11 people were charged with stealing 40 million credit and debit cards. I'm not sure which is scarier - that 40 million payment cards were stolen or that it only took 11 people to do it.

The scheme began in 2003 and continued until this year, showing the effectiveness of internal security monitoring.

(via CNNMoney.com)

A TSA contractor who was busy certifying people as being trustworthy to speed through security apparently didn't take good care of the data of 33,000 applicants (see PC World). A laptop with their data (including passport numbers, addresses, birthdates, but not Social Security Numbers or credit cards... I'm sure that's comforting) was lost.

Oh, of course, the data was not encrypted, but it was protected by TWO PASSWORDS!

In a hysterical dodge, the company, Verified Identity Pass, made the wonderful statement:

"We don't believe the security or privacy of these would-be members will be compromised in any way, but out of an abundance of caution, and in keeping with a policy of always leveling with our members, we wanted to issue this warning regardless of which state law may or may not require it."

I LOVE IT.

VIP will be required to submit an independent audit, verifying that required security measures are in place, the TSA said. The agency will verify the audits before VIP can resume its Registered Traveler program, Davis added.


Gosh that's comforting.

Of course, this great security system is used to register people to bypass the "tedious" security that the rest of us go through. My confidence in the TSA grows by leaps and bounds.

Identity is a particular challenge for protecting children. In the US, a child’s privacy is protected under COPPA and, as a practical matter, mishandling children’s identity information is bad business and worse public relations. Kids don’t see it this way. They want to play games and there is nothing like a “No” answer to encourage devious behavior. When a player registers, even an adult, the goal is to deter bad behavior. The other problem that occurs is that some parents will collude with their children to “game” the system.

A good system should include both carrots and sticks: rewards and punishments. Online identity is a hard problem. Face-to-face identity is not. However, face-to-face identity is not cheap. The obvious answer is to get the user to pay for her own identity verification.

How about a T-shirt?

Delivery services offer the ability to confirm identity via signature receipt. It is fairly expensive to pay for this service purely as an identity verification method. However, consumers will often pay for receiving a T-shirt, poster, or other item. The marginal cost of adding signature verification is low and, of course, the consumer is now actively engaged in marketing your game. The worst case scenario is that you might have to convince your marketing department to subsidize the shirts or items.

On to the sticks.

An approach to handling both of these problems is an obvious, serious financial penalty for misrepresenting information and the threat of legal action. For example, the game provider could levy a $250 charge for handling and revoking a fraudulent identity. In addition, since identity theft and credit card theft are both crimes, the service provider should be willing to pursue legal action and do so pretty publicly. Both of these would be highlighted during the registration process with a clear, explicit acknowledgment. If an incident does present itself, the company should be willing to follow through. Enforce the fine, take legal action, or both. If the service provider does take legal action, they should do so publicly. Publicity will aid credibility and deterrence.

I saw the title "3,000,000 Online Poker Players Data Records Exposed" and thought, awesome, another privacy breach.

Nope.

It's a public data breach.

A software company, PokerSharksRadar, is selling a charming product. They claim to have detailed records of the playing habits of 3 million online poker players and are selling you the information to give an advantage in your poker play.

The idea is interesting. After all, many sites store the logs of game play for players (allegedly for security reasons). Why not sell it to PokerSharksRadar?

It's not private (unless the online poker room tells you it is), though it is rather sensitive if you have enough such information.

It would be kind of nice to have the detailed records, in a nice searchable format, of all of the poker hands that your opponent has ever played. It certainly would give you an advantage.

Fun.

Of course, you could do the same for pretty much any game.

Now, it would be a great idea if game companies started to have policies of not sharing players' game play histories with third parties.

Tony Cabot and Michael Lipton, two notable gaming attorneys, gave a presentation on the US and Canadian views of Skill Games and Fantasy Sports, and I thought I'd share some interesting bits:

1. In the US, there are three types of random in games that can affect the legal status of the game:

a. Systemic Random - dice, cards, random number generators, and such.
b. Imperfect Information - Rock, Paper, Scissors and such where the lack of perfect information creates an environment where player choice is equivalent to random (though some would argue that Rock, Paper, Scissors may be skillful in the long term).
c. Unfair Choice - if you have a game where the outcome is based on something that is inherently unfair and so the game reduces to a game of chance. For example, a trivia game with highly obscure physics multiple choice questions given to elementary school children.

