[MUD-Dev] Security in MUDs - MMORPGs

Jon Leonard jleonard at slimy.com
Fri Jun 8 14:35:28 CEST 2001 

On Thu, Jun 07, 2001 at 10:25:19AM +0100, Adam Martin wrote:

> A question from yesterday's Computer Science undergrad finals @
> Cambridge, UK:
 
>   "You are developing a multi-user computer game, and wish to make
>   it harder for players to cheat.

This divieds into three possible sub-questions, I think.  Strictly
peer to peer games, and client/server on both sides.

>     (a) Discuss the possible benefits of using:

>       (i) encryption/authentication

In a LAN game, possibly useful to keep other players from snooping
on hidden game state.  For a server, useful to keep people from
stealing other player's characters.  In a client, it could
potentially shut out server emulators.

Of these, the only one that seems worthwhile might be locking
characters to particular serial-number game CDs, but that's a
substantial user friendliness problem, because you can't (easily)
then go play at a friend's house.

In short, not very useful.

>       (ii) virus detection techniques

I can't think of how this would even apply.  Maybe to avoid
distributing viruses in the official game, but still...

>       (iii) intrusion detection techniques

Only useful on the server-side, I'd think.  It wouldn't be very game
related, though.

>     (b) What might be the advantages and disadvantages of issuing
>     players with a smartcard and reader?"

No real advantage, and substantial cost and usability disadvantages.

> Although I was tempted to answer with "The benefits are: not much,
> really - you can't trust the client at all", I wasn't prepared to
> fail because of a flippant answer :). Sadly, we can't discuss the
> relevance/well-foundedness of the question with the resident
> professor of Security, because he's also the chief examiner this
> year, which effectively censors him.

That's about right, I think.  There are a few things that you can
reasonably trust the client for, though: Those things that the
player has no motive to lie about (account password, for example).

> Still, I thought some people might be interested to see the
> question. Food for thought? Perhaps.

To be honest, this looks like a case of picking the wrong example
domain for a question.  If the question had been about online
banking, then the question would make more sense, though they both
have their own peculiar domain-specific quirks.

Jon Leonard
_______________________________________________
MUD-Dev mailing list
MUD-Dev at kanga.nu
https://www.kanga.nu/lists/listinfo/mud-dev

More information about the mud-dev-archive mailing list