Ep61 – WTM: Gaming
[00:00:00] Camille Morhardt: Hi there. On today’s show we’ll be discussing gaming. With me today to talk about gaming is Matt Areno. He has a PhD in Computer Engineering and over 10 years of experience as a hacker. He’s Senior Principal Engineer and Director of Security Assurance and Cryptography.
Matt started his career with the original Nintendo, completing over 200 original NES games. Since then he’s played Super Nintendo, Sega Genesis, Nintendo Cube, Nintendo Wii, X-Box 360, X-Box One, and Nintendo Switch. He also has extensive experience with PC gaming. He was an early participant in the LAN parties playing StarCraft, Warcraft, Counter-Strike and more like it. He also has played MMOs–massive multi-player online–as well as LOTRO–Lord of the Rings Online (and notes that these games have taken on an entirely new structure on tablets and phones).
Matt, you have an interesting security perspective on gaming, uh, but we don’t want to limit you. Can you define gaming for us in under three minutes?
[00:01:00] Matt Areno: Sure. And thanks for having me, Camille. Pleasure to be here. And thank you for starting me off with such a very simple, straightforward question. I guess if I had to define gaming, I would say that gaming is interactive storytelling. You know, it can take on so many different forms—whether it’s a board game, whether it’s a dice game, whether it’s something like D&D (which I also play with several friends), whether it’s on a computer, whether it’s on your TV, your phone, your tablet. All of these games are based around a storyline that takes you from Point A to Point B and attempts to engage you in various different aspects of that story.
You know, you think of Monopoly, you don’t really see much of a story to be told in Monopoly, but there is a story there: it’s the acquisition of wealth and property and, and using that to try and become the strongest, most powerful and richest person on the board. A lot of the video games that we have now, it’s a little bit easier to see some stories in it, but that’s really what gaming is; it’s interactive storytelling and progression.
[00:02:09] Camille Morhardt: Does it have to be interactive? I mean, I could play solitaire or are you going to claim that’s interactive because it’s with a computer?
[00:02:15] Matt Areno: Well, you’re, you’re interacting with something. You’re interacting with cards. You’re interacting with a computer. The computer may be simulating the cards for you, but you are still interacting with, with the cards. Whether the interaction comes through rolling the dice, through actually moving characters, like playing chess, whether it comes through clicking on a mouse and keyboard, there’s some engagement on your part to move the story along, to flip the next card.
[00:02:44] Camille Morhardt: Quick definition for gaming. Let’s dive a little deeper. I’d like to put this in perspective. I don’t game myself, as you’ve probably already figured out, but both my kids have Nintendo Switches and all I ever hear about at the dinner table is Animal Crossing. So I’m wondering how [big] is gaming in entertainment?
[00:03:06] Matt Areno: It’s huge. The last I recall it was literally the biggest entertainment industry in the world. And part of that is because it is so all encompassing. So many different platforms now than there ever were before. And you look at a lot of the technological advances. You know, we worked in computers and computer systems, processors, video cards, things like that. A lot of what people don’t realize is how big of an impact gaming has had in driving that innovation.
One of the key things that’s been out there that’s been pushing for better performance, lower power, better graphics has been the gaming industry. Trying to keep up with their needs and their desires to push the limits on what they’re doing has been a huge fuel to innovation. And a lot of the electronics world that we have today, we literally owe to the field of gaming.
[00:03:59] Camille Morhardt: You’re talking about pushing to the limit, some of the technology. And I know some of these games seem to specifically tie with kind of military style interaction–I’m thinking first-person shooter, or other types of games. How is it tied to kind of government R&D?
[00:04:18] Matt Areno: Well, it was actually kind of interesting that the government actually uses gaming to interact with people. They use that to try and recruit people, to let them try out vehicles and aircraft, to simulate the battlefield environment–but obviously doing it in a safe manner in front of a computer, as opposed to the literal battlefield. But because there’s been so much advancement in our technology, even the skills of playing video games have become useful. And you can see that literally in flying drones. For all intents and purposes, flying a drone looks a whole lot like playing a video game, with a person sitting there with a joystick, a controller, a monitor and keyboard in front of them and they’re having real time interaction with those drones.
A lot of what we’re seeing in the military as things become more and more automated, it becomes more like a video game. And so they are very, very vested in utilizing this as a tool for recruitment, utilizing this as a tool for training and engaging with it.
[00:05:24] Camille Morhardt: Are there other video games that have nothing to do with that? We’re just talking pure entertainment industry.
