My name is Ferdinand Trover and I'm a researcher, security researcher to be more precise. I used to work in the game industry and I took a look at the general state of security in the game industry and that's the presentation you're gonna see today. It's pretty scary what's out there. I'll take questions at the end, so if you've got anything that's pressing, please write it down, remember it at the end. Okay, let's get started.

I want to give you a quick idea of how this talk is gonna be structured. First of all, I'm gonna talk about the history of games which explains kind of the mess we are in. Then I'm gonna give you a quick idea of what the gamers out there are thinking and if you're a gamer yourself, you probably have a slight idea of what's going on there. Just out of curiosity, who plays games in here? That's what I expected. Yeah, who doesn't? Anybody?

Then I'm gonna talk a bit about the developers that actually make games because it's interesting to go a bit into their mindset and look at the specific challenges that they actually have compared to a regular developer. It's not too vastly different, but it's interesting to look at. The next step is what is crystallizing to become game engines. Think of it like the backbone of the game that in the future will be shared between multiple games for mostly financial reasons. Then obviously, once you see how bad this is, the question is what do we actually get from it? Profit. And then I'm gonna take a quick look at the malware that's out there which is quite interesting and very surprising. And then I'm gonna go into what I call games 2.0. You'll see what that is in a bit. And then I'm gonna go into an exercise in exploits. The thing to note about here, I kind of like neutered this because I didn't want to go into anything that you could really replicate out there because it will just get me in trouble. Sorry.

Okay, the clarifications before I go into the talk is I'll be talking about PC games.
So if you have been thinking about your console, sorry, I tried to scope this down because there's so much to talk about and I cannot touch everything. In the spirit of this, I'm also gonna look at non-casual games mostly. This is like the games that you actually buy at EB that you pre-order that you pay premium price for. Think of your Call of Duty, your Crysis, something along that line. I'll also not be talking specifically about web-based games. There is a lot of things in common here and they're kind of merging together but so far I'm gonna stay with the client view on the PC. I also won't be genre specific so I will look into shooters, MMOs, what have you. For the MMOs themselves, I'll be looking at the client only for now. There's a whole slew of problems that you get with the server if you actually just think about your own client that you attack the server with. Since this is not directly exposed to us, it's more interesting to think around on the client for now.

Here you see the historical development of games in a very visual aspect between the late 1990s and 2008. Does anybody have an idea of what the left game is? Anybody? Yes? And the right game? Perfect.

So historically, games in the late 1990s have not been mainstream. Nowadays they actually are. If you have been paying attention to the news coverage for GTA IV, you'll actually note that the first review for GTA IV was in the New York Times. This is pretty indicative of where the whole industry is moving. In the 1990s, you used to have nerds play their own niche video games, which I kind of miss now. And now it's just this mass market phenomenon. This also explains why the costs of games or to produce games have exploded. You used to usually get a game between like two to three million dollars and I'm talking about the really popular games out there that are selling a lot. And nowadays you have to almost tenfold that. I mean, you're talking about 15, 20, sometimes even 40 million dollars.
The development time on the other hand has not increased significantly. Gamers still want their newest iteration of their game to be released roughly in a one to three year cycle. And this is actually one of the problems already because you see there's more pressure on the development team. You need to reuse more code. And in general, you just don't have so much time to pay to engineering and proper security practices, for example.

This also ties in with the publishing that you have and the publishers for the people that don't know. That's usually a company that takes the games from the developers, pays them to develop the games, will give them a cut of the profit and does everything like the marketing and so on. Nowadays, you pretty much have three major publishers and the biggest one is EA. You, because of those three publishers, you have a lot of homogenization, homogenization. Street give out. Which pretty much tries to toss everything into one bucket and you'll see more of that later on.

