One of my favorite Richard Thieme riffs describes the lifecycle of truth: arriving unseen and unheard, a new truth starts to move toward the center, where it is at first mocked, then ridiculed, and finally accepted as a consensus fact (by which time it is no longer true). Of course, the question is how you discover these new truths while they are still moving toward the center. Where do they emerge from? At least one of the main areas Thieme looked at was uninhibited play and games. This is where we are more free to push the envelope and less constrained by convention.
This also makes the gaming space an interesting place to learn about where security is going. Certainly, lots of segments are trying to improve security, financial services for example, but at the same time many traditional businesses are hard-wired with lots of constraints and feel they can do little to address their existing security issues. So to understand some new directions: where the vulnerabilities are to be found in highly distributed systems, what new threats can emerge, how valuable purely digital assets are, and what new countermeasures might be brought to bear - the study of security in the online game space is an excellent area to mine.
Hoglund and McGraw have written a follow-up to their excellent "Exploiting Software" (note - check out CAPEC for more on attack patterns). The new one is called "Exploiting Online Games". For the reasons above, and since I enjoy their writing style and way of thinking about exploits, I am looking forward to reading this one.
Sounds like an interesting read, I will add it to my list.
Posted by: Garrett | July 13, 2007 at 11:04 PM
In the online transactions space (e.g., online banking) the e-gold field was a bellwether, often predicting the evolution of validated threats by 2 years or so.
It is possible to speculate on why this is ... I would point to the fact that e-gold operated more or less outside the normal regulated / policed / contracted space of the banks. This had a number of effects.
1. e-gold were on their own, and were never able to ask anyone to help. So the attack could be better developed without complications ... but also e-gold had to defend itself.
2. by the time e-gold was either mined out or had developed a strong defence, that meant that the attack was ready for trial in the broad market, with a strong prediction of success, and a lot of experience.
So one aspect is to look for groups that have value and cannot operate the normal defence postures, for one reason or another.
(Above is just speculation, and is no way meant to be a comment on goodness or badness of anything.)
Posted by: Iang | July 17, 2007 at 02:54 PM
Hi 1raindrop types,
Due to some SNAFU, the book is not yet available on amazon, but it is available at three other websites:
http://search.barnesandnoble.com/booksearch/isbnInquiry.asp?z=y&EAN=9780132271912&itm=1
http://www.awprofessional.com
http://www.informit.com/title/0132271915
We have an entire chapter devoted to "money" and another to "the law"...but most of the book is deeply technical with lots of code to play with.
gem
Posted by: gem | July 18, 2007 at 12:24 PM
;O No!
Posted by: AION | October 27, 2007 at 11:57 AM