how it's held together, then the logic behind the argument is flawed.

If perhaps the punk is instead a blind punk, he aims to tear down the fence, but he must feel over every inch, every nook and cranny not only finding it's bindings, but finding out how to undo them, and doing so. At the end of the destruction the blind punk knows about that particular fence more intimatly then the guy who built it with his two perfect eyes. And for the record, I don't know anyone blind who can build much of anything.


Anyway, you could physically set up all machines, and network connections between you and clients, and people would still find ways to exploit it.

Security and it's counterpart go hand in hand. If there is no Bad, there can be No Good, or perhaps Good will just be less good and being Good when he's not practiced in a while when someone Bad comes along.