Earlier you had a lot of custom graphic solutions. Every game came pretty much with their own engine and the only thing you shared was the low level graphic stuff that you still have to share now. Nowadays, you are pretty much limited to a set number of engines. Either, you usually have two choices. You'll either reuse the engine that you've used in the previous game because most of the games nowadays have sequels. So for example, this would be, if I use a name, Splinter Cell. Splinter Cell has used the same engine for all installments. They've upgraded it, but usually they've used the same engine or derivatives of the same engine. The other engine type that you have is you just have an engine that is something that is shared between multiple games. So for example, you have the Unreal Engine that is shared between multiple games that do not have something in common.
The number of those games, the number of those engines is actually dropping significantly and that's due to the fact that it is very expensive to build an engine and people want to share it. The problem with this is obviously, one exploit on one game binary, more specifically on one engine, will cover multiple games. This is just the fact of life if you use the same engine.

Middleware and for the people that don't know who, what middleware is specifically, it's usually something that you drop on top of your engine or in general on top of your game that provides extra functionality that you can't create yourself. It's typically AI, physics or something along those lines. Used to be not that prevalent back in the 90s. Nowadays, you have to have it in every game and that's partially also due to the gamer. We have like an increased sensibility about we want to have neat physics in games, we want to have awesome AI and it's the game developers simply don't have time to do this. Yet again, if you use the same middleware across multiple games, if you identify the binaries, you can just attack multiple games with one simple exploit.

Now looking at the distribution of games. Back in the 90s, you used the physical media pretty much. That's like 99%. Nowadays, you see the advent of digital distribution of full games. It's a bit tricky because they're big, so downloads are long, but it's mostly due to piracy, which I'll talk about in a bit. You have two big delivery mechanisms right now that are pushing really for the market and that's Games for Windows Live and Steam. Steam being significantly bigger at this point. You have this underlying game platform that basically allows you to play the game, unlocks the game and to some extent imposes some artificial restrictions on the games. But they also allow you to go into something that's bigger than the game itself like a community and that's what I call games 2.0, sort of like Web 2.0.
The thing that I don't like about this is you have content protection on top of those platforms which is an artificial restriction, which gets you into all kinds of trouble. And you have automatic patching, which is awesome for the noobs out there, but if you actually realize what automatic patching is, then that can get you into big trouble once you actually figure out some way of exploiting automatic patching because then you have got an awesome delivery mechanism to just push your exploits out.

Hand in hand with this, you have back in the 90s offline games. You had the advent of MMOs, they weren't very common. You had your Ultima Online, your first step in that direction. And you had a lot of multiplayer games out there that were your typical shooter. Nowadays, online is default. Pretty much every game ships with an online aspect. If you don't have online, it's not a real game anymore. And MMOs are huge, hands down. Like, for example, WoW. The problem with this is if you're online all the time, everybody can track what you're doing. You just need to have a packet sniffer. You can see when they're connecting to, for example, the game platform. You can see when they're connecting to the WoW server. You can see when they're just doing anything over the network. You don't even need to break the encryption on it or the protection on it. You can just develop usage patterns out of sniffing the network.

Looking at custom content, which is also one of the problems that it's good and it's bad. So I don't wanna speak against custom content here, but the problem with custom content is that it opens up this whole new attack vector. Back in the 90s, you had a very limited group of people that constructed custom content and it was for editors that were put on top of the game as a pure bonus. You needed to have a significant expertise, actually getting those to even run and work correctly. While on the other hand, nowadays games pride themselves on having an editor.
There are games out there that are virtually just a sandbox that allow you to just create anything and share it with the community. I won't say any names here because then people will get offended. But in general, the problem here is that you take content, you integrate it into the game and you have this awesome delivery mechanism that if you figure out how to exploit content, you can just push it out for free. You just put it onto your game world and it will be pushed to all other people. It's also interesting to note that you have XMLification of content, which means that everything that is bad or good about XML comes with that. And since game developers love to have the quickest algorithms out there, they will be probably tempted to write their own XML parsers, which we know is not necessarily a good thing. But in general, the biggest problem here is the automatic polling. If you give people the option to download it manually, which is an inconvenience, then you have at least some level of protection there. But automatic polling of content just gives you a delivery mechanism.

