Schneier on Security
A blog covering security and security technology.
November 25, 2009
Virtual Mafia in Online Worlds
If you allow players in an online world to penalize each other, you open the door to extortion:
One of the features that supported user socialization in the game was the ability to declare that another user was a trusted friend. The feature involved a graphical display that showed the faces of users who had declared you trustworthy outlined in green, attached in a hub-and-spoke pattern to your face in the center.
That feature was fine as far as it went, but unlike other social networks, The Sims Online allowed users to declare other users untrustworthy too. The face of an untrustworthy user appeared circled in bright red among all the trustworthy faces in a user's hub.
It didn't take long for a group calling itself the Sims Mafia to figure out how to use this mechanic to shake down new users when they arrived in the game. The dialog would go something like this:
"Hi! I see from your hub that you're new to the area. Give me all your Simoleans or my friends and I will make it impossible to rent a house."
"What are you talking about?"
"I'm a member of the Sims Mafia, and we will all mark you as untrustworthy, turning your hub solid red (with no more room for green), and no one will play with you. You have five minutes to comply. If you think I'm kidding, look at your hub: three of us have already marked you red. Don't worry, we'll turn it green when you pay…"
If you think this is a fun game, think again: a typical response to this shakedown was for the user to decide that the game wasn't worth $10 a month. Playing dollhouse doesn't usually involve gangsters.
EDITED TO ADD (12/12): SIM Mafia existed in 2004.
Posted on November 25, 2009 at 6:36 AM
"If you allow players in an online world to penalize each other", um without cost to themselves, "you open the door to extortion."
Cool, the simulation is accurate!
Were the perpetrators punished in any way?
You forgot to mention that the game organisers did become aware of the problem and took steps to remove the problem.
The thing about extortion is it never has zero cost to the extorter. This is because there is an economic flow to them and this is traceable, thus there is always a risk. And it is mitigating this risk that costs the extorter.
The way to stop extortion is to raise the cost beyond that point where it is economical.
The question is how?
The law of "unintended consequences" applies and there is a reasonable chance that in closing one route for extortion you open another.
Seems like a problem of quantity over quality. Just looking at the trust/no trust is useless unless you have information about who is trusting and not trusting.
For example, I'd mark any trust value from known Mafia members as having zero weight.
This story is about a subset of a much larger problem, generically called "griefing" (e.g. the intentional ruining of the on-line entertainment experience, for various reasons, including but not limited to extortion for monetary gain), that is the great dirty secret of on-line multi-player gaming these days.
I have personally experienced "griefing" on a number of occasions and I can tell you that the only thing more frustrating than having it happen to you by some maladjusted little 13 year-old haxxor who hides behind the anonymity of the Internet while he's "ganking" you, is the complete indifference of the on-line gaming service provider(s) to complaints about this kind of inappropriate conduct. Basically, they couldn't care less.
Basically, the state of security for these large multi-player environments is roughly where it used to be for the general IT community (e.g. Microsoft etc.) in about 1995 -- e.g., "grossly inadequate".
A large part of the problem has to do with the fact the de facto payment model for on-line gaming is, "you pay for the THEORETICAL right to access the game infrastructure" -- irrespective of whether you can do that, whether you in fact do do that (e.g. whether you ever actually play), and -- crucially -- regardless of whether or not you actually had an enjoyable experience.
In other words, the game company gets paid one way or another, whether or not they police their infrastructure to stop the most egregious hacker / griefer / extortion tactics such as the ones described in Bruce's post.
That this situation is so obviously inadequate, yet is tolerated to one extent or another by virtually all the on-line gaming systems, is a clear indication of the immaturity of the industry.
Try to imagine, for example, an on-line video streaming service where you have to pay $20 per month just to try to launch a video, then halfway through, it is interrupted by a hacker who demands additional $20 payments "so you can finish watching your movie"... and the video hosting site ignores repeated complaints that this is happening. This would never be tolerated for that kind of service, but it happens all the time in on-line gaming.
Until the on-line gaming companies take more responsibility for pro-actively preventing this kind of service disruption, the griefers will continue to p*ss in the well and ruin the gaming experience for everyone else. I suspect that it will take a lawsuit or two to smarten them up... but don't hold your breath, the gaming companies know that at $10 per month, it's not worth your while.
it would be interesting to see the connections and analogies to the offline world.
one big problem of this type of "protection money": nobody is forced to use Sims Online. The victims can leave and disappear (come back as soon as EA or Maxis provide a solution).
it would be terrible if the mafia chooses their victims online and follows them offline.
It looks like the Sims is a good place to try new stuff and see the consequences.
it is a difference between a "public trust" (politicians etc.) and "private trust" (friends, business partner, ...)
the main question in real life is "how many of my friends trust this stranger?" and "how many untrustworthy people trust this geezer?"
Could you please post the link to the original article, Bruce?
@ Telco Security Dweeb,
"Basically, the state of security for these large multi-player environments is roughly where it used to be for the general IT community (e.g. Microsoft etc.) in about 1995 -- e.g., "grossly inadequate"."
Almost but not quite right 8)
One security expert puts "all online community environments" ie social networking Email twitter etc etc as having the security equivalent of MS Windows 95. As well as the Firefox web browser,
I'm really surprised Bruce has not blogged about the state of "online community" systems in general.
Oh and "off the record" I've been told by at least two other researchers that most "cloud offerings" have this problem as well.
Partly this is due to a protocol bug in TLS/SSL but hey that's what we all use and (did) trust...
The incentive to the MMO provider is still obvious. You claim that there is no incentive for them to prevent griefing, because they get paid for providing you the ability to play, thus they don't care about your enjoyment. You forget the simple fact that people that don't enjoy the game leave, and take their monthly fees with them. Player retention is very important to these companies, because without it, the game dies.
We had a similar shakedown problem in the latest "Telling" (storyline reboot) of "A Tale In The Desert", which is a non-violent, crafting and social MMORPG. Some griefers joined at the start of the Telling, started the "Nigerian Businessmen" guild and took advantage of game features to harass and shake down other players.
Fortunately, a lot of senior players in wealthy guilds got together and "ran them out of town". ATITD doesn't have direct violence, but it does have a variety of things that make life difficult when you're Level 4, but fairly trivial to deal with when you're level 27. And it's hard to get ahead when none of the level 27 folks will engage in trade with you.
ATITD also has elected "demi-pharaohs" who can ban other players from the game. This is a very rare occurrence in practice, and many folks run for election on the platform of "I won't actually ban anyone", but there were people running for DP just to nail the Nigerian Businessmen.
Eventually, the griefers hit the road and went back to WoW or whatever other rock they crawled out from under.
You might want to have a look at today's Non Sequitur (http://www.gocomics.com/features/112/feature_items/473873) cartoon. Without giving spoilers, I assure you it's relevant.
How to stop:
Only count trust from people you trust and those they trust (so you take less time to build a "trust network")
I play EVE, where trust is traceable (if you mark someone as "red," people can see that you marked them red, but that's it). It amazes me how social organs developed to use such trust to defend themselves against "mafias."
My experience is "griefing" is nastiest in games (or areas of games) where there are rules to, ironically, prevent griefing. In EVE hisec wars are brutal. In WoW, it's the servers that disallow PvP that have some of the rudest griefing tactics. The most effective anti-griefing method I've seen is to let the victims unite and give the griefer a good beating =)
On the other hand, it's probably a good thing that such solutions don't make it out into the real world (or at least not to great degrees)
I'm not an online gamer (I harken back to BBS days and never acquired the habit), but reading through the comments here it sounds a lot like real life:
- A nice quiet waterfront community gets an interstate off-ramp and is suddenly set upon by out-of-town developers who wreck the community, spoil the environment, and then take their profits and leave town.
- New businesses in many cities who want to be successful quickly find out who they need to do business with to keep the politicians and others happy and off their backs (or on their sides). If you don't play their game and suck up to their friends, they brand you "untrustworthy".
I guess it's better that the kids learn it now online in WoW rather than later in life...
@ Geoffrey Kidd,
Sadly my "mobile phone browser" does not have sufficient resolution to read the "bill board" around the neck (although I can just read the "speech bubble").
I guess I'm going to have to wait, until either I can get to a computer (not easy when you are flat on your back with a stressed out nurse making sure you don't misbehave or escape 8( or hope for a spoiler later today 8)
A thought occurs.
First off these "networks" are for social activities and there are social norms to anti-social crime (ie LEO's and black-balling).
Rather than have an open right to criticise and instantly mark somebody down.
How about a system where comments or votes are either moderated, or only available to members of the same guild/friends list.
Also to take the economic incentive out of "black balling" make each person who wishes to give a negative vote pay a refundable deposit to do so. Thus if their comment or vote is found to be unsupported they lose economic value.
Thanks for posting the link. I've never seen a writeup of the abuse of reputation systems in a general sense before; that covers it beautifully.
@Telco Security Dweeb
Your analogy of a video site where a hacker extorts money from you is not even superficially accurate. Griefing happens within the constraints of the game. It's more analogous to common trolling.
There is no way to prevent this without destroying the user's autonomy and making the game no fun. Trolls and griefers will always find a way to annoy sensitive people because that's what they find enjoyable. No technical solution or hard and fast rules will prevent the problem. It's a social problem and it has to be dealt with by community involvement and policing by the game organizers, and believe me, the game companies take this very seriously.
I'm more in favor of self-regulating systems. Moderating is not very objective sometimes, and could be a nightmare effort.
Instead, allow each player only a limited number of opportunities per month to mark someone down. That way, there is an economic value to each opportunity, since they will have a limited quantity.
Second Life is one of the biggest games that has this issue. The FBI has created players of its own in the game to track such individuals.
the cartoon reads
homeless man with billboard, and
a collection hat brimming with cash.
"won't post my thoughts on your blog for cash"
Bystander's speech bubble reads
"well, at least someone has figured out a way to make money from the internet"
Online gaming abuse & especially griefing is responsible for more bad vibes than all virii combined, and getting bigger. A subject largely and happily ignored by most. Good to see it getting some attention.
The main advantage of not having antigriefing stuff is that the most powerful players in any game tend to care about it and its community due to the amount of time and effort they have sunk into it so often deal with it better than any moderation system.
Also it's worthy of note that most griefing is only doable through bugs or badly thought out game features, and in my opinion careful game design and rapid patching is the most effective tool that game devs have.
"Second Life is one of the biggest games that has this issue. The FBI has created players of its own in the game to track such individuals."
Don't they have better things to do than harass people who choose not to play nice in a game? I mean, I get pissed at hecklers and noisy obnoxious idiots at sports events, but I hardly expect the federales to do anything about it. Event Security, maybe, but not the feds.
Having played a variety of MMOs in the past I've noticed griefing is most prominent in games where there are (system enforced) rules in place that basically prevent you from getting any kind of payback in-game. The more strict the rules on hurting others, the more freely the griefers can make your life hell (in creative ways, like in the original post) without you having any (in-game) way to get back at them.
The games/environments where you can hurt the griefers easily, for example games with no limits on who you can attack or hurt, tend to have a lot less griefing. Basically because the people who are against it can flock up and put an end to it.
Social games (Sims online, Second Life) are at the end of the spectrum where there is no violence and as such there is no way to exercise the natural way of human beings to put an end to troublesome individuals - violence or the threat of it.
This issue of freeness vs. griefing is a source of an age old discussion in the MMO circles where people generally are afraid that less strict rules on violence end up in more griefing, while in my (albeit limited, as is everyone's) experience it has been the other way around.
This was news back in 2004:
Griefing as it would be called today, is still rampant in MMOs, some game companies take it seriously and some don't. With the advent of real money being used in games like Second life and Entropia Universe, it would be good to have some kind of monitoring of that type of games.
It isn't fun to spend money on ammo to kill a mob when some higher level player runs up with a bigger gun and more skill and blast - what you were working on - to pieces and get the loot.
In the real world, that would be called theft.
"Don't they have better things to do than harrass people who choose not to play nice in a game?"
I suspect the reason the Feds are there as well as US Secret Service is because of money laundering or other related crimes such as blackmail.
These online games are getting to the point where they may be in serious legal trouble because they are acting as "unlicensed deposit takers" amongst other things.
A lot of games now have "virtual objects" with dollar value and "virtual money" that enables these "virtual objects" to be traded.
As far as the law in most places is concerned the "virtual object" is an irrelevance. Your "virtual bag" where you keep your virtual objects and money is a "deposit account" the fact that you move a virtual object from your "account" to another person's "account" is an unregulated financial payment / transaction.
This is because the object although virtual has a real dollar value. Thus the system can store real value which makes it a financial repository and move money from one account to another. The fact you view it as a game is an irrelevance as it behaves like a bank.
Such systems can quite easily be used for money laundering.
I pay a bunch of very low paid Chinese workers a small sum to increase my "virtual wealth". I then "lose in battle to you" (deliberately) and you take all my "virtual wealth" which you then sell for real money just like the low paid Chinese workers.
The end result is I've put in 100USD to get a million spondolics deposit, which I transfer to you. You then sell on the million spondolics for around 100USD.
This is exactly the same as getting 100USD converted to 100EUROS giving the 100EUROS to somebody else who then converts the 100EUROS to 90USD.
It is the fact that objects in these "virtual worlds" have "real world" value that interests the Feds and Secret Service.
The simple fact is a "Sovereign Nation" has rights pertaining to the position of "head of state" one of those rights is to issue a currency for the purposes of trade. There is a very real benefit (seigniorage) to being a currency issuer and the head of state's proxy the US Treasury does not take kindly to you usurping the privilege or benefit.
Also the US Postal service, the fact that the game can also be viewed as a "common carrier" means that the laws pertaining to "postal fraud" might well apply.
As the old "real world" curse has it in the "brave new virtual world", "may you live in interesting times"...
Of course to some extent, the prevalence of this sort of thing is because it is a "game," and fewer people feel morality constrains their behavior in it. You can usually design a system based on the idea that most people will be honest and a very few will try to ruthlessly exploit that honesty. But in a game world, it is likely that a much larger percentage of people will ruthlessly exploit others because "it's only a game," and that can be a successful strategy.
sure. That much is obvious. However Jeff was talking about the Feds keeping an eye on griefers, which is not the same at all. It was that to which I was responding, not some other point which no one had made about laundering.
... although, I suppose, it's conceivable that the griefers and the launderers are the same people in some cases. But that seems like a pretty unreliable way of flying beneath the radar.
The reason the Feds do take an interest in some griefers is they are "extorting" game money which in some games can be exchanged for USD.
So as there is real realisable value it is a crime, and probably it crosses state borders or even international borders which IIRC makes it a federal not state offence.
JonS: Really? I hear some baseball players are "stealing" bases, too.
And some poker players, even those who play for money, engage in a practice called "bluffing", which is just a fancy name for fraud.
Sorry, the above was a reply to Clive Robinson's reply to JonS.
And as long as I'm posting again, I'll add something else: This was just an extreme case involving a bug. But online game designers do need to think about the possibilities of griefing when they design every interaction between players.
JonS: Really? I hear some baseball players are "stealing" bases, too.
And some poker players, even those who play for money, engage in a practice called "bluffing", which is just a fancy name for fraud.
Illustrates my point rather clearly IMHO.
The whole point of these games is that you can do things that it's not legal or practical to do in the real world. You can kill innocent people. You can shoot people in the street. If these games had to follow real world laws, they couldn't exist.
Sure, you can go after griefing as a violation of the game's rules or terms of service. But in-game extortion is just *not* real-world extortion just as in-game murder is not real-world murder, and even if you lose something of real-world value, it's not real-world theft.
Confusing fantasy with reality will destroy fantasy.
The point of "Virtual Reality" is that it is a referenceable fantasy,
sharing existential qualities of a sort with Reality.
Thus, "Confusing fantasy with reality will destroy fantasy,"
unless that fantasy hybridizes certain qualities of reality,
in which case that which is less moored in reality will prove insubstantial.
2-Perceptual bias mixed with reality,
3- Virtual Reality
4- Contra-Perceptual bias blended with
5- Expressed Fantasy
6- Internal Fantasy
7- Incommunicable fantasy
may represent a sort of spectrum of competing experiences, as they prevail.
The wise person will notice the listed absence of the present dimensionality of encoding, and
the introduction of the internality of a communications spectrum into this array.
Similar things have been going on in MUDs since the 80s.
When I read this I immediately thought about Eve Online. Where even secure space allows players to attack and kill each other but with certain loss of ship to the attacker. Just yesterday a person in my alliance demanded protection money to stop killing a group of people in secure space. I didn't really think of it in terms of protection money then but that's what it was.
I don't really understand why so often in these comments people confuse "reputation" with "power".
Reputation is not an economic term.
If someones are allowed to rate someone down (in a global context, not only within their point of view), but only for spending some economically valuable quantity,
you only get the situation "the richest is the ruler". As opposed to "you are to decide your own trust".
Imagine that for some reason some group acquired some large sum of "money" (the value, that is required to minus someone's rating) - the largest sum, that nobody else has. That is the current situation in some markets across world. The more you have - the more you get - golden rule of capitalism.
The richest group can hammer anyone, and no one is capable of hammering the group. So, the group becomes the absolute ruler - it even has the power of demanding "money" (and even real money) from ordinary players just for leaving them alone. More "money" to increase its power and grooow!
Well, reputation has nothing to do with wealth, power or anything else materialistic, really. It is completely subjective.
I wrote an article called "Does the Sims Online Host the Mafia?" and a short while after it was published online, a bunch of Mafia-influenced people began pestering me, claiming that I had ruined their game and caused its demise. I checked, and in fact it was doomed well before I wrote the article - its stats were slipping, probably due more to lack of interest and also the Mafia presence than anything else. The game was actually a bit on the dull side and didn't have enough to do on it, and the "Mafia" doing the things they did on it, such as attempting to lure teenage girls into online prostitution, didn't help any. So I'm fairly sure I did very little to contribute to the eventual demise of the online Sims game, especially as the EA version later on also immediately died, apparently due to lack of interest.
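The following is an added example, not part of the original post or of any comment: it compares the mechanic the post describes (every account's mark counts equally and costs nothing) with the mitigation suggested in the thread, counting marks only from people the viewer trusts and those they trust. All account names, the two-hop limit and the 0.5 second-hop weight are assumptions made for the illustration.

```python
from collections import defaultdict

def mark(marks, rater, target, value):
    """Record +1 ("trusted") or -1 ("untrustworthy") from rater about target."""
    if value not in (1, -1) or rater == target:
        raise ValueError("value must be +1 or -1, and not a self-mark")
    marks[rater][target] = value

def global_score(marks, target):
    """Every account's mark counts equally and costs the rater nothing."""
    return sum(given[target] for given in marks.values() if target in given)

def trust_circle(marks, viewer, second_hop_weight=0.5):
    """Raters the viewer listens to: accounts the viewer marked trusted
    (weight 1.0) and accounts those mark trusted (assumed weight 0.5).
    Anyone the viewer marked untrustworthy is excluded outright."""
    own = marks.get(viewer, {})
    direct = {t for t, v in own.items() if v > 0}
    blocked = {t for t, v in own.items() if v < 0}
    weights = {r: 1.0 for r in direct}
    for friend in direct:
        for t, v in marks.get(friend, {}).items():
            if v > 0 and t != viewer and t not in blocked:
                weights.setdefault(t, second_hop_weight)
    return weights

def viewer_score(marks, viewer, target):
    """Score of target as seen by viewer; strangers' marks weigh nothing."""
    weights = trust_circle(marks, viewer)
    return sum(w * marks[r][target] for r, w in weights.items()
               if target in marks.get(r, {}))

def demo():
    """Constructed scenario: five colluding accounts against one newcomer."""
    marks = defaultdict(dict)
    gang = ["m1", "m2", "m3", "m4", "m5"]
    for g in gang:
        mark(marks, g, "newbie", -1)        # the shakedown
        for other in gang:
            if other != g:
                mark(marks, other, g, 1)    # the gang vouches for itself
    mark(marks, "alice", "bob", 1)
    mark(marks, "bob", "carol", 1)
    mark(marks, "carol", "newbie", 1)       # one honest player vouches
    out = {
        "global_newbie": global_score(marks, "newbie"),
        "global_m1": global_score(marks, "m1"),
        "alice_newbie": viewer_score(marks, "alice", "newbie"),
        "alice_m1": viewer_score(marks, "alice", "m1"),
    }
    mark(marks, "bob", "m1", 1)             # bob is talked into trusting m1
    out["alice_newbie_infiltrated"] = viewer_score(marks, "alice", "newbie")
    mark(marks, "alice", "m1", -1)          # alice zero-weights the known member
    out["alice_newbie_blocked"] = viewer_score(marks, "alice", "newbie")
    return out

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The infiltration step shows the residual risk of viewer-relative scoring: a colluding account regains influence once someone in the viewer's circle vouches for it, so the ability to exclude a known bad rater still matters.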