In Canada, they only recognize games with Systemic random as gambling games.

2. In the US, games are divided into 3 categories: games of chance (with no skill), games with a "preponderance of skill", games of pure skill.

In Canada, games are games of chance, games of chance and skill, or games of skill.

In both countries, if a case comes to trial, this is a "Question of Fact". So it is a factual question settled by expert witnesses and such.

3. In the US, skill games are allowed in about 30 states with a preponderance of skill, in 10 states only if they are of pure skill, and in another 10-12 states, they are not allowed at all (I don't have a list, but would like one).

In Canada, things are decided nationally. If there is an element of skill, then the game is not a game of chance (gambling).

4. Fantasy sports are allowed in both countries. Game makers should be careful to look at the structure of a specific game. For example, fantasy sports that cover an entire season are certainly predominantly a game of skill, but if the game only covers one weekend, it could be judged a game of chance.

5. Duplicate Bridge is a game of skill as there is no chance element in the game outcome.

6. If you have a contest with both a paid entry option and a non-paid option (Alternate Means of Entry - AMOE), the two versions must be truly equivalent - the term used is Equal Dignity. The prizes are the same and the AMOE is not "unfair" to non-payers.

As usual, if you are looking at skill games or contests, get the advice of an experienced attorney!

Game companies often don't have a great reputation for customer service. In particular, canceling a subscription to a game can be annoying (kind of like quitting a gym!).

This works until you run into someone who can do something about it.

Like a government.

Illinois has declared war on Final Fantasy XI. The game spurred a law that effectively has banned any online game service that doesn't give a quick, easy way to cancel:

Provides that an Internet gaming service provider that provides service to a consumer, for home and personal use, for a stated term that is automatically renewed for another term unless a consumer cancels the service must give a consumer who is an Illinois resident: (1) a secure method at the Internet gaming service provider's web site that the consumer may use to cancel the service, which method shall not require the consumer to make a telephone call or send U.S. Postal Service mail to effectuate the cancellation; and (2) instructions that the consumer may follow to cancel the service at the Internet gaming service provider's web site.


If there was ever an argument for the online game industry to form a trade association and get some "Industry Best Practices" together, this is it.

M. Fahey (2008), "Illinois Law Spurred By Final Fantasy XI Cancellation Issues", http://kotaku.com/5032004/illinois-law-spurred-by-final-fantasy-xi-cancellation-issues

(via Kotaku)

45 percent of Pre-Teens & 30 percent of Teens victims of Cyberbullying, according to a story from WCVB in Boston - DON'T USE THESE NUMBERS

I couldn't actually find the claimed survey at the PTA which led me to some further investigations of cyber-bullying and online sexual predators.

The linked numbers are a bit less dramatic, according to Charlene C. Giannetti and Margaret Sagarese of the PTA:

1 in 17 children between 10 and 17 has been harassed and of that 6%, one third, or about 2% found... in 2000.

The best source that I've found for real analysis of the issue is the Crimes Against Children Resource Center.

On Bullies and general issues for protecting kids online:

Some more recent data has shown that online harassment has risen to 9 percent, substantially less than the 17 percent that are bullied in real life.


On to Sexual Predators (by the way, DO READ THIS LINK, there is a lot of useful information):

For example, an often cited figure of 1 in 7 kids has been contacted by a sexual predator. The more accurate number is 1 in 25 received an online sexual solicitation from someone (not necessarily a predator) with an attempt to meet in real life.

Interestingly, most adults don't lie, they flatter the youth, but they don't misrepresent their age or interest in sex. The youth involved are not pre-teens, but typically 13-15 and the crime is statutory rape, not forcible rape.

Articles about online dangers frequently cite statistics from a 2005 University of New Hampshire study that 13% of youth were sexually solicited by online predators. (This statistic is sometimes referenced as coming from the National Center on Missing and Exploited Children, which funded and published the study).

As the authors of the research upon which these numbers are based, we believe these statistics often have been misunderstood. The following points are important caveats that those using or quoting this statistic need to understand in order to avoid further confusion.

1) These solicitations did not necessarily come from “online predators”. They were all unwanted online requests to youth to talk about sex, answer personal questions about sex or do something sexual. But many could have been from other youth. In most cases, youth did not actually know the ages of solicitors. When they believed they knew, they said about half were other youth.

2) These solicitations were not necessarily devious or intended to lure. Most were limited to brief online comments or questions in chatrooms or instant messages. Many were simply rude, vulgar comments like, “What’s your bra size?”.