The same applies for community. Back in the 90s, you had a community that was built purely around web. You had a couple of portals opening like Battle.net, for example, but it was mostly web-based stuff. Nowadays, you have these gaming platforms and they pride themselves on giving you community. Actually, for some of them, it was more like an afterthought because they originally were created to protect the content. And here, it's very obvious. You don't even need to play a game to log on to this. So you might be playing a game that you think is purely offline, something that is single player and you don't touch the network in your mind. But underneath the hood, the game service actually connects up. And for example, for Steam, if you haven't been online for a week, you're locked out of all your games because it needs to verify it again, it needs to pull down the keys and so on.
And again, I can see what you play in detail even.

So what did not change over time? Game developers are still spending a lot of time to making it pretty. Pretty sells. I mean, that's just the fact of life. If you get a game out there and it has under a sticker, "awesome engineering, look at how good our game architecture is," but it looks like crap, you probably won't buy it. Security is not a major concern because my favorite quote here is like, it's just a game, right? What should we worry about security? And because of all the pressure that you have, you also need to use significantly more middleware in production of these games.

The other problem here is also that games are not really stable, which lowers the bar kind of a bit for attacks because if your task manager crashes or your internet browser just goes down, you might be kind of suspicious. But to be honest, how many people have seen games crash constantly? It's not really that far fetched to have just a crash because it was poorly coded. Patching is because of this also common, either for stability or for new features. Usually most of the patches are for both, but it's not for security in most cases.

Hacks, cracks and trainers are also still available pretty much throughout the network. You just go onto Google, you type in your favorite trainer for a game and you will just get it. You type in a game and say no-CD patch and you will usually find it. It's very hard not to find a game that doesn't have these. But while this might be something awesome that saves you from always putting the disk in, assuming that you have legally purchased it, do you really trust the guy that actually wrote this? Do you think the guy in Russia that provided you that kind of executable or that patch didn't put anything in there? Most gamers will just download it and be happy and never worry about the consequences. And this ties in with piracy.
A lot of those online platforms like I talked about have been built not because there are new features, there's something cool for the gamer, but because companies wanted to protect their investment and wanted to have something where they can prevent you from actually going ahead and just ripping this from a disk, dropping a new disk patch on it and go. So a lot of those platforms were just built for the wrong reason. It's not pretty.

Now let's take a look at the gamer and that wasn't a gamer by the way. Generally PC gamers are significantly more hardcore than your average console gamers. That's why I kind of like this market more than the console gamers. You actually need to have significant expertise to get a game running. This is decreasing over time and developers try to make it easier, but it's still true that you need to have knowledge of your operating system, of your configuration and so on. You also usually have significantly higher hardware than your base market out there because you need to have a decent graphics card, you need to have a decent hard drive speed, memory, you usually need to tinker with your OS. In general, the system is beefier.

Gamers also tend to, or the really hardcore market I should say, tends to tinker around with the settings on their OS quite a lot. They will disable pretty much anything to get more frame rate. And this is usually all the security features and everything else on top of that. They will run it in the mode that will get them the highest performance, which in general is administrative mode. And I'll get to this in a bit, which is obviously not good.

The other thing that is interesting about PCs from a security standpoint is, and that hasn't changed over time, it's only increased is that it's a multi-purpose system. You use your PC to play games and you use your PC to do your online banking theoretically. I mean, if you trust your PC enough, but that's what people out there do. You do it for shopping.
There is a wealth of personal information up on your PC. And so it's not like a console where you just pop the disk in and if you own the console, you have like a box sitting out there. You have all that information that's stored there and you might even be able to siphon more information out of it.

