Don Kellogg is cheating. Over the last hour he's pumped round after round
into camouflage-clad terrorists, and only a few of them have been able to
return the favor. "I don't always cheat. I'm pretty good playing straight,"
he insists. "Cheating makes me a god." As he says this, he pumps three
rounds from his Heckler and Koch MP5 into an unsuspecting opponent, bringing
his kill count up to 47; his nearest competitor has 21. Kellogg plays under
the pseudonym "Nharlothep," and when he cheats, he is indeed a god.
Kellogg is playing Counter-Strike, the most popular game on the Internet.
With over 10,000 independently run servers around the world, the game has
set the standard for realistic online first person combat. But for those who
know how, cheating can make an ordinary Navy Seal into the Six Million
Dollar Man. With his illicit patches installed, Kellogg can move at faster
than normal speeds, shoot with near perfect aim, and see through walls.
And he's not alone. Cheating has become a front row issue in the online
world of counter-terrorist combat. There are now literally hundreds of
hacks for Counter-Strike, and every time a hole is closed, someone figures
out a new way to exploit the system. It's a serious problem for Valve
Software, makers of Counter-Strike, and the popular sci fi shoot-em-up
Half-Life. Valve spokesman Doug Lombardi says that the company "takes
cheating more seriously than piracy." Valve's not alone in their
struggle -- other popular games have had similar problems over the years,
including Everquest, Ultima Online and Diablo. Last year hackers exploited a
weakness in the Diablo II servers to loot other player's equipment and bonus
items -- worth real cash on eBay -- forcing developer Blizzard
Entertainment to restore the game from a backup copy.
It's into this war of hacking and counter-hacking that Microsoft's Xbox and
Sony's Playstation 2 will be thrust this fall, when their consoles join the
Internet for the first time.
FEARS OF AN XBOX ARMY. Microsoft integrated net connectivity into its Xbox right from the start.
The Xbox comes with a 10/100 base Ethernet port built-in, making it the
first gaming console ever to ship with a standard networking port. Sony will
release an add-on for its Playstation 2 in August that will include an
Ethernet port and a 56k modem. Nintendo has yet to officially announce its
networking plans for the Gamecube, but there are games slated for release on
the platform later this year which are designed for online play, most
notably Sega's Phantasy Star Online. It's rumored that Nintendo will release
a modem for its system this coming October, says Che Chou, editor at the
videogaming magazine Electronic Gaming Monthly.
But while the game makers have all discussed launch titles and strategies,
the topic of data security has mostly been left untouched. What happens when
10 million game console owners suddenly plug into the Internet?.
hellNbak, an IT security specialist from the white hat hacker group Nomad Mobile Research Centre worries
that massive numbers of Internet-connected Xboxes might be the perfect
platform for launching distributed denial of service (DDoS) attacks, if a
security hole is ever discovered in the console. "With the assumption that
the broadband gaming network is going to catch on like crazy -- if one was
able to get DDoS zombies on the millions of Xboxen sold, there might be
potential for massive damage," he says.
Console security holes are not unprecedented. When Sega released a modem and
broadband adapter for their Dreamcast console in 2000 a number of remotely
exploitable holes were discovered almost immediately, not the least of
which was a vulnerability to a "ping of death," a small, well crafted
packet that could crash the console, resulting in the loss of game progress
and the destruction of saved games, if timed properly.
"A remotely exploitable hole could lead to the stealing or deleting of
configuration files, ripped music, and saved games," says hellNbak, who
surmises that security holes could lead to headaches for gamers, and the
potential for some messy inter-gamer hacking wars in the ego-heavy
trash-talking game world.
Security is one of the reasons Microsoft is building its online service as a
closed, Microsoft-only system. The Xbox Live service will be a yearly-fee
based network through which players will find opponents, teams, updates, and
add-ons. According to a written statement from the company, "Microsoft
understands how important the online gaming experience is and have adopted
a managed approach with Xbox Live, ensuring that gamers don't encounter the
types of things that make PC online gaming a hassle."
Closing their service to outsiders increases the security of their system
overall and "prevents hackers from scaling beyond one machine," the company
claims. "Xbox Live has military grade security to ensure no cheaters, no
hackers, and no viruses."
SONY: OPEN DOOR POLICY.
"You cannot effectively secure a device that a potential attacker has
complete physical access to," counters hellNbak. And even Microsoft seems to
be hedging its bets, acknowledging that "no service is 100% hack-proof."
That's a lesson the company knows well. The Hong Kong based console
accessory company Lik Sang already
sells a copy protection defeating "mod chip" for the Xbox -- which allows
users handy with a soldering iron to play copied and imported games with
impunity, and even permits them to use the Xbox to play movies in the DivX
format popular with film pirates.
Sony declined to comment on their security plans for the Playstation 2, if
any. The company's strategy for Internet play is diametrically opposed to
Microsoft's closed-door system. Sony plans to allow game developers to use
their own services for player matching and game hosting. Connectivity beyond
the basic protocols is left up to developers.
That leaves much of the security in the hands of game developers. Chris
Mahnken, producer of Sierra's Tribes Aerial Assault, is building the popular
Starsiege Tribes series into a Playstation 2 online launch title. "Sierra is
using our existing PC game and player matching system for the PS2 titles,"
says Mahnken. "The system has proven to be both stable and secure, and we
don't see any reason for that trend to change." Mahnken says that the team
at Sierra has had to tweak server code to deal with cheaters from time to
time, but the majority of their code has remained solid and trusted.
Leaving the server interface software up to the individual designers creates
risks of its own, such as the possibility that spyware or backdoors may find
their way into game programs. In 1998 security researcher Mark Zielinski
found that server software for the first person shooter Quake II secretly
included a backdoor that potentially allowed a malefactor to gain remote
control of a running game. Of course, the danger of more serious backdoors
in console-based games is less threatening than on PCs -- nobody puts
corporate secrets and private e-mail on their game consoles.
Meanwhile, the Xbox seems to possess an almost magical allure for hackers
and tinkerers. In June, MIT Ph.D. candidate Andrew Huang published a 15-page
paper describing many of the more secretive aspects of the Xbox's hardware. In his
paper, Huang claims to have defeated the Xbox's copy protection system --
designed to prevent unlicensed developers from writing their own code for
the machine. Coupled with the Xbox's internal hard drive, this could bring
the possibility of patch-based cheating closer to console gamers than ever
That's good news for the likes of Kellogg. Back in cyberspace, he's begun to
arouse suspicion in his Counter-Strike game. A few opponents are grumbling,
messaging phrases like "Nharlothep's a cheat! Someone kick him!"
Unfortunately for them, there's no server admin online, and Kellogg simply
ignores them and continues to rack up the kills. "There's so many other
servers out there," he says. "It's just a game, people!" By Alex Handy