Page 1 of 6
How in the world did I not know about this for three years?
Researchers at the University of Tokyo have developed a robot that always wins at rock-paper-scissors. It watches the human player’s hand, figures out which finger position the human is about to deploy, and reacts quickly enough to always win.
EDITED TO ADD (6/13): Seems like this is even older — from 2013.
Last month, Kaspersky discovered that Asus’s live update system was infected with malware, an operation it called Operation Shadowhammer. Now we learn that six other companies were targeted in the same operation.
As we mentioned before, ASUS was not the only company used by the attackers. Studying this case, our experts found other samples that used similar algorithms. As in the ASUS case, the samples were using digitally signed binaries from three other Asian vendors:
- Electronics Extreme, authors of the zombie survival game called Infestation: Survivor Stories,
- Innovative Extremist, a company that provides Web and IT infrastructure services but also used to work in game development,
- Zepetto, the South Korean company that developed the video game Point Blank.
According to our researchers, the attackers either had access to the source code of the victims’ projects or they injected malware at the time of project compilation, meaning they were in the networks of those companies. And this reminds us of an attack that we reported on a year ago: the CCleaner incident.
Also, our experts identified three additional victims: another video gaming company, a conglomerate holding company and a pharmaceutical company, all in South Korea. For now we cannot share additional details about those victims, because we are in the process of notifying them about the attack.
Me on supply chain security.
EDITED TO ADD (6/12): Kaspersky’s expanded report.
Two teenagers figured out how to beat the “Deal or No Deal” arcade game by filming the computer animation and then slowing it down enough to determine where the big prize was hidden.
Long and interesting story — now two decades old — of massive fraud perpetrated against the McDonald’s Monopoly sweepstakes. The central fraudster was the person in charge of securing the winning tickets.
Evidence that stolen credit cards are being used to purchase items in games like Clash of Clans, which are then resold for cash.
I play Pokémon Go. (There, I’ve admitted it.) One of the interesting aspects of the game I’ve been watching is how the game’s publisher, Niantic, deals with cheaters.
There are three basic types of cheating in Pokémon Go. The first is botting, where a computer plays the game instead of a person. The second is spoofing, which is faking GPS to convince the game that you’re somewhere you’re not. These two cheats are often used together — and you see the results in the many high-level accounts for sale on the Internet. The third type of cheating is the use of third-party apps like trackers to get extra information about the game.
None of this would matter if everyone played independently. The only reason any player cares about whether other players are cheating is that there is a group aspect of the game: gym battling. Everyone’s enjoyment of that part of the game is affected by cheaters who can pretend to be where they’re not, especially if they have lots of powerful Pokémon that they collected effortlessly.
Niantic has been trying to deal with this problem since the game debuted, mostly by banning accounts when it detects cheating. Its initial strategy was basic — algorithmically detecting impossibly fast travel between physical locations or super-human amounts of playing, and then banning those accounts — with limited success. The limiting factor in all of this is false positives. While Niantic wants to stop cheating, it doesn’t want to block or limit any legitimate players. This makes it a very difficult problem, and contributes to the balance in the attacker/defender arms race.
Recently, Niantic implemented two new anti-cheating measures. The first is machine learning to detect cheaters. About this, we know little. The second is to limit the functionality of cheating accounts rather than ban them outright, making it harder for cheaters to know when they’ve been discovered.
“This is may very well be the beginning of Niantic’s machine learning approach to active bot countering,” user Dronpes writes on The Silph Road subreddit. “If the parameters for a shadowban are constantly adjusted server-side, as they can now easily be, then Niantic’s machine learning engineers can train their detection (classification) algorithms in ever-improving, ever more aggressive ways, and botters will constantly be forced to re-evaluate what factors may be triggering the detection.”
One of the expected future features in the game is trading. Creating a market for rare or powerful Pokémon would add a huge additional financial incentive to cheat. Unless Niantic can effectively prevent botting and spoofing, it’s unlikely to implement that feature.
Cheating detection in virtual reality games is going to be a constant problem as these games become more popular, especially if there are ways to monetize the results of cheating. This means that cheater detection will continue to be a critical component of these games’ success. Anything Niantic learns in Pokémon Go will be useful in whatever games come next.
Mystic, level 39 — if you must know.
And, yes, I know the game tracks works by tracking your location. I’m all right with that. As I repeatedly say, Internet privacy is all about trade-offs.
Denuvo is probably the best digital-rights management system, used to protect computer games. It’s regularly cracked within a day.
If Denuvo can no longer provide even a single full day of protection from cracks, though, that protection is going to look a lot less valuable to publishers. But that doesn’t mean Denuvo will stay effectively useless forever. The company has updated its DRM protection methods with a number of “variants” since its rollout in 2014, and chatter in the cracking community indicates a revamped “version 5” will launch any day now. That might give publishers a little more breathing room where their games can exist uncracked and force the crackers back to the drawing board for another round of the never-ending DRM battle.
BoingBoing post. Slashdot thread.
Related: Vice has a good history of DRM.
An early preview.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Read my blog posting guidelines here.
It’s called Cryptomancer. Think computer hacking plus magic. I know nothing about it, but it feels reminiscent of Shadowrun.
Reddit thread. RPG.net thread.
EDITED TO ADD (12/14): A review.
Sidebar photo of Bruce Schneier by Joe MacInnis.