Speaking also to what I said earlier about the crashes, the gamers are generally not paranoid, especially if they tinker with their system, if they overclock their hardware. They're just used to having stuff blow up on them because they overclocked it because they disabled some service that the operating system desperately needs. And they're also used to frequent patching. They will usually drop custom content on there as long as it's pretty, like I've already said. And they really think what harm can it do because it's not executable, right? I'll just drop stuff on there. It won't harm my system. It's just a texture. Well, we'll get to that.

Games also need to be run by default with the highest privileges. Luckily, I must say, this is changing. Back in the day, all games were just admin only and if you didn't run it as admin, they would break badly. And so once you own a game, you've got admin rights, everything is over. Nowadays, this is actually shifting and I must say thanks to Vista because you don't really want to play a game that halfway through pops a ULA dialog up and asks you, UAC, excuse me, dialog up and asks you for do you really want to do this? So it usually runs in limited mode which actually helps you for security quite a bit.

Most gamers also spend more time online which just makes them a bigger attack surface because you are even forced to be online with those platforms. You don't even have a choice and that's the thing I personally don't like because you're stuck with the system if you like it or not.
If you don't have an internet connection, you might be able to play your game for a week but in the worst case, you might not be able to play it at all. The other thing that's also true about gamers, if they have the choice between cool hardware or an increase in performance, they will take that over security. They will take something pretty and fancy.

On the other side of the fence, you've got the game developers. They're pretty much like any other developer that means they still make mistakes like all humans do except if they would be cyborgs but yeah, we are not yet. They're also under severe time pressure. They have hard deadlines. They need to make Christmas most of the time or some other date that the game publisher usually has set or they have set because then they'll just run out of money. This is true for other software as well but here it's critical and it makes or breaks a game company to be able to do that. Most games still run late which makes you kind of worry because you have games that are under severe time pressure, they can't do a lot of like in depth engineering and then they still run late. This also talks to the usage of canned code because the more canned code you use, the faster you will be able to push out a game but you can't really review that canned code.

The game, excuse me, the developers also love the latest and greatest and I've dubbed this the shiny complex and I've seen this over and over again. It's kind of amusing. You have the developer, they home in on something that they think is really awesome because it's this newest feature. They might even home in on it like three weeks before they want to ship because they just saw this awesome thing that adds like sparkles to the main character that looks awesome and gamers will just drool over it and while it seems like a cool idea to like get that out there and push it to the gamer, it causes a slew of problems.
It does not help with the schedule and the testing which it does doesn't make it more secure. Quick design usually means that you have quick exploits and quick coding usually means you have significantly more bugs.

Moving on to the engine. In 2007, there were roughly 810 PC games out there and this is based on Wikipedia numbers so this is roughly accurate. Hopefully, if you trust Wikipedia. 42 of those games are considered major selling games and to give you an idea of what this means this would be like Crysis like we've seen earlier, your Call of Duty, something along those lines. The results are actually interesting. Down on the right you have the graphics engines and 30 out of those 42 major selling games were reusing some kind of previous engines. In these 30, there are the three major engines that I talked about that are also used across games at the moment it hasn't crystallized out yet but you see the push more and more towards having a reduced number of engines there because it's not economically feasible to create your own engine. Only 12 games had a custom build of whatever engine that was used for one game only. Most likely if they get into a second iteration they'll reuse it.

On the left, on the right side you've got the distribution platforms and this is kind of counter what I said before in terms of games being more and more digital but you need to understand here that about a year or two years ago this would have been 99% only media like disks. Nowadays that little chunk that is like 130 or 138 games of digital media is just exploding. I expect this to be by next year probably twice the number and the year after that even more. It's just huge and big and coming because both the developers and the publishers have realized that that's the best way to curb stomp piracy. And as you can also see here the biggest platform at the moment is Steam.

