Thursday, November 15, 2007

In plain English

The post "A storm is brewing" was technical in nature, and was not particularly intended for the audiences it actually received, and as such, a lot of readers did not understand the items at issue.

I'll attempt to make clear and concise statements to help clear things up, and point to the real issues.

  1. Warden is a piece of software that Blizzard Entertainment uses to help protect World of Warcraft (WoW) from a world of cheaters and other perceived enemies, since its inception in a patch of the game on July 12, 2005.
  2. I am regarded as one of the most knowledgeable individuals outside of Blizzard Entertainment on the topic of Warden, and have first-hand knowledge of Warden through reverse engineering nearly every minute detail of the software since its inception.
  3. Warden as a whole is composed of three basic pieces: a piece on servers run by Blizzard, a piece in the World of Warcraft client that remains there until patched with the rest of the game, and a piece sent during the WoW login process that can also be replaced any time afterward.
  4. The piece sent during the WoW login process is the piece generally spoken of as simply Warden (and this is the piece I will refer to as Warden hereafter).
  5. Warden is polymorphic. What this means is that they generally create one set of functionality, and create hundreds of non-identical copies (which I will refer to as permutations) of it that produce the same end result. The reason for being polymorphic is to make Warden marginally harder to circumvent, and harder to detect when Warden has been updated with new functionality.
  6. There are typically about 318 permutations of Warden in distribution at any given time, according to our tracking information. This may be different as of the last few days, as at present time, Blizzard is only rotating a single permutation into the wild every few hours. Bear in mind that this can change at any time, and may go back to 318, or could literally be any other number bound only by Blizzard's computational power to produce them (without implying any such intent, WoW provides them with a lot of money; if they wanted to, this could be a much bigger number than 318).
  7. Warden currently has roughly a dozen scans available to it. Each scan searches for one type of thing, typically being informed of a specific thing of that type to scan for upon request by the server. For example, one scan that was previously used is a scan that could find a window open on your computer, and that scan would be told to run and look for a window titled "My cheat program" (not really that specifically, but for an easy to understand example).
  8. Scan responses typically involve simply a YES or NO answer, for example a NO that it did not find a window titled "My cheat program". Other scan responses do involve bits of memory directly retrieved from the World of Warcraft process, usually not encrypted.
  9. Warden performs a set of scans at random every 15 seconds during World of Warcraft play, per instructions from the game server. The scans are run, and the results sent back to Blizzard.
  10. Warden is effectively useless the vast majority of the time. The process generally works by making the assumption that for some period of time after a Warden update (meaning one specific set of functionality consisting of any number of permutations, not an individual permutation), the scanning capabilities of Warden are unknown to the cheater, and furthermore that the time of the update is unknown to the cheater. During that period, any cheater unwise to the update is vulnerable. However, once it becomes known that Warden has been updated, and how to defeat it, cheaters are no longer vulnerable. Consequently, during that period, Blizzard is the only entity that "knows" there is no concern for privacy, and customers are required to trust that.
  11. Warden updates have been tracked without Blizzard's assistance since early 2006. As such, any who cared to listen were notified of the update at the time of the update.
  12. On Tuesday, November 13, 2007, Warden was updated to include a new cryptographic (crypto for short) layer, presumably used to prevent man-in-the-middle attacks over the network (something done by those who emulate the WoW network traffic in order to automate game play without running the World of Warcraft client software). The cryptographic layer works for that purpose solely because the algorithm is generated, presumably at random, per permutation, and is embedded into Warden. Warden itself is not encrypted as part of this layer.
  13. Prior to the new crypto layer's implementation, all permutations of Warden could be vetted by security researchers in one fell swoop, effectively verifying that all permutations of Warden did, in fact, contain the same functionality.
  14. Ironically, the world of cheaters is the one tasked with making sure Warden is lawful, and notifying the rest of the World of Warcraft community when something isn't quite right. Consequently, the World of Warcraft community generally responds in favor of Blizzard, regardless of potential infringements of their rights, because they believe that Warden is becoming more effective by whatever is added to it.
  15. Before item #16 is read, I will reiterate that Blizzard has not, in my opinion and to the extent of my knowledge, broken laws with Warden's use in World of Warcraft. Nor do I believe they would knowingly and willingly do so.
  16. The new crypto layer's implementation creates a sort of vulnerability in the system, affecting users of the system, but of no concern to the creators of the system. Specifically, as this algorithm is produced at random per permutation with only the requirement that the server also be aware of the algorithm, it must be assumed that every permutation has a different implementation of the algorithm, and it doesn't make a bit of difference what the algorithm is. In the few copies I have reviewed, it is in fact a cryptographic hash algorithm, and the result is then used to re-key the encryption after sending a hashed copy of the key for verification by the server (the algorithm accepts random data from the server, and produces data that can only be predicted and verified by the server, without manually reverse engineering the permutation of Warden). The real problem is that this implementation can be exploited by Blizzard or an employee of Blizzard, at their sole discretion, with surgical precision if they so choose, to bypass any protective measures taken on behalf of the customer, and retrieve anything they may not be entitled to, even installing malware. There is essentially nothing stopping Blizzard from producing 100,000 permutations of Warden, slipping something unlawful into a single permutation, and slipping right through any network of researchers watching for just that.
  17. Typically this sort of thing is not an issue, as programs consumers purposefully come in contact with are not polymorphic, and it can be generally assumed that every copy of Windows Media Player 10, for example, is identical to the others. Security professionals can take their time in tearing it apart and letting people know if there is something to be afraid of. Warden, however, typically comes in hundreds of flavors, and the software routines are downloaded and executed in real time, and customers must not observe the behavior of those routines, as required by the game's End User License Agreement. This means that the customer is prohibited from viewing what Warden is doing, even if they have the knowledge to do so.
  18. While, again, I do not believe that Blizzard will knowingly and willingly break any laws, I do believe that the customer has the right to reverse engineer the software, if for no other reason than to verify that it does not violate privacy, install malware, and so on. Blind trust is a very good way to get taken advantage of, and you never know until it's too late.
  19. I regret that Blizzard is taking fire in a direct fashion for this, as I do not wish to make this specifically about Blizzard (although yes, I did call on Blizzard to promote transparency in their detection methodology, the issue as a whole goes well beyond Blizzard). I am not attempting to "fearmonger", nor do I see it as a positive thing that the original article was misinterpreted. I am also not raising this issue due to any implied difficulty in continuing to provide software that can hide anything from Warden (if you must know, my solution is waiting until I have solved this vulnerability for those that my software protects, and that solution will be available soon, but cannot address the greater issue).
  20. The issue that happens to affect Blizzard today, is likely to affect more corporations in the future, unless it can be legally curbed. It's a slippery slope, and although they may not be doing something wrong today in the opinions of many, Blizzard or similar corporations may continue dangerously down that slope and eventually the many may change their minds and become interested. With an End User License Agreement and Terms of Use that expressly prohibit research into their tactics, polymorphic code to help hide them, and now random functionality that makes it much more difficult to white list all of Warden (if you ask me what scans Warden has now, I can't tell you for certain), one must wonder exactly how far companies like this will go. Such tactics are usually reserved for malware to hide from anti-virus software! How much of our rights to know what information our own computers are sending out into the world do we have to give up, just to use software? What is stopping other companies from doing the same thing? Why would we trust other companies in the same situation Blizzard is in? In a world where corruption issues routinely make front page news, people need to realize that there are reasons new laws get made. We need to protect our rights as consumers, not blindly accept whatever agreement is thrown at us. Just because the EULA says something is prohibited does not mean they have the right to prohibit it.
  21. Besides, Warden effectively does little to solve the problem it intends to solve! Granted, Blizzard is able to ban some accounts from time to time, but they are showing that they do not need to have this software in order to ban accounts. Server-side detection mechanisms are more effective, as they cannot be subverted by client-side mechanisms, and cannot be discovered by reverse engineering the game client. Instead, server-side mechanisms would attempt to enforce humans playing the game, rather than bots, or attempt to enforce game mechanics where the player may modify them (e.g. by making himself move exceptionally fast). In this fashion, there is no inherent danger to anything on your PC, and quite frankly, if a cheater does not appear to be cheating to the other players, then clearly no harm is done to the game. But again, quite frankly, Warden does not greatly reduce the number of cheaters or botters, trust me they're still here, and in far greater numbers than when Warden was first implemented in World of Warcraft in July 2005. It does not reduce the real-money trade for in-game valuables, that's still here too, and likely in far greater numbers as well (though I don't have the data to back that up, I believe it is a growing industry) -- Server-side mechanisms are, however, at least somewhat effective there. If Warden is good at anything, it's simply delaying cheaters and botters by making them wait for protection, or it's good at putting money in Blizzard's (and Vivendi Games') pocket, because the majority of the accounts they ban end up coming right back and buying a brand new copy of the game, just to continue the cat and mouse game.
  22. Very nearly (if not exactly) the same level of effectiveness that Blizzard is sincerely offered by Warden can be gained without producing polymorphic code at all. Furthermore, removal of the polymorphic code would allow security researchers to ensure that customer data is safe, without blindly trusting Blizzard, to a much higher degree.
  23. I wish to reiterate that it's not my own data I'm concerned about. If this were about any implied difficulty in protecting myself from the system, I wouldn't even bother to blog about it. The problem is that I can no longer ensure the safety of other World of Warcraft players, including my own family, and I believe it is important for someone to do that. And again, not just for World of Warcraft, but for any software that seeks to use cryptic or secret methods to do their bidding.
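The vetting problem described in items 13, 16 and 22 above, as an added example that is not Blizzard's, Warden's or ISXWarden's code. The three `scan_window_*` functions are stand-ins for legacy permutations that differ in code shape but not in behaviour, the per-permutation "random algorithm" is modelled as HMAC-SHA256 under a per-copy secret (an assumption; the post says only that the algorithm is random per copy and known to the server), and the window titles and challenge bytes are constructed sample data. The harness shows that comparing outputs across copies proves equivalence for the old style, while for the new layer every copy legitimately produces a different result, so the same comparison cannot tell a benign copy from one doing something else; only the holder of that copy's secret (the server) can check it.

```python
"""Behavioural vetting of polymorphic permutations, before and after a per-copy
random hash is embedded. Added example, not code from Warden or ISXWarden."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Sequence, Tuple

# --- Part 1: legacy-style permutations ---------------------------------------
# Stand-ins for the pre-November-2007 situation: every permutation implements the
# same scan ("is a window with this title open?") with a different code shape.
def scan_window_a(open_windows: Sequence[str], wanted: str) -> bool:
    return wanted in open_windows

def scan_window_b(open_windows: Sequence[str], wanted: str) -> bool:
    for title in open_windows:
        if title == wanted:
            return True
    return False

def scan_window_c(open_windows: Sequence[str], wanted: str) -> bool:
    return any(title == wanted for title in open_windows)

LEGACY_PERMUTATIONS: Dict[str, Callable] = {
    "perm-a": scan_window_a, "perm-b": scan_window_b, "perm-c": scan_window_c,
}
# Constructed sample inputs: (open window titles, title the server asked about).
SAMPLE_INPUTS = [
    (["My cheat program", "Notepad"], "My cheat program"),
    (["Notepad"], "My cheat program"),
    ([], "My cheat program"),
]

def vet_permutations(perms: Dict[str, Callable], inputs: Sequence[Tuple]) -> List[str]:
    """Run every permutation over the same inputs and return the ids whose outputs
    differ from the first permutation's. Empty list: all copies behave identically."""
    ids = list(perms)
    reference = [perms[ids[0]](*args) for args in inputs]
    return [pid for pid in ids[1:]
            if [perms[pid](*args) for args in inputs] != reference]

# --- Part 2: the new crypto layer --------------------------------------------
# Each permutation embeds its own algorithm, modelled here (assumption) as
# HMAC-SHA256 under a secret known only to that copy and to the server.
def make_permutation(perm_id: str) -> Tuple[str, bytes]:
    return perm_id, secrets.token_bytes(32)

def derive_key(secret: bytes, challenge: bytes) -> bytes:
    """The permutation-specific function: server challenge -> new session key."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

def client_response(secret: bytes, challenge: bytes) -> Tuple[bytes, bytes]:
    """Client derives the new key and sends only a hash of it; it then re-keys."""
    key = derive_key(secret, challenge)
    return hashlib.sha256(key).digest(), key

def server_verify(registry: Dict[str, bytes], perm_id: str,
                  challenge: bytes, key_hash: bytes) -> bool:
    """Only a party holding this permutation's secret can check the response."""
    expected = hashlib.sha256(derive_key(registry[perm_id], challenge)).digest()
    return hmac.compare_digest(expected, key_hash)

def vet_crypto_permutations(registry: Dict[str, bytes], challenge: bytes) -> List[str]:
    """Apply the same output-comparison harness to the crypto-layer copies.
    Every copy differs by design, so the harness reports all but the first."""
    perms = {pid: (lambda ch, s=s: derive_key(s, ch)) for pid, s in registry.items()}
    return vet_permutations(perms, [(challenge,)])

if __name__ == "__main__":
    print("legacy copies differing from reference:",
          vet_permutations(LEGACY_PERMUTATIONS, SAMPLE_INPUTS))
    registry = dict(make_permutation(f"perm-{i}") for i in range(4))
    challenge = b"constructed-server-challenge"
    print("crypto-layer copies differing from reference:",
          vet_crypto_permutations(registry, challenge))
    key_hash, _ = client_response(registry["perm-2"], challenge)
    print("server accepts perm-2:", server_verify(registry, "perm-2", challenge, key_hash))
    print("server accepts same response as perm-3:",
          server_verify(registry, "perm-3", challenge, key_hash))
```

The second half is the point: `vet_crypto_permutations` flags every copy, and it would flag them exactly the same way if one of those secret functions did something besides hashing, because a comparison harness has no reference behaviour to compare against once each copy is allowed to differ.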

I hope I have made it clear that I do not have an inherent mistrust of Blizzard as a whole, but while we can share the belief that Blizzard means well, Warden is not stopping people from cheating or botting, and there are precedents to be set here. We can't lay down and give up our rights, or our expectation and even verification of privacy, to companies just to use their software.

I apologize for not having links to back up various statements, such as #21, but with any amount of research, you can verify that the cheating and botting communities have not left the game, and with some 9 million subscribers, I don't think anyone will find otherwise.


Update: Just a few excerpts from F-Secure's Malware Code Glossary that show potential relationships between this type of software (Warden) and what companies like F-Secure aim to protect you from. This is not an indication that I believe Warden itself is clearly any of these things, but it is definitely very close to the line if not, and again, this is not just about Blizzard and Warden, but about all current and future companies doing similar things.
  • Polymorphic Virus
A Polymorphic Virus is a virus which changes itself (mutates) as it passes through host files, making disinfection a serious challenge.
  • Rootkit
Rootkits are a technique that allows malware to hide from computer operating systems and from computer users. Rootkit techniques create stealth programs that run at a "lower" level than the user can see with normal software utilities. Malware attempts to use this method to avoid detection by security software.
  • Spyware
Spyware is software that performs actions such as creating unsolicited pop-ups, hijacks home/search pages, or redirects browsing results.

The term Spyware has been used in two ways: In its narrow sense, Spyware is a term for Tracking Software deployed without adequate notice, consent, or control for the user. In its broader sense, Spyware is used as a synonym for Spyware (narrow) and Other Potentially Unwanted Technologies.
  • Trojan
A Trojan or Trojan [Horse] is a software application with hidden destructive functionality. It is a program that appears to do one thing but actually does another.

Wednesday, November 14, 2007

A storm is brewing

Important note: A lot of people are misinterpreting this post because the details are largely technical. Please see the follow-up post "In plain English", as I believe I have covered most if not all of the points people are attempting to make after reading this article.

Coinciding with the most recent World of Warcraft patch (Tuesday, November 13, 2007), Blizzard has begun a more aggressive campaign with Warden. The changes to Warden effectively remove our ability as a community to police Blizzard's activities, and may lead to undetected violations of personal privacy, among other possibilities. I have until now publicly defended Blizzard's actions, which were already under public scrutiny, partly because of Greg Hoglund and his crusades (which I have never agreed with). I do not believe that Blizzard would ever intentionally break privacy laws (or any laws for that matter), at least in any manner that can be traced. However, as we all realize, there are gray areas, which Blizzard is no stranger to (I would consider Warden itself to be in that gray area, which does not seem to be illegal, but that many people would feel is a violation of their rights, and could potentially be deemed illegal in the future), and I do believe that Blizzard would enter those areas until legally bound to leave them (i.e. when the area is no longer gray, and consequences would follow).

I cannot condone or agree with the changes to Warden, and I fear they may be overstepping their bounds. The problem is that Warden has long been a polymorphic program, typically a concept used for viruses, spyware, and other sorts of things that an attacker may wish to hide (see the linked page from the words "polymorphic program", and take note of the described usages). In Blizzard's case, they intend to hide functionality of Warden from what they perceive as attackers, for the obvious reason of catching said attacker without him being tipped off as to how. Clearly, if said attacker knows how, he would attempt to avoid being caught. In itself, this polymorphism is not entirely destructive.

Historically, the polymorphic code produced essentially the same predictable results in the end, and Blizzard's Warden-related activity was kept in check by software like ISXWarden, and to some extent by Glider's Tripwire (at least in the ability to track how often and in what numbers a new Warden was produced; I'm unaware of any additional capabilities Tripwire may have). Unfortunately, Warden now includes a different random cryptographic hash function in every copy, apparently used for cryptographic key exchange, at least in the copies I have reviewed. However, it is nearly impossible to enforce that the function is only that. The hash function could be replaced with a function that retrieves information from your computer at random (or even precisely defined information, including credit card numbers, or literally anything else) and sends it back to Blizzard, and to electronic enforcement systems, this would be nearly impossible to predict or report.

I formed my opinions of Blizzard's activities and stood on their side of the line on privacy violation arguments, solely because I have been able to automatically keep track of exactly what Warden was doing, how it was doing it, and what information was sent back to Blizzard, regardless of the number of permutations of their polymorphic software. This effectively resulted in checks and balances, much in the way government bodies separate their powers, which I believe, in the end, are supposed to preserve the rights of the people in cases of corruption and such. Now, information suggests that Blizzard has begun continually producing replacement copies of Warden -- previously, roughly 318 permutations of Warden existed per patch (according to information from ISXWarden users, as can currently be viewed on the WardenNet stats page), and would be used on a rotating basis. To reiterate what I implied above, all 318 of those permutations could be vetted by software (including ISXWarden), and the behavior of each one could be verified to be identical. Therefore, anything that Blizzard would try to slip into their software was kept in check, and they would not have been able to introduce any significant privacy violations without alerting their customer base. That's actually a very good thing to have on their side.

However, this change to Warden is not a very good thing to have on their side. Given the fact that the randomly generated hash algorithm can be replaced at Blizzard's sole discretion with any other algorithm, including ones that retrieve and use personal, private and/or otherwise confidential information, with only their server required to know about the changes, this should be considered a very scary thing for the rest of us. Blizzard, I agree with you wanting to protect your game, I agree with most of the functionality you have placed in Warden, but you're losing a supporter who has conflicts of interest with your policies and still agreed with them, and that would have made a strong argument for your side.

Blizzard, I strongly urge you to promote transparency in your policing efforts. The public cannot be expected to trust a corporation that is hiding information from its own customers. You are governing several million people across the globe, and even though you do not like some of them, you should not attempt to hide your software or the functionality of your software on your customers' personal computers. There is absolutely no excuse for doing so, and I do believe that this is now, without a doubt in my mind, an ethical issue.


Update:
I wish to clarify a few things, as this post has been read, mis-read, partially ignored, and so on.
There is no issue with Blizzard using a hashing algorithm, or encrypting data. There is no issue with Blizzard attempting to detect its perceived attackers. There is no issue with a key exchange in the detection software. It's not even about any implied difficulty by said attackers to sidestep the new functionality, which at face value, is not a difficult task. The issue is that the hash algorithm can be replaced with any algorithm. The issue is that the hash algorithm is different in every copy of Warden, so there's no simple method of ensuring that every copy of Warden is simply using a hash algorithm, and furthermore that it is one-way. The issue is that the detection software may be exploited, by Blizzard or an employee of Blizzard, with or without the corporation's knowledge, in order to do anything they please on your PC. A resourceful Blizzard employee could, for example, install a virus or other malware on your PC, and have a pretty high chance of that going undetected by the customer. This example may seem extreme, but bear in mind that all customers are required by Blizzard to blindly accept whatever Warden is doing on their PC. By discouraging independent analysis of their tools, Blizzard seems to have something to hide. While I will reiterate (from the first paragraph of the post) that I don't believe that Blizzard would knowingly and willingly break any law, I do strongly believe that Blizzard has a responsibility to show its millions of customers that it is taking these actions in good faith.

Finally, I believe this is an issue that affects not just Blizzard and their customers, but all present and future corporations and customers who may be attempting to hide this sort of process or information from their customers. There is a limit to what they can do, and we can't blindly expect Blizzard or any such company to follow those limitations if they are not being independently verified.

Wednesday, October 3, 2007

State of the Warden

It's been a few months now since Warden has been updated. What's Blizzard up to exactly? And how is ISXWarden holding up lately? Here's a few short answers.

First, ISXWarden. I'm still pretty confident that the issue was solved by fixing the data corruption issue. Within a week or so of that fix, the bans and suspensions essentially stopped. It's been relatively quiet since then, with no updates needed other than for the game patches (though there were some other minor changes to ISXWarden to protect against other potential scenarios during that week or so after said fix, those do not appear significant yet). Other than that, there's not much to discuss about ISXWarden since it seems to be in good health. So until there's more problems with it, that subject is covered for now.

Now to Blizzard and their current activities. From what I'm hearing and reading on various forums, the latest ban/suspension craze is Exploitation of Economy, as well as intended exploitation, and other reasons connected to the purchase or sale of accounts or virtual goods (e.g. "Involvement in online trading activities"). A few patches ago, for example, Blizzard added a 1 hour delay when sending currency via in-game mail to other accounts (the same delay that has pretty much always been there for items). It's no secret that they have used this to their advantage in their quest to hinder the World of Warcraft gold industry. I have to commend them for this non-invasive approach, and of course no client side tools can protect against their use of risk management in blocking gold sales. Various people have reported that some of their own legitimate gold transfers (between two accounts that they own, for example, or to a guildmate) have been held for review, and later released to the destination. So cheers to Blizzard on this, a moral victory for them if nothing else.

Additionally, hardcore botters are finding that Blizzard has been keeping tabs on their activities. Bans and suspensions are apparently being handed out for being online too much of the time, presumably with other requirements on top of that, like not responding when a GM sends a message or such. Again, a non-invasive approach, and you have to respect that. Even Greg Hoglund couldn't spin that one into an invasion of privacy.
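Server-side checks of the kind the two paragraphs above and item 21 of the "In plain English" post describe (enforcing movement limits on the server, and flagging accounts that are online far too long and ignore a GM whisper), as an added example; this is not Blizzard's code and nothing here reflects how their systems actually work. The speed cap, the continuous-play threshold, the session-merge gap and all of the movement and session records are constructed for the example and labelled as such in the code.

```python
"""Server-side cheat and bot heuristics over constructed game-server records.
Added example; thresholds and data are assumptions, not real WoW values."""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Sequence, Tuple

# Assumed thresholds for the example (the posts give no real values).
MAX_SPEED = 14.0                    # world units per second the server allows
LONG_SESSION_HOURS = 18.0           # continuous play beyond this is "online too much"
MERGE_GAP = timedelta(minutes=10)   # breaks shorter than this count as one session

@dataclass
class PositionSample:
    account: str
    t: float      # seconds since the server started observing
    x: float
    y: float

@dataclass
class Session:
    account: str
    start: datetime
    end: datetime

def speed_violations(samples: Sequence[PositionSample],
                     max_speed: float = MAX_SPEED) -> List[Tuple[str, float, float]]:
    """Compare consecutive server-observed positions per account and flag any leg
    whose implied speed exceeds the cap. Returns (account, time, speed) tuples."""
    by_account: Dict[str, List[PositionSample]] = {}
    for s in samples:
        by_account.setdefault(s.account, []).append(s)
    flagged = []
    for account, points in by_account.items():
        points.sort(key=lambda p: p.t)
        for a, b in zip(points, points[1:]):
            dt = b.t - a.t
            if dt <= 0:               # duplicate or out-of-order sample: skip
                continue
            speed = math.hypot(b.x - a.x, b.y - a.y) / dt
            if speed > max_speed:
                flagged.append((account, b.t, round(speed, 2)))
    return flagged

def longest_continuous_hours(sessions: Sequence[Session],
                             gap: timedelta = MERGE_GAP) -> Dict[str, float]:
    """Merge sessions separated by less than `gap` and return, per account, the
    longest merged span in hours."""
    by_account: Dict[str, List[Session]] = {}
    for s in sessions:
        by_account.setdefault(s.account, []).append(s)
    longest = {}
    for account, runs in by_account.items():
        runs.sort(key=lambda r: r.start)
        span_start, span_end = runs[0].start, runs[0].end
        best = timedelta(0)
        for r in runs[1:]:
            if r.start - span_end <= gap:
                span_end = max(span_end, r.end)
            else:
                best = max(best, span_end - span_start)
                span_start, span_end = r.start, r.end
        best = max(best, span_end - span_start)
        longest[account] = best.total_seconds() / 3600.0
    return longest

def bot_suspects(sessions: Sequence[Session], gm_probes: Dict[str, bool],
                 hours: float = LONG_SESSION_HOURS) -> List[str]:
    """Flag accounts that both played continuously beyond the threshold and did
    not answer a GM whisper (gm_probes maps account -> answered; no probe, no flag)."""
    by_account = longest_continuous_hours(sessions)
    return sorted(a for a, h in by_account.items()
                  if h > hours and not gm_probes.get(a, True))

# Constructed sample records.
T0 = datetime(2007, 10, 1, 0, 0)
MOVEMENT_LOG = [
    PositionSample("acct-a", 0.0, 0.0, 0.0),
    PositionSample("acct-a", 1.0, 7.0, 0.0),
    PositionSample("acct-a", 2.0, 14.0, 0.0),
    PositionSample("acct-a", 3.0, 100.0, 0.0),   # 86 units in one second
    PositionSample("acct-b", 0.0, 0.0, 0.0),
    PositionSample("acct-b", 2.0, 10.0, 10.0),   # about 7.07 units/s: normal
]
SESSIONS = [
    Session("acct-c", T0, T0 + timedelta(hours=8)),
    Session("acct-c", T0 + timedelta(hours=8, minutes=5), T0 + timedelta(hours=20, minutes=30)),
    Session("acct-d", T0, T0 + timedelta(hours=8)),
    Session("acct-d", T0 + timedelta(hours=14), T0 + timedelta(hours=20)),
    Session("acct-e", T0, T0 + timedelta(hours=22)),
]
GM_PROBES = {"acct-c": False, "acct-e": True}   # answered the GM whisper?

if __name__ == "__main__":
    print("speed violations:", speed_violations(MOVEMENT_LOG))
    print("longest continuous play (h):", longest_continuous_hours(SESSIONS))
    print("bot suspects:", bot_suspects(SESSIONS, GM_PROBES))
```

Both checks use only what the server already observes, which is the property the posts value in this approach: nothing runs on the customer's machine, and a client-side modification cannot alter the server's own record of where a character was or how long it stayed online.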

Speaking of Hoglund, I read the recent Associated Press article involving him and his associate McGraw. I don't know if it was the journalist's interpretation or what, but this really got my goat:

"One problem is that these observer programs are invasive, since they must access the underlying operating system in a player's PC in order to sniff nefarious code. McGraw believes the Warden might even violate California's anti-spyware law." - link
What the hell does "access[ing] the underlying operating system" have to do with anything? World of Warcraft has to "access the underlying operating system" just to load in the first place. Is it going to become illegal for software to open other processes? Or read files from your hard drive? Where do you draw the line exactly? It's not damaging your computer, it's not sending back any information that could be used to steal your identity, so what's the deal? Is this going to mean that anti-virus software also can't report back to base about what viruses it discovered on your system?

That's literally the same process, with only a slightly different usage of the data. Anti-virus publishers aren't going to cut you off for having contracted a virus from opening a malicious email, they would just want to know what viruses are active in the wild, much like keeping track of how many of a given animal species remain on our planet. Information received by Warden, on the other hand, is specifically for enforcing account holder policies. They find a malicious "virus" (hack or cheat, in this case) on your system, and they're going to take action against your account. Keep in mind, once again, that Warden is very much like anti-virus software. It doesn't care what web sites you have open, what goat porn you have stored on your hard drive, or anything like that. It essentially has a list of viruses, and it is looking for each one. When it finds one that it is specifically looking for, it will send back an indication that it was found, nothing more.
"Sometimes, there appears to be financial incentive for the game makers to be good — but not terrific — at stopping cheating. Consider this: Cheaters who get banned from games often immediately sign back up under a different user name, paying money for a new account in hopes of trying again. If cheating protections were significantly stronger, fewer perpetrators would continue to buy accounts." - same article
This notion is nothing new of course, and people have been saying it ever since they started getting banned and buying new accounts. The point made in the article is that Blizzard has financial incentives to make sure cheating continues to occur, and periodically purging it. But here's some food for thought: Is it extortion? Is Blizzard merely slapping people with commercial interest in having accounts with a wet noodle, only to absorb the money made from the account key and subscription fees, knowing that the process is just going to repeat? Are these people essentially paying Blizzard protection money? "Hey, you haven't paid your protection recently, so I'm banning your accounts and keeping the money." Unlike information gleaned from Warden, Blizzard has financial incentives, likely lawful, to bully certain types of people and reap the benefits. One key point in Blizzard's favor is that these people don't have to keep coming back. They can leave any time, and not worry about paying another dime to Blizzard... unless of course, Blizzard then decides to sue them for some reason or another after they give up, which it would then have the financial incentive to do, since the perpetrators are no longer paying protection! Scary thought, that. I may be giving them too many ideas. Maybe these companies should be paying me protection to not give Blizzard these ideas, I'm mostly broke and Blizzard doesn't need the extra money (neither does Vivendi), what with over a billion dollars a year in revenue from World of Warcraft alone. I'm kidding about paying me guys, but you can if you want. But the point is, is this video game extortion?

This brings me to something else that could be interesting. What if, in order to reduce or remove the financial incentives, Blizzard took action that did not involve cutting off the account? Clearly, banning accounts is not going to stop the virtual market. Ban one, and it gets replaced. Those companies run through accounts like crazy. Sure, it puts some out of business, but has anything changed in the years that Warden has been in use? Absolutely not, other than prices going down. There's still hordes (pun intended) of bots, gold farmers, you name it. Probably far more now than there originally were.

All Blizzard is managing to do is keep the status quo, reducing the effects these activities have on the game's economy. The main draw may actually be that these banned accounts take items and gold out of circulation, keeping the in game prices relatively high. The gold would still exist -- much of the gold sales are not from bots or farmers, but from average players selling the extra that they have and don't have anything to do with. Hell, I did that in EverQuest. Eventually I was paying my rent by farming Wyrmslayers, Idols of the Thorned or Frostbringers (that should tip EQers off as to when this was), not exactly a major enterprise, but just enough that I was self sufficient. Is that really a problem? Is it the guy who takes some time off from real life to play video games or supplement their other income that they are after? Unfortunately, it's the average players that the current processes are harming, not the bots or farmers (keep reading).

Recent lawsuits (and Hubert Thieblot of Curse according to that article) allege that the practice of selling virtual currency for real money hurts the average player's ability to play the game, because people farming for this purpose will leave nothing in their wake for other players to fight or loot. Have you even played the game? Do you have any idea what casual players have to do to get gold? Anyone who wants to get gold, for any reason, say they want to purchase a tradeable item that would otherwise require a full raid party to get. This person is not like you, he doesn't care about hardcore endgame raiding, he enjoys playing with a small group of friends or family. How is he supposed to get gold, if it's not by finding what he deems to be the best repeatable way to get gold, and repeating it? There's no difference in having to make 1000 gold to sell in the real world, from having to make 1000 gold to buy something in the game. These people are doing the same thing. They're going to exhaust the resources that they find to be good. Your friend who is supposedly farming gold to buy that new mount? How do you know he's not selling gold on the side and using the mount as a front? Does that make him a cheater if he is? Should he be working a second job instead of playing the game at all? There's a whole lot of goodness in making money while having fun.

My father in law has no idea how he's supposed to get 5000 gold for some silly flying thing. And even then, if he got 5000 gold, what if he was told that he could, instead of spending it on a silly flying thing, he could get a few hundred dollars that he could put toward paying off his debts? If it weren't for fear of getting banned for something so menial, he could probably already have paid off his debts. Or what if he wanted to buy a nice gift for someone, but couldn't quite afford it? Is it really killing the game experience?

But here's the real point. It's the average person who just wants a few extra dollars that is taking the real hit. The companies that do this on a massive scale are still doing it on a massive scale, just maybe with a small bite out of their side. But the player who needed a few extra dollars, and had some extra gold, he's the one getting hurt. He's the one that feels the loss of his level 70 Hunter. The player who works 2 jobs and doesn't have time to grind out 20 levels to play with his friends who have no jobs and live in their parents' basement, but has a few extra dollars and wants to pay someone to level him, he's the one getting hurt. The player who works too much and just wants that new item without farming for days or dealing with guild politics and raids, he's the one getting hurt.

Granted, it's not for everyone. If you think it's wrong to buy or sell gold, then, well, don't. But don't ruin it for everyone else, and quit your damn whining if someone has more money than you in real life so they want to buy something to get ahead in the game. Guess what, they do it in real life too, they buy things like jets, and they land them at NASA. Let's make having money illegal, so that rich people don't try to buy things. Clearly, it is better for them to hand-make their jet after getting all of the raw materials, and they have to know how to make each individual part, and .... wait, did you build your own car? So you have something that the kid on his bike doesn't have? You bought it with money?

Alright, I got off topic. But what I was heading toward is this. It would be interesting to see alternative forms of punishment. Instead of banning the account (and I'm strictly speaking of things like online trading, exploitation of economy, etc; not hacks or bots), what if they just made it more difficult for that account? Abilities could be less effective, or characters on the account move slower, restrict the amount of gold that it can transfer in a given period of time, and so on. Each offense could further restrict the account, reducing the likelihood that the practice will continue. After some period of good behavior, restrictions could even be lifted, essentially putting the account back into play. This could allow the casual player to partake in activities shunned by others, still at some potential cost, and the restrictions could inflict essentially the same pain on the presumed real target, the companies doing these things on a large scale. Done right, this could remove the perception that the game publisher prefers the activities continue in order to make more money. Of course, it might not be a good idea in the end and it may never be attempted, but I must repeat that it would be interesting to see. Maybe we'll find out the day I produce an MMO. :)

Wednesday, August 15, 2007

ISXWarden woes

I believe I've finally found the bug in ISXWarden causing the recent Inner Space bans.

There was a possibility of data being sent back to Blizzard that would appear to be corruption of Warden scan results, in rare (but predictable) cases. This bug would cause results consistent with the reported bans and test cases provided by users (e.g. Tenshi). I do not yet have confirmation that this was the culprit, but that should come sometime before next Tuesday, if this is it. I'm pretty sure that's the one, but until I get the confirmation, pretty sure is the best I can give.

Since at least one person asked me if they can put "face -fast" back in, I will reiterate an older point. Client-side protections are great, but they will only take you so far -- you have to go the last mile yourself by making sure your bot is as human as possible. When I was your age, we dialed up to local BBSs and played games through text -- there was no such thing as client-side detection. If scripting (or "botting" or "macroing" if you prefer) was not allowed, looking as human as possible was the only available protection. Just because client-side detection exists now, does not mean you should give up your front line of defense just because the rear is covered! So no, my recommendations on that stand. Look as human as possible. High speed high precision is not particularly human-like.

Friday, August 3, 2007

Heuristics and your one unbanned account

Preface
I don't want to give the wrong impression to people using ISXWarden, so I actually don't want to post this, after having spent an hour or two writing it. But, I mentioned it in IRC and some people want to read what I have to say. So here it is. Before reading on, be aware that client-side detections are not the main focus of the article. That does not mean that I'm not working on potential client-side detections, nor does this article mean to imply that I believe a significant number of the most recent non-Exploitation of Economy bans are a result of server-side detections. It's about mitigating your risks, and why just because you got lucky enough that one of your accounts was not banned, does not mean that you can go about assuming this or that about what Blizzard does. Without further ado...

The Article..
I guess it's about time I try to explain something to the masses. The masses, in this case, being people wondering why some people get banned and others don't, even under very similar conditions.

I'll get the first part out of the way. This article is not particularly about Warden, but I will cover it anyway. Every 15 seconds as you play, Warden is essentially dealt a hand of several cards out of a deck of cards. It reads each card, writes something on the back, and returns the hand to the dealer. The dealer reads the back of the card, wipes it clean, and shuffles the cards back into the deck. This process is repeated ad infinitum. Notice the bold text. Because the cards are shuffled back into the deck, rather than removed, there is no absolute guarantee that in a playing session, Warden will receive each and every one of the cards. Likely, yes, but not guaranteed (if you need help with this one, talk to someone who is good with statistics and probability).
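The "hand of cards" scheme above can be put into numbers. This is an added example, not code from the original post; the deck and hand sizes are my own assumptions, not Blizzard's real figures, and the 15-second cadence is the one stated above.

```python
"""Model of the "hand of cards" Warden scan scheduling: a deck of N scans,
a hand of H scans dealt every 15 seconds, and the hand shuffled back into
the deck afterwards. How likely is it that one play session exercises
every scan in the deck at least once? (Sizes below are assumptions.)"""
import random
from math import comb

INTERVAL_SECONDS = 15  # one hand dealt every 15 seconds, as in the post


def hands_in_session(session_minutes: float) -> int:
    """Number of hands dealt during a session of the given length."""
    return int(session_minutes * 60) // INTERVAL_SECONDS


def prob_all_scans_seen(deck_size: int, hand_size: int, hands: int) -> float:
    """Exact probability that each of deck_size scans is dealt at least once
    across `hands` hands of hand_size distinct cards, the deck being
    reshuffled between hands (hands are independent of each other).

    Inclusion-exclusion over the set of scans that are never dealt:
      P(all seen) = sum_k (-1)^k C(N,k) * P(k fixed scans missed by a hand)^hands
    where P(k fixed scans missed by a hand) = C(N-k,H) / C(N,H).
    """
    if hands <= 0 or hand_size <= 0:
        return 0.0
    if hand_size >= deck_size:
        return 1.0
    total = 0.0
    # For k > N-H the miss probability is 0, so those terms vanish.
    for k in range(deck_size - hand_size + 1):
        p_miss_one_hand = comb(deck_size - k, hand_size) / comb(deck_size, hand_size)
        total += (-1) ** k * comb(deck_size, k) * p_miss_one_hand ** hands
    return max(0.0, min(1.0, total))  # clamp floating-point noise


def simulate_coverage(deck_size, hand_size, hands, trials=20000, seed=1):
    """Monte Carlo cross-check of prob_all_scans_seen (seeded for repeatability)."""
    rng = random.Random(seed)
    deck = range(deck_size)
    complete = 0
    for _ in range(trials):
        seen = set()
        for _ in range(hands):
            seen.update(rng.sample(deck, hand_size))  # one hand, no repeats within it
            if len(seen) == deck_size:
                complete += 1
                break
    return complete / trials


if __name__ == "__main__":
    deck, hand = 30, 3  # assumed sizes, not Blizzard's numbers
    for minutes in (5, 15, 60, 180):
        p = prob_all_scans_seen(deck, hand, hands_in_session(minutes))
        print(f"{minutes:4d} min session: P(every scan dealt) = {p:.4f}")
```

Short sessions leave a real chance that some scan is never dealt, which is the "likely, but not guaranteed" point above in numbers.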

There's point number one. The point to go along with this one is that not all Warden scans are definitive. Take for example the known false positive debacles: Cedega users were banned in November(?) 2006, and WinEQ 2 users were banned in July 2007. Neither application is harmful to the game, and the bans were quickly reversed -- I'm not sure if Cedega users got added time on their WoW subscription, but WinEQ 2 users got 2 days added. I don't specifically recall anymore what scan hit Cedega, but I've got the information lying around somewhere. But, in the case of WinEQ 2, Warden has been scanning for d3dx9_30.dll. This DLL is distributed with DirectX 9 updates as of April 2006, and there are newer versions as well -- d3dx9_31.dll, and so on. Microsoft provides them to help Direct3D developers with common features. WinEQ 2 and Inner Space both use d3dx9 to display text with standard Windows fonts in 3D. So, how do they tell the difference?

Obviously, depending on the scan (but certainly the case for the Cedega and WinEQ 2 situations), they must use other factors to determine if what they are seeing is something [perceived as] harmful to the game or not. Additionally, said other factors must also be inconclusive on their own. I shouldn't even have to mention this, but the reason that the other factors must be inconclusive on their own is because if they were conclusive, you would already be banned. In other words, if Warden is detecting a memory modification that allows you to climb mountains you would otherwise be unable to climb, they have no reason to do further investigation. It doesn't matter what application made the modification, there is no reason for them to determine that. They see your mountain climbing hack, and ban straight away. But back to the point. If they don't know what it is, they just have to find additional information that provides them with a good enough indication that they will ban you.

Which brings me to the next point. Let's step away from Warden and dive into risk. If you haven't seen Along Came Polly, then for the sake of this discussion I'll sum up the relevant portion. Ben Stiller plays an insurance agent, and he uses some risk analysis software that he's able to enter all sorts of crazy things into, and it comes up with information as to whether his company wants to provide insurance to someone. I'm just going based on memory here, haven't seen it in a while and I didn't see the whole thing either, but for example his rich client goes shark diving or something, and skydiving, and such. Anyway if I remember correctly, there were seriously strange and crazy things (and I don't mean things you've actually heard of people doing, like skydiving) he would enter into the system, and his program was coming up with some sort of risk numbers based on what his client wanted to do, to determine if he wanted to insure the client or not. The point is, he enters multiple pieces of information, and the system comes up with some number that indicates the degree of risk.

Before I continue, the reason I mention the following is unrelated to client-side detection bans. The reason I mention that is I have to put up with people taking everything of this nature that I say as meaning that there is no client-side detection in the recent Inner Space-related bans. There certainly was, but that does not account for the whole of the reported bans. I did say that the more recent ones were not from Warden.

So anyway, now let's assume for a moment that Blizzard is smart enough to have some systems that do not rely on client-side detection methods. We already know to a good degree of certainty that they have various server-side "detections" involving Exploitation of Economy (EoE) bans. They also reportedly have hidden walls of sorts in areas that players cannot normally traverse, that when crossed, raise some sort of flag on the crosser. So, let us assume that they are a) not stupid, and b) implementing other sorts of server-side analysis as well. Granted, many things that they could potentially detect server-side may be too CPU-intensive to use, but that's exactly the sort of challenge programmers love. And that's where heuristics come in. Heuristic algorithms find a way to solve a problem to a reasonable degree, without having to perform too many calculations for the CPU.

If Blizzard wanted to catch bots, all they would have to do is identify a few factors that can be heuristically computed to come up with a comparison between a bot and a human. If bots consistently performed a behavior in a way that humans consistently do not, they can come up with a reasonable risk factor -- a probability that the player is a bot rather than a human. One behavior is usually not a good indication and would lead to false positives. There are of course other inputs as well, such as player reports, linkage of accounts previously reprimanded for botting, playing time and how that time is spent, and so on. Combine all of these factors, and you have now prepared a list of the characters most likely to be bot-controlled. If the aggregate risk factor is high enough for a given player, they could ban without any sort of follow-up observation. If it's not, then the list then serves as a prioritized list for GMs or other employees to run down for confirmation. If you're lucky enough, they don't catch you.
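A toy version of the risk aggregation described above, as an added example that is not code from the original post and not anything known about Blizzard's systems. The signal names, likelihood ratios, base rate and thresholds are all my own assumptions; the point it shows is that any one signal stays well under the ban line while several together push a character up the review list.

```python
"""Server-side heuristic triage: combine several weak behavioural signals
(play time, timing regularity, path repetition, player reports, linkage to
a banned account) into one risk number and a prioritized list.
Every weight and threshold here is an assumed, illustrative value."""
from dataclasses import dataclass
from math import exp, log


@dataclass
class SessionStats:
    name: str
    hours_per_day: float        # playing time
    idle_fraction: float        # share of session spent doing nothing
    action_interval_cv: float   # coefficient of variation of action timing
    path_repeat_ratio: float    # share of movement along previously walked paths
    reports: int                # player reports filed against the character
    linked_to_banned: bool      # shares payment/IP details with a banned account


def signals(s: SessionStats) -> dict:
    """Likelihood ratios P(signal | bot) / P(signal | human), assumed values.
    Each is weak on its own; none reaches BAN_THRESHOLD by itself."""
    return {
        "long_hours": 4.0 if s.hours_per_day > 14 else 1.0,
        "never_idle": 3.0 if s.idle_fraction < 0.02 else 1.0,
        "metronomic_timing": 5.0 if s.action_interval_cv < 0.05 else 1.0,
        "repeats_path": 3.0 if s.path_repeat_ratio > 0.9 else 1.0,
        "reported": 2.0 ** min(s.reports, 3),
        "linked_account": 6.0 if s.linked_to_banned else 1.0,
    }


PRIOR_BOT = 0.01          # assumed base rate of bot-controlled characters
BAN_THRESHOLD = 0.95      # ban with no follow-up observation
REVIEW_THRESHOLD = 0.20   # hand to a GM for confirmation


def bot_probability(s: SessionStats) -> float:
    """Naive-Bayes style aggregation: prior odds times the product of the
    likelihood ratios, converted back to a probability."""
    log_odds = log(PRIOR_BOT / (1 - PRIOR_BOT))
    for lr in signals(s).values():
        log_odds += log(lr)
    return 1 / (1 + exp(-log_odds))


def max_single_signal_probability() -> float:
    """Risk reached by the strongest single signal alone (here: linkage, 6x)."""
    odds = PRIOR_BOT / (1 - PRIOR_BOT) * 6.0
    return odds / (1 + odds)


def triage(population: list) -> list:
    """Return (name, probability, action) tuples, most suspicious first."""
    out = []
    for s in population:
        p = bot_probability(s)
        action = "ban" if p >= BAN_THRESHOLD else "review" if p >= REVIEW_THRESHOLD else "ignore"
        out.append((s.name, round(p, 4), action))
    return sorted(out, key=lambda t: t[1], reverse=True)


def demo_population() -> list:
    """Constructed sample characters (not real data)."""
    return [
        SessionStats("casual", 2, 0.30, 0.50, 0.20, 0, False),
        SessionStats("raidlead", 16, 0.10, 0.40, 0.30, 0, False),   # long hours only
        SessionStats("nightshift", 10, 0.01, 0.03, 0.95, 1, False),
        SessionStats("farmbot_01", 20, 0.01, 0.02, 0.95, 2, True),
    ]


if __name__ == "__main__":
    for name, p, action in triage(demo_population()):
        print(f"{name:12s} p(bot)={p:.4f} -> {action}")
```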

As a botter, you not only want to be sure that you are protected from Warden and other client-side detection mechanisms, but you also want to be sure that you are as low on that prioritized list as possible. The same goes for EoE ban candidates. If you're on their list, then it's simply not going to be good for you.

If you're interested in keeping your accounts, then cover your bases. Don't make the assumption that they won't catch you because you don't believe they would implement server-side detections. Whether they are right now for things that affect you or not, it is almost guaranteed that they will as they look to the future. Computers are only getting faster, storage and memory capacity is only growing, bandwidth capacity is growing, and calculations that were previously too expensive are coming within reach -- either by discovering new solutions, or simply as a result of the hardware improvements. Blizzard knows that client-side detections can only go so far, and can be worked around. They have to constantly come up with new ways to detect your software on the client side. And the right people will always be able to cover their -- and your -- tracks. Anything on the server, however, cannot be reverse engineered by those right people, and cannot (usually) be spoofed by the client.

The moral of the story is this... Don't take chances. Look as human as you possibly can when you bot. It doesn't save you from client-side detections, obviously. That's not the point.

Sunday, July 29, 2007

Privacy and you

Ahh, Greg Hoglund and the art of deception. Ever since Warden was implemented as an anti-cheat tool for World of Warcraft on July 12, 2005 (which Hoglund "discovered" in October 2005), there have been numerous reports that it is relaying information to Blizzard that would constitute invasion of privacy. It all started with Hoglund's rootkit.com post, found here: http://www.rootkit.com/blog.php?newsid=358. In all fairness, I will point out here that Hoglund did not state in his post that the private information mentioned was actually relayed to Blizzard. However, he intentionally left that possibility open.

So, let's take this at face value. Hoglund makes a "big deal" out of the use of the GetWindowText API. This API is standard in Windows and has existed since Windows 95 and Windows NT 3.1 according to its MSDN documentation. To clarify, Hoglund references GetWindowTextA, which is an ANSI encoding-specific version of this function -- there is also GetWindowTextW, which is a Unicode version of this function. There is a similar separation with many Windows APIs, and with recent versions of Windows, the ANSI versions actually wrap the Unicode versions. For the uninitiated, ANSI and Unicode are methods of encoding text in sequences of numbers (i.e. terms that computers understand). Unicode is used to support internationalization, where there are far more characters (letters, numbers, etc) in various languages than ANSI encoding was designed for. Now back to the important stuff. So GetWindowText can get the title of any open window on your PC, as well as text associated with various other user interface controls. This can be used in conjunction with EnumWindows to retrieve the title of every window. Any program can do this, and it takes no special security privileges.

If a piece of malware wanted to relay this information somewhere in an attempt to steal your personal information, it would not take a genius to do so, and the program would pass right through any virus detection software. Why? Because window titles are not generally useful. Sure, said hypothetical attacker could determine that I am posting on my blog by checking my Firefox window title ("Blogger: On Warden - Create Post - Mozilla Firefox"). Sure, they could determine I am on Internet Relay Chat. But what good is that to the attacker?

The trouble of course begins when there is something to hide. Like anyone else, I would be concerned if my personal information was being transmitted. But that's just it. The key word is transmitted. The following is highly contrived and obviously unethical today, but imagine a device that could be inserted directly into your brain, and this device had the technology to scan your brain for information. If this device was not relaying any information to anyone else, there would be very little concern for your privacy. Now let's say that it relays some information, but that it only relays information about the device's health for diagnostic purposes. The question then becomes "Is it REALLY sending out a report on its own health, or is there more to it?" Now there's a good question. Now let's say it relays information about your thoughts, but only if you are thinking about doing something illegal or unethical. The question then, in addition to wondering if that's all it's REALLY looking for, is "Is it detailing my thoughts? Or is it just saying that I am having illegal or unethical thoughts?". And finally, let's say that it relays detail on every thought you are having. There is certainly no question to be asked about that, it clearly leaves you with no privacy at all.

So what is it that I'm implying? What I'm saying is that Hoglund's either not asking the questions, or is conveniently leaving those parts out. After all, with all of the excitement over his "discoveries", his site rootkit.com went from nothing, to something (see http://www.alexa.com/data/details/traffic_details?url=http%3A%2F%2Frootkit.com for site traffic details), he has mentions from the EFF, has spoken at the Black Hat security conference, and has now published a book (and of course, the book is plugged on rootkit.com, and presumably plugs the site as well). It's clearly in his economic interest to create controversy, whether there is any or not.

I'll take the liberty to answer the questions, with specific regard to Warden reading window titles, and its now 2-year history. Warden has never relayed window titles, and does not even currently read window titles at all (has not for some months now). What it did is scan all window titles, looking for specific ones based on a hash (as Hoglund correctly described). A hash is a way to turn some sequence of numbers into another sequence of numbers, resulting in a way to identify the original sequence to some degree of accuracy without actually revealing the original sequence. Typical uses include password checks (so that your password "god" becomes a large number and the original word is never revealed), data integrity checks (e.g. to make sure a download did not become corrupted), and so on. For example, if a cheating program had a window titled "My Cheat Program", they would hash that to come up with the value to compare against. Then, for each window on your system, it would hash the title and compare the hash to the value they came up with originally. If the title matches, it stops the search and notes the information for its response transmission. If no titles match, it notes this information for its response as well. The response to the window title scan was one of exactly two numbers. One means YES, the other means NO. There is the answer. While the window title scan was active, they were looking for specific "illegal thoughts" and receiving only a YES or NO response. The same is true for the process name scan -- yes, they did that too.
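The hash-compare scan described above, written out so the shape of the response can be inspected. This is an added example, not Warden's code: Warden used its own hash, so SHA-256 stands in here, the cheat-window title and the two "desktops" are constructed, and the window list that EnumWindows/GetWindowText would supply on a real Windows host is a plain list here.

```python
"""Hash-compare window title scan: the client hashes each open title,
compares against server-supplied digests, and answers with one of two
values. The titles themselves never appear in the response. SHA-256 is
a stand-in for Warden's own hash; all titles below are constructed."""
import hashlib

SCAN_HIT, SCAN_MISS = b"\x01", b"\x00"  # the two possible answers: YES or NO


def title_hash(title: str) -> bytes:
    """One-way digest of a title (UTF-16LE, the encoding of Windows titles)."""
    return hashlib.sha256(title.encode("utf-16-le")).digest()


def build_target_list(known_cheat_titles: list) -> frozenset:
    """What the server ships to the client: digests only, never the titles."""
    return frozenset(title_hash(t) for t in known_cheat_titles)


def scan_window_titles(open_titles: list, targets: frozenset) -> bytes:
    """Hash every open title, stop at the first match, answer HIT or MISS.
    On Windows open_titles would come from EnumWindows + GetWindowText;
    the same comparator serves a process-name scan with process names."""
    for title in open_titles:
        if title_hash(title) in targets:
            return SCAN_HIT
    return SCAN_MISS


def response_payload(scan_id: int, answer: bytes) -> bytes:
    """Fixed-size report: a 2-byte scan identifier plus the single answer
    byte. Its length and content do not depend on what windows are open."""
    return scan_id.to_bytes(2, "big") + answer


def leaks_any_title(open_titles: list, payload: bytes) -> bool:
    """Privacy check: does any open title (in either encoding) appear verbatim
    in the bytes sent back?"""
    return any(t.encode("utf-16-le") in payload or t.encode("ascii", "ignore") in payload
               for t in open_titles if t)


if __name__ == "__main__":
    targets = build_target_list(["My Cheat Program"])  # constructed target title
    # Two constructed desktops: one clean, one with the cheat window open.
    clean = ["Blogger: On Warden - Create Post - Mozilla Firefox",
             "Inbox - personal mail", "Online Banking - Mozilla Firefox"]
    cheating = clean + ["My Cheat Program"]
    for label, desktop in (("clean", clean), ("cheating", cheating)):
        payload = response_payload(0x0042, scan_window_titles(desktop, targets))
        print(f"{label:9s} response={payload.hex()} leaks_title={leaks_any_title(desktop, payload)}")
```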

The entertainment value for me comes with the implication that The Governor is somehow current and shows relevant information. While it is true that The Governor once showed information relating to about half of Warden's scanning ability, it never showed exactly what was actually relayed to Blizzard, let alone the other half of Warden's scans. If the book is intended to have complete or current information on the subject, they would clearly be interested in speaking with other parties with knowledge of Warden. For example, I have been keeping tabs on Warden, and so has Mercury of MMOGlider fame, as well as maybe a dozen other individuals around the world. From the portions I have read, the book does not so much as acknowledge the existence of any Warden expert other than Hoglund himself, if he is to be labeled as such. But it does incorrectly state that Warden is currently scanning the title bar of every window on your computer! This seems to imply to me that Hoglund has not looked at Warden since October 2005, and is simply counting the money he has made since. It seems that his intent is to defame Blizzard in response to his World of Warcraft accounts being banned, and make some cash in the meantime. I'd say he's covered the costs, maybe it's time to stop the charade.