[00:05:31] Matt Areno: I would wager that most of them have little or nothing to do with military applications; although obviously the military could certainly be considered a huge part of it. But games are really broken up into a number of different categories. You know, if you open up your iTunes Store or your Google Store, and you look at the app and you go to the games, there’s a number of different genres, uh, types of games out there, depending upon what you like to do–whether it’s a strategy game, uh, that you’d like to play, whether it’s role-playing games where you want to be interactive with a specific character and move that character through a quest, uh, things like your card games and regular arcade and action type of genres. There are just a number of different games out there whose literal purpose is completely entertainment.
[00:06:20] Camille Morhardt: So I want to hit a little bit because you have, um, expertise in security specifically and a past in hacking, can you talk about some of the security concerns in gaming and how they evolved?
[00:06:37] Matt Areno: Sure, it really kind of follows with the evolution of gaming itself. When you first started off there, there was really no connectivity. Gaming was a controller, a console and a TV, and then the person’s playing. Um, there was really no notion of playing with people online. There was no notion of anything else. So all of the funds that, that these gaming companies procured, uh, to fund their business all came through the sale of the cartridges of the games themselves. And so that’s what everything was based off of.
As time progressed though, as the internet came into play and connectivity became a thing, um, games began to advance on that. So you could still certainly pay your 40, 50, $60 for the individual games on the computers, but now you also had the opportunity to engage with people online. And this brought in a really where the MMOs started to explode–your massive multiplayer online games. And with the MMOs came the notion of a pay-to-play strategy, as opposed to a single one-time purchase.
With the pay-to-play, this really kind of brought in a monthly subscription, effectively. So I pay 10, 15, $20 a month and I get premium access to the game. I mentioned in my bio that I was a big fan of LOTRO, Lord of the Rings Online. I’ve played it for over 10 years. Um, and it was subscription based. They had a free version that you could play as well, but if you wanted a few more features, you wanted things unlocked on your character, you wanted more room in your vault, those things could be purchased through a monthly subscription or through a store that they would offer in the game. And so that store became the next evolution.
So, you know, how do I get more money? How do I get, you know, I’m not selling cartridges here, so how do I make more money besides just the monthly subscriptions. Well, an in-game store.
[00:08:39] Camille Morhardt: And we’ve all seen sort of, you can now even collect money by playing a rock concert online or, you know, in the virtual world and this kind of interesting crossover between the worlds. Is there security?
[00:08:53] Matt Areno: We have to go one more step. So, you know, we’ve got these, these stores in the games, in this pay-to-play strategy. Well then when the games transitioned over to mobile devices, that’s when it really blew up for all intents and purposes, because now I’ve got the game always with me. And I can’t charge 50 to 60 bucks for it. I’ve got to charge zero or five. And so all of a sudden that in-game store becomes significantly more important. But with that comes the security issues. Because with those in-game stores, it brought about a pay-to-win strategy where players could pay more money and get things faster, get things better than other players. And this allowed them to very quickly spend their own money to level up in the game effectively–to be ahead of everyone else. And with that, the account started to take on real life value.
So even though you’re spending real life money for effectively virtual currency, the account itself begins to become financially worth something because it represents conceivably effort, but really you’ve spent the money on it. And now that becomes valuable to hackers. And so that’s where hackers came in and started to really go after these people’s accounts to get their login information, to, uh, compromise their systems, to gain their access to their virtual inventory, and then be able to sell it off.
And this became even worse as a lot of these gaming companies began to consolidate. So again, they’re looking for ways to reduce their overhead. So if I can get the distribution channel, if I can outsource that, then that’s something I don’t have to take care of. So things like Steam, which originally only had a few games in it, now hosts hundreds of games where you can, with one account, have all of these different games in your system, and now this one game that’s worth a lot of money is combined with four or five other games that are worth a lot of money.
So now as an attacker, a hacker, I’m thinking, “well, geez, why don’t I just go up for Steam? If I can compromise Steam, then I could access all of these different accounts worth all this money that I can then turn around and sell in real life.” And so it really became this entire evolution of gaming and how gaming is structured that brought in these attacks from hackers.
[00:11:29] Camille Morhardt: So hackers would hack into an account that had accrued–of course, I’m going to use the word for lack of a better term—“hacks” to the game or ways to get ahead in the game. And then they would sell those to other players on essentially a black market for hacked tips?
[00:11:47] Matt Areno: There really is legitimately an underground black market for log-in credentials for this. Now there are some people who, and I kid you not, this is an actual profession for them. They will create a number of different email accounts. They’ll load up something like BlueStacks–BlueStacks is an Android emulator that you can run on Windows, Mac, Linux as well (if I recall correctly). And you can instantiate an Android operating system that actually plays games from the Android store. And so these people will literally sit around all day and they’ll level-up accounts that they can then, once they get to a certain point, they can turn around and sell it. So they literally make a living playing video games, creating these new accounts, leveling them up to a certain point and turning around and selling them.