Game engines usually look a bit like this.
You've got the usual stuff that you would expect for game engines to have here like graphics, animations, physics, audio and so on. While you note here that physics usually is a third party it might also come with the engine. The other thing that's interesting here is the scripting language. You've got a scripting language in most games that allows you to do specific stuff and this might even be a C derivative or something that's very, very close to C underneath the hood that runs in a sandbox. Well, you might already guess the problem. No sandbox is perfect and this can cause huge issues if you manage to exploit this or just get full disk access with this.

The things that are new here is in-game ad systems. For example, in-game ads are up and coming. It's still a question if they will stick around because if you run through the magic forest and suddenly you get an advertisement for Coke on a billboard it probably isn't that good. But if you play Madden and the ads in the background are actually real ads that are served to you in real time you probably don't care. So there's still some shake out to do but this is probably gonna stay around because it's just another revenue stream.

The other thing that is definitely gonna stay around and is new is the online platform. And this is so wide at the bottom because this goes across the whole engine. This might even in the future be integrated into the engine. At the moment this is still third party so they add it onto a game but in general it's just something that really is gonna stick around.

Another thing that's interesting about engines is that fixes by users and users in this case are the game developers. They are not shared because you usually patch games not engines. And you might have fixes that are even custom to the developer or the game. So even though they might have found an exploit in game A that they release, game B might not be able to fix it with the same patch and it's just too much effort.
The other thing about game engines that's interesting is that the binaries are not hard to trace. You can just go ahead, go into your favorite game directory, go down, try to figure out where the physics engine is once you have got a name for it, click on the properties and you will have the file version there. This file version is usually indicative of very detailed information that you can get out of. So for example, if you have a file version 1.5 there and the next game has a file version of 1.5.1 then it's very likely that the exploit you just found in 1.5 is also applicable to 1.5.1. And sometimes game developers will just drop this onto their games so you don't even have to worry about different changes in the binary although they have the same version number.

Like I've already said, shared engines provide easy exploits, middleware and so on. The thing that I want to add on here is that customization of the game engines that developers actually do for performance reasons might actually help you here because they could obfuscate one of some of the problems that you encounter.

So the question you might ask is, can we patch the engine? Can we have something where we patch the underlying fundamental problem and then just be done with it? Historically you patch games, not engines. It might not be a bad idea in the future to look into some kind of mechanism to patch engines but that would require developers not to modify engines and at the moment I think they couldn't make the games as pretty or fast if they would just stick with a generic engine that works for everything out there. In some cases the engine developer or the game developer might be the same development studio so you have an advantage there but in general this is not rolled back into the overall business. So if you look at an engine that's used by two different game developers and published by an engine developer then a fix from one of them will usually not be pushed over to the second one of them.
At the best the engine developer will actually get some kind of hint that there is something wrong and fix it in the next version. And again automatic packaging can be spoofed too.

Well the question now is where's the profit? It's just a game, there's nothing to gain, right? Yes. Profit here is two-fold. You've got the game side and you've got the system side. On the game side the first two points might be pretty obvious depending on the game you're playing on. Griefing and cheating, that's usually not something that I don't really worry that much about. It might piss you off terribly in game, you might wanna drive down to the little kid that just like cheated the heck out of you and cave his head in. But that is not that much of a problem in comparison to your payment information, your full personal information. All your virtual assets that you spend hours, countless of hours creating in the game or even that you spend real money on buying in the game. Think of something like Second Life.

On the system side you have pretty much everything you can gain from hacking a regular system. And like I already mentioned a bit earlier is systems of gamers are usually significantly beefier. You have better hardware, they are a better staging system. You have a broadband network connection. It's just a cool place to start out from and do more malicious stuff from.

