[AntiCheat] Game Security: The Emergence of Psychologists...

@codewiz · April 12, 2013 · 3 min read

Sometimes, the convergence of divergent elements can be quite magical.


Over the past year, while developing XIGNCODE, the most enjoyable aspects I've encountered have often been social engineering methods. After all, hackers are human, and so are the people using hacking tools. I believe we can't transcend this human limitation. There are indeed some strange psychopaths who might go beyond, but they are certainly not the vast majority. In this respect, social engineering tactics have a simple, yet profound and fundamentally appealing charm. However, among the companies that adopt these tactics, there seems to be a bit of wavering. Some welcome social engineering strategies wholeheartedly, while others are skeptical. It's an immature phase.

The more interesting thing is that companies with many engineers tend to extremely avoid these methods, dismissing them as pseudo-science. Engineers like things that are difficult, profound, complex, and coding-related, but the fact is that such things are predictable when equally skilled parties are involved.

I remember a certain company — the one that keeps popping up in internet articles these days — would gather all security companies for a BMT. The final phase was cross-hacking. As you might expect, no security product could defend against cross-hacking. Meanwhile, the esteemed host who assembled these security companies stated that since no proper product was created, none would be adopted. A part of me was slightly tempted by the attention they have been getting in the media lately.

"We all know the domestic products are like that, ..." seems to be the sentiment that is floating around. But, let me assure you, the foreign products that you are so familiar with are the same. Even the software from that huge company that seems so legitimate can be bypassed by simple methods. Even software with tens of thousands of lines of grand function can sometimes be circumvented by a script of a few lines. It's as if, reminiscent of Gödel's incompleteness theorems, software is inherently born with vulnerabilities. This could also be a limitation of the von Neumann architecture.

Take Microsoft as an example. They know vulnerabilities can't be eradicated so they release mitigation strategies instead. Essentially, attacks are still possible, they're just made more difficult. They try to nullify economic efficiency of an attack. This is the best they can do. There's a reason why they consider the Return on Exploitation (ROE). Technology is just like that. It's the same with game security products. If companies attack each other, it doesn't amount to more than toy-level competitiveness. Just listing the loopholes they keep quiet about might require a ton truck to move them all, I presume...

I dare to predict that we will soon see the dawn of social engineering-based diagnostic techniques as main strategies. What does this mean? Yes, it means that after data analysts, psychologists will be the next to be invited into game security teams. Smart Riot Games has already started.

It's time for system programmers to open their minds a little and learn to collaborate with data analysts, psychologists, and neuroscientists. It's not just about coding, it's time to read some humanities books, observe people at coffee shops, and philosophically ponder why they spend so much money on coffee. Open your mind. The moment you think programming is everything is the moment you risk becoming a frog in a well. We are in an era of crossover and fusion.

Theories like the Broken Windows Theory, the 80/20 rule, narcissism, the placebo effect, the Werther effect, and the stigma effect may turn out to be more important than technical knowledge of hooking, filtering, reversing, big data, cloud, virtualization, NoSQL, etc. Ultimately, it's all about people. We need to think more broadly. This isn't pseudo-science. It's a more effective approach. Always think of the ROE. After all, we still live in a capitalist world.

@codewiz
Looking back, there were good days and bad days. I record all of my little everyday experiences and learnings here. Everything written here is from my personal perspective and opinion, and it has absolutely nothing to do with the organization I am a part of.
(C) 2001 YoungJin Shin, 0일째 운영 중