And that’s in addition to the people who are doing this maliciously that are intentionally trying to break into people’s accounts and gain access to that so that they can then turn around and sell it as opposed to the person who actually put in the effort.
[00:12:53] Camille Morhardt: Um, my kids steal from each other’s Animal Crossing stores all the time, but then I suppose they’ve also given each other access to their accounts or something like that or their islands. So if you’ve actually been hacked and your things have been stolen, what do you do? I mean, do you complain to the game? Or do you complain to the police? Or are you just out of luck?
[00:13:13] Matt Areno: Well, probably in far too many cases, it’s the latter. With the former, it really depends on your ability to prove that you were actually hacked. Can you actually prove that the person who logged in to the game was not you; that it was somebody else.
Now, in many cases, these gaming companies have, uh, authentication systems running on their server. They can notice suspicious activity, they can flag suspicious activity and even let you know, “Hey, somebody tried to log into your account.” And you can even go in and set up things like two-factor authentication. You can log in notifications to help you identify when these things happen. But when they do, if you don’t have that information, at a minimum, in many cases, yeah, you’re out of luck. And there’s not really anything that you can do about it.
You know, when it’s a mass leak–when they know that the people have gotten on and compromised–they’ll work with players to try and get that fixed. But otherwise there’s really no legal obligation for them to help you at all unless you can prove that the account was hacked and compromised.
Camille Morhardt: Interesting.
Matt Areno: And even then, did you take the appropriate steps? Did you do what was necessary in order to, to protect your account like turn on two-factor authentication and these notifications? You know, in some cases you might just get lucky and get a customer representative who will help you out and actually return the money or the account. And then in other cases, yeah, you have to go to court over.
[00:14:47] Camille Morhardt: So one other thing I want to ask you about, I don’t think it’s, well, it is actually directly related to security, but in a different sense. I think I’d be remiss if I didn’t ask you a little bit about bullying. I know there’s online bullying in general is a concern, but I have heard that it can be particularly tough in the gaming world. Can you offer us any perspective on that?
[00:15:12] Matt Areno: Yeah. And I can say authoritatively that it absolutely does exist in the gaming world, as sad as it is. The most obvious place, that’s usually in the chats. Almost every gaming platform these days, almost every game has some form of internal chat mechanism where you can interact with other players online. And while many of them try to put in filters, they try to put in the ability to report players and stuff like that, if the platform and the game only require a free account and you don’t have to pay for it, they just create a new one. So even if people report them, even if people say, “Hey, this person is being a bully,” they look through the chat log, they detect that this is what’s happening and they deactivate the account. The person just creates a new one because, why not, it’s free, or they move on to another game. So there’s really no stopping that aspect, especially with free games.
The other aspect of it has really been exposed with the pay-to-win strategy, where you can look at a lot of the people that get onto these games and they spend a lot of money to build up their ships. Like I played Star Trek Fleet Command–was one of the big ones I played as well on my phone. Every game almost will put in something to hamper your ability to progress. This compels people, as opposed to being patient, to spend more money. Well, the bullies recognize this. They recognize that people are not going to be able to advance as fast if they don’t spend the money. “So if I spend money, I’ll have the biggest ship around and I could blow everybody up. I’ll be able to do things that they can’t do. I’ll be able to access things that they can’t do. And this, you know, I’ll dominate this entire server that I’m on.” And so you see a lot of people that really legitimately do that. And they become a huge bully in the game. They kill people way lower than them–that honestly they shouldn’t have the ability to do. And a lot of the games let it happen, you know, where they could filter that kind of activity, they don’t. And they don’t filter it because it makes them money, because it compels these people to spend more money, to build up their ships so that they can fight back. And if the bully is well-funded, there’s just not much you can do about it.
Camille Morhardt: Now what does “game over” mean?
Matt Areno: So it means that whatever conflict, whatever engagement has been going on up to this point is now finished; it’s game over. You know, “I’ve won this battle and there’s nothing you can do about it.” It’s often spoken by the person who has the advantage, who is unbeatable. And oftentimes it’s used as a taunt to just tell ‘em, “I’m ahead. I’m going to win. Game over.” That’s just the way it is.
[00:18:11] Camille Morhardt: Thank you for joining me today, Matt, on What That Means: Gaming. We are going to dissect more terms in the weeks ahead and for more discussions about cybersecurity, be sure and catch the next episode of Cyber Security Inside coming your way next week.