3) Most recipients did not view the solicitations as serious or threatening. Two-thirds were not frightened or upset by what happened.

4) Almost all youth handled unwanted solicitations easily and effectively. Most reacted by blocking or ignoring solicitors, leaving sites, or telling solicitors to stop.

5) Extremely few youth (only 2) were actually sexually victimized by someone they met online. This number was too small to be the basis of a reliable estimate of how many youth in the population get sexually victimized from online meetings.

Nonetheless, we were able to make estimates in the study of some of the more serious types of sexual solicitations. We prefer citing the statistics about these as more representative of threatening or dangerous situations that youth encounter online.

* 1 in 25 youth (about 4%) got "aggressive" sexual solicitations that included attempts to contact the youth offline. These are the episodes most likely to result in actual victimizations. (About one-quarter of these aggressive solicitations came from people the youth knew in person, mostly other youth.)
* 1 in 25 youth (about 4%) were solicited to take sexual pictures of themselves. In many jurisdictions, these constitute criminal requests to produce child pornography.
* 1 in 25 youth (about 4%) said they were upset or distressed as a result of an online solicitation. Whether or not the solicitors were online predators, these are the youth most immediately harmed by the solicitations themselves.

Reports and papers about this study, information about other research we have done, and contact information for the authors are available at our website www.unh.edu/ccrc. Please feel free to contact us if you have questions about any of our research.


No one is suggesting that these problems should be ignored, but it is important to get the real answers and use real numbers.

Everybody makes mistakes. We all commit errors, take our lumps and move on. However, it is bad business when you take your customers down with you. Yahoo Music is shutting down, which is unfortunate but not surprising. What is more than disappointing is that the company is "unselling" the music that it sold to its customers by shutting down its DRM servers at the end of September (reported by Nate Anderson in Ars Technica and elsewhere).

What are they thinking?

How likely do you think these people are going to be to EVER buy ANYTHING from Yahoo again?

Just how expensive is it to run DRM servers? Did they consider selling the servers to someone else? Transferring the customers and their keys? Create any sort of transition for their users?

Microsoft made a similar announcement a while back with its MSN Music service (though they are keeping the servers up until 2011 - what happens then?).

These kinds of moves do more to settle the case against DRM than anything else. They show a total lack of concern for your customers and pretty much confirm that the real goal is to radically change the notion of ownership of media.

Is this necessary?

Of course not. As noted above, why not provide an orderly transition to another service, keep the servers running, or otherwise compensate your otherwise loyal customers?

Or you could just give them their music.

2K Games recently turned the DRM service off for Bioshock (via Destructoid). This didn't result in the game going away for the paying customers; the DRM turned itself off and left the players with a DRM-free existence.

Any serious DRM product should have a way to be disabled (of course, this does make me wonder how to convince the software to turn off the DRM, but that is a discussion for another day).

Farewell, CAPTCHA. Completely Automated Public Turing Test to Tell Computers and Humans Apart... doesn't.

As more and more businesses have come to rely on CAPTCHAs, it has become more and more valuable to beat them.

And, where there's a dollar, there's a way, as seen in a superb article by Steven J. Vaughan-Nichols in Computerworld.

A tool to automate postings at Craigslist, CL Auto Posting Tool, costs a mere $99.

And there's more:


Optional Add-Ons
**NEW** Word-Verification Bypass Add-on. Read More > $99
Automatic Repost Add-on. Read More > $99
Proxy IP Add-on. Read More > $99
Automatic Posting Scheduler. Read More > $99
**HOT** Backpage.com - Post your same ads automatically to backpage.com! Read More >
**NEW** Word-Verification bypass for BACKPAGE addon above! $99
$49
**NEW** Auto Dialer - automatically redial your modem for a new IP address! Read More > $99
CL Emailer - automatically find and contact leads! Read More > $99
MySpace Account Creator. Read More > $99
Yahoo Account Creator. Read More > $99


Nifty, huh?

This isn't the only tool; there are competitors, some free.

Some games have moved to use CAPTCHAs to detect bots (an odd idea, one would think a good game would BE a CAPTCHA), so these attacks should easily migrate into games.

Reputation systems and other online services are also targets.

Caveat Homo Hominis - Let the Human Being Beware!

The Polaris poker bot beat its human opponents in the 2008 Man vs Machine Poker Championship according to StoxPoker.