Virtual economies are the other thing that you can get huge profit on. At the moment there are about 14 plus million MMO gamers out there which is huge. And to give you an aspect here, I think 10 million of those actually involve World of Warcraft. It's quite insane. The user base is a huge target for malware. I mean there's just tons of stuff out there. And those virtual economies obviously also create a significant stream of revenue. On one hand you have the stream of revenue that is directly to the game publishers and the game developers which is the monthly fees. But you also create a lot of money through game assets.
I mean you had this whole discussion about one and a half years ago about taxing in game property. That's because there's so much value there. You spend time, you create wealth in the game that you can actually sell on eBay for example. And the other thing that you might spend money on is services that are rendered to you which is gold farming, auto leveling and stuff like that. And this revenue is in real money. It's not something that you can cash out on. This is especially true for in-game microtransactions. There are a lot of games in Korea actually. It's really popular there that you get free games. And then you actually pay for pretty much everything that you have in game with microtransactions. So you might be spending without noticing hundreds of dollars on a little game with fluffy pink balls, I don't know. There's some interesting stuff in Korea and MMOs if you're interested.

Obviously this means that in virtual economies every exploit can get you quick gains. Stealing assets, selling assets that you have just acquired, leveraging players' accounts, just creating games, creating assets in the games that you will sell later on. And obviously their all-important payment information. That's why usually developers of those games are really easy to react if there's anything wrong with their server or their service in general. But they usually are slower to react to actually fix something like exploits on the client that will just own your information.

And this brings me directly to the current malware. The top of the line malware that is out there at the moment and the biggest chunk clearly is the account stealers. These are small little malware pieces that go ahead and will just try to grab the account information for MMOs and they usually span multiple MMOs. There's a lot of different stuff out there but there are eight big families.
And the scary part here is that according to the Microsoft Malware Protection Center and if you don't know who those guys are those are the guys from Windows Defender, that little thing that ships with Windows by default, have identified in June alone 2.5 million systems out there which is 18% of the user base of MMO players that had been infected with account stealers. It is unknown how many accounts have been stolen from those because sometimes these accounts are just leveraged to post something to a message board or something like this. But this is a huge number and there are indications that for July this number might be twice as much and that's just the stuff we know about. That's not the stuff that we haven't noticed yet because it's not covered in those eight families or it's very well hidden.

The propagation of this type of malware is actually not that complex and not that tricky. It's mostly done through the community, through community sites, through social engineering, through what you usually would expect from malware. There's nothing that pushes it automatically to your system in most cases. It's pretty straightforward. This is pretty much the state we are in right now with malware.

Now moving on to games 2.0 which is something that's very dear to me because I like privacy. Games 2.0 to repeat are the games that are fully integrated with online platforms for example MMOs or games that run on anything like Steam or Games for Windows Live. The privacy concerns here are mostly that the system knows when the game is run and it is required to unlock the game which is purely something artificial that is done because there are too many people out there that will just pirate the game otherwise. The online status of a game is usually published and you might be able to deactivate this but underneath the hood the system always knows if you're online because otherwise you can play it.
It might be even underneemers underneath the hood but you can still sniff the network and find out when people connect to the service and voila, you've got a full nice user profile. The other game, the other part of this that's interesting is that all of those systems or most of the systems actually keep some kind of track of what you have done in the game like achievements or something like this. This allows you to create a nice user profile sometimes even with time slices. So if you have discovered that little kid that just pranked you earlier, you could look into his user profile, figure out when he's not at home and torch his house or something like that. I don't recommend you do that. Also a list of friends is very easy to obtain. That might not be real life friends but you might be able to with this list of friends relatively easy socially engineer somebody and drop even more malware on top of him. Basically you get everything from these platforms that you would expect to get from a social platform like Facebook and you get significantly more too. It's hard to get or almost impossible to get around this. You have to do this and that's the thing that bugs me. If you want to play those games, you have to be part of this platform. You cannot opt out of it unless you say I'm not playing this game. Well for a social platform you always have the option to opt out.

Now to something that should be pretty interesting. Exercise in exploits. I've got three examples here that are not necessarily something that you could do right away but it should give you a rough idea of how the biggest exploits are in the games right now. And I'll start off with the little nude patch that could then go to the post and then give you an ad from hell.

