What's up, Chuck?

At work I'm currently researching systems and process automation for our internal servers. I have also been researching distributed datasets and am currently looking at the Cassandra project. Other things that have made it to my brain: Heartbeat, Linux Virtual Server, and DRBD for High Availability solutions.

So what about when I'm not at work? Believe it or not, Web-based RPGs have played a big part in my "off-work, on-line" time for a while now, so I guess I'll update anyone who is here from any of those games: I've quit Bootleggers. Roderik, if you read this: Keep my points, haha. The short story is that I had been IP banned (due to a misunderstanding, not due to anything malicious) but there was a bug in the appeal forum's authentication that allowed anyone to access the details of those bans. This made my ban public knowledge. While Sabin was certainly kind enough to fix it as soon as it was brought to his attention, I decided that it made a good "walking away" point.

So what's next? Well, I've been playing Downtown Mafia as well as doing some game development of my own. I'm currently writing a code-base for some web-based RPGs I have had ideas for. I may eventually try to sit down and learn ActionScript/Flash/Flex and start making my games a bit more... "immersive" but, for now, regular HTML (with maybe a little bit of JavaScript) will suffice. And of course, with web-based game development comes web-based game development research...

Web-based vulnerabilities have always been a priority for me, and the best way to find interesting ones is to exploit these web-based games. I'm not talking standard stuff like SQL injection, that's more or less the same everywhere. I'm talking about games relying on client-side security (yeah, I'm talking to you, DTM) and strange implementation- or language-specific bugs.

Most of the time, weird implementation or language quirks are just thought of as bugs, with no real security context. However, in most web-based RPGs this is different, and they should be treated with the same severity as any breach of business continuity. Web-based RPGs are virtual "worlds" with their own community and, most importantly, their own economy. The way game operators (often known as "Admins" in game) make their money is by selling a virtual currency, generally known as points, for real money. Whether they are known as points, credits, gold, or Lindens, the concept is the same: this currency can be exchanged either with other players for objects or services, or back to the game for special items or features only available with these points. Any bug, whether it's a serious SQL injection vulnerability or a "minor" logic bug that allows players to unfairly advance in the game, should be fixed immediately (like security vulnerabilities) because unethical game play will ultimately lead to unhappy customers and reduced revenue.

In extreme cases, entire in-game economies can be ruined as well as the experience for fair-playing players and paying customers. This may lead to a "reset," in which the database is wiped clean and the game starts over from the beginning. On one particular game, if there was a reset then players would be awarded any points that they bought during the entire previous round. I'm sure this meant a very long period of time of minimal revenue for that game owner. :(

This is just one example of what would be a minor annoyance in some applications having the potential of becoming a business killer for others.