The rise of decent poker bots could be a real threat to the online poker business if players suspect that they are losing to machines and not people. While MMO players may be annoyed about bots farming gold, poker players will be more than unhappy and, at worst, could abandon the game.

The bots only need to be "strong", not perfect: as long as they win more than they lose, they can be quite profitable. A real human can cover a large number of parallel tables to make sure the bots are doing well and handle any "anti-bot" measures... just like in a gold farming operation.

Poker farming, anyone?

Online gambling operations depend on their reputation to keep their business and acquire customers. There are numerous regulators available and game operators can "shop" jurisdictions. For a long time, the only jurisdictions that would license online casinos were certain Caribbean and South Pacific countries and some Indian tribes. Now, with countries like the United Kingdom establishing regulatory systems, there is more and more competition for regulators.

Just as with gaming operations, the reputation of regulators is key.

The Kahnawake tribe in Canada has been regulating online games through the Kahnawake Gaming Commission since 1996. Two recent scandals at Absolute Poker and UltimateBet Poker (see previous articles) have called its supervision into question.

Last week, the Kahnawake Gaming Commission responded to these problems with a press release:

KAHNAWAKE GAMING COMMISSION

Mohawk Territory of Kahnawake
July 23, 2008

Kahnawake Gaming Commission (the "KGC") has been continuously regulating online gaming for over 9 years – longer than most, if not all, other jurisdictions. During that period of time, the KGC has proven to be a world leader with regulations and methodologies that have established a regulatory environment in which online gaming can be conducted fairly and securely. The KGC's success as a regulator is evidenced by the fact that a significant percentage of the online gaming industry has chosen to locate and operate within Kahnawá:ke. Given the length of time that it has regulated this new industry and the significant number of licensees under its control, the KGC's record has been exemplary.

As commentators have correctly noted, even the most well regulated industries are not immune from abuse. Examples can be found in the banking, securities and land-based gaming industries. The fact that the online gaming industry is new and is technologically driven creates additional regulatory challenges. Throughout its history, the KGC has met these challenges and its regulations have been emulated in a number of other jurisdictions around the world.

Over the past several months, it was discovered that individuals within two of the KGC's licensees – Absolute Poker and Ultimate Bet – had created and carried out a scheme to cheat players. In both cases, the improper conduct of these individuals was brought to the attention of the licensees, and the KGC, by affected players. The KGC acknowledges the diligence and sophistication displayed by these players and the role they played in bringing these matters to light.

The first case involved Absolute Poker. After a thorough investigation carried out by the KGC and its agents, Gaming Associates, the KGC rendered its decision in this matter on January 11, 2008. This decision concluded that the cheating that took place was not initiated, nor did it benefit, Absolute Poker as a corporate entity, or its directors or principal ownership. The decision imposed a number of sanctions and conditions on Absolute Poker, including twenty-four specific directions for changes to its management and systems. The KGC was provided evidence that all players affected by the cheating that took place were fully reimbursed for their losses.

Shortly after its decision was rendered in the Absolute Poker matter, the KGC first became aware of similar allegations of cheating involving individuals within Absolute Poker's sister company: Ultimate Bet.

Over the past several months, the KGC has been closely involved in an in-depth investigation of the Ultimate Bet cheating allegations. Significant efforts have been expended to identify and correct the flaws in Ultimate Bet's system that permitted the cheating to take place; to identify the individuals that were responsible for the cheating and to ensure that all affected players were fully reimbursed. Unfortunately, the KGC's actions were not well communicated to the poker industry or public at large, creating an incorrect perception that the KGC was 'doing nothing'.

The KGC's investigation into the Ultimate Bet matter has yielded a number of key findings which, within the next several days, will enable the KGC to issue its decision on the appropriate steps to be taken.

It should be stressed that the KGC's primary concern throughout both matters was to ensure that affected players were fully reimbursed and that corrective measures were implemented to prevent against any further incidents of cheating. Both of these objectives have been accomplished – as evidenced by the fact that the recent concerns that have been raised about the Absolute Poker and Ultimate Bet matters are not being driven by affected players.


Murray Marshall
Senior Advisor
Kahnawá:ke Gaming Commission


(via Poker Cheating and Casino Cheating Blog: American Roulette)



About

Casual Game Dev is an aggregated blog to keep track of the latest casual games news. Email duncan /at/ casualgamedev /dot/ com to be included.