Well this is an engine exploit or a scenario for an engine exploit. So the idea here is that you've got Alice who plays this game and she's not happy with the scene on the right for purely academic reasons.
And she goes up to nudepatchworld.com (which by the way doesn't exist right now, so if somebody in the audience wants to start a business, go ahead) and finds a patch that has been provided by Bob. She looks because she actually knows about threats that could come through patches like this. She knows how to disassemble them and looks through them, and she actually finds that there is a character file and a modification to her game settings that will reference that character file. And the character file only seems to contain a texture, so no big deal, right? She drops it in there, but actually as it turns out Bob just pwned her machine and is enjoying her credit limit. So what happened? Looking deeper into this, you had the character file, but the interesting thing here is that there was script code in there because, as I mentioned earlier, engines also have script engines in there. And this script code is actually the problem. It's executed in the game with the game permissions, and that's usually administrator even on new systems, and it also is crafted so it gets executed before the model is loaded. And ideally, if you want to be sneaky about this, executed once and once only. Well, script code is run in the sandbox, right? So this shouldn't be a problem. Not necessarily. Because the script engines are highly complex and can cause severe issues if they're not engineered properly. It is just a matter of time until you find something that allows you to get access to something deeper down. So grab your favorite fuzzer, run it on the scripting engine and you will find something. Ideally this will just allow you to create a one-time hack, but you might even be able to do something significantly more sinister. And once you're there, you own the box because you're usually already administrator. The next one is social engineering, which is the biggest one out there like you've already seen.
The scenario is that Alice is playing an MMO with roughly nine million users, no names here. And she goes to the message boards and browses them quite a lot for information. There's a little Flash tag in one of the posts that she is looking at and there's nothing specific going on. She responds to that post and suddenly Bob actually has all her account information and everything. And he also uses that account to make more posts. The problem here is very, very straightforward. Bob just exploited a Flash vulnerability, and this is actually critical because even if your game is secure, your website might not be. Or even if you have patched your game to be the safest thing on earth that nobody can hack even if they are totally leet and have awesome skills, you could still have a user out there that runs the crappiest browser on earth and gets pwned immediately if you just sneeze at the browser. And so, securing games is not everything. This is actually to some extent outside of the hand of the developer, and that can be a very big problem too, as some MMOs have experienced. And the last thing here, and I'm blazing through this in the sense of time, is a middleware exploit. The scenario is that Alice actually has her favorite game and it just got in-game ads, like you see in the screenshot. This is provided by middleware. Well, Bob uploads a custom image to the middleware and he might do some sneaky stuff to sneak it into the system, he might just purely upload it. But the interesting thing is that whenever Alice views the picture, she crashes, and what happens underneath the hood is that Bob just pwned her machine. And by the way, this is true for everybody that watches that image. Well, what happened? And this is what you might have already expected. There's an image rendering flaw in the ad system, and one flaw covers all gamers because it's an automatic delivery system. And the user can only prevent the attack by not playing the game.
The biggest problem here is that one exploit can put the whole cloud at risk. You've got this automated delivery system and you also have to make sure on the back end side that nobody is able to either spoof this or upload stuff. And this is sometimes really critical because developers will not necessarily think immediately about their bad implications, because if I've got enough money, I could just make up a bad company, submit something to them and pwn the whole cloud. By the time they figure it out, I'll be on the Cayman Islands and enjoying my new accounts. So in-game advertisement engines also have additional code in there that will tell you when, where, how and who watched pictures, and that just increases their attack surface. This is pretty much the end of my talk, so I'll open the floor to questions. Anybody? Go ahead. I haven't seen anything specific, so the question was if anybody has done an analysis on the EA's ad system. I haven't seen anything specific for this, but it would be very interesting to take a look at that and see how they're actually filtering their content, which is to some extent not exposed to the regular user out there because you're just on the receiving end. Anybody else? Cool, thank you.