Sunday, July 29, 2007

Privacy and you

Ahh, Greg Hoglund and the art of deception. Ever since Warden was implemented as an anti-cheat tool for World of Warcraft on July 12, 2005 (which Hoglund "discovered" in October 2005), there have been numerous reports that it is relaying information to Blizzard that would constitute invasion of privacy. It all started with Hoglund's rootkit.com post, found here: http://www.rootkit.com/blog.php?newsid=358. In all fairness, I will point out here that Hoglund did not state in his post that the private information mentioned was actually relayed to Blizzard. However, he intentionally left that possibility open.

So, let's take this at face value. Hoglund makes a "big deal" out of the use of the GetWindowText API. This API is standard in Windows and has existed since Windows 95 and Windows NT 3.1 according to its MSDN documentation. To clarify, Hoglund references GetWindowTextA, which is the ANSI encoding-specific version of this function -- there is also GetWindowTextW, which is the Unicode version. There is a similar separation for many Windows APIs, and in recent versions of Windows the ANSI versions actually wrap the Unicode versions. For the uninitiated, ANSI and Unicode are methods of encoding text as sequences of numbers (i.e. terms that computers understand). Unicode is used to support internationalization, where there are far more characters (letters, numbers, etc.) in various languages than ANSI encoding was designed for. Now back to the important stuff. GetWindowText can get the title of any open window on your PC, as well as the text associated with various other user interface controls. Used in conjunction with EnumWindows, it can retrieve the title of every window. Any program can do this, and it takes no special security privileges.

If a piece of malware wanted to relay this information somewhere in an attempt to steal your personal information, it would not take a genius to do so, and the program would pass right through any virus detection software. Why? Because window titles are not generally useful. Sure, said hypothetical attacker could determine that I am posting on my blog by checking my Firefox window title ("Blogger: On Warden - Create Post - Mozilla Firefox"). Sure, they could determine I am on Internet Relay Chat. But what good is that to the attacker?

The trouble of course begins when there is something to hide. Like anyone else, I would be concerned if my personal information was being transmitted. But that's just it. The key word is transmitted. The following is highly contrived and obviously unethical today, but imagine a device that could be inserted directly into your brain, and this device had the technology to scan your brain for information. If this device were not relaying any information to anyone else, there would be very little concern for your privacy. Now let's say that it relays some information, but only information about the device's health for diagnostic purposes. The question then becomes "Is it REALLY sending out a report on its own health, or is there more to it?" Now there's a good question. Next, let's say it relays information about your thoughts, but only if you are thinking about doing something illegal or unethical. The question then, in addition to wondering if that's all it's REALLY looking for, is "Is it detailing my thoughts? Or is it just saying that I am having illegal or unethical thoughts?" And finally, let's say that it relays detail on every thought you are having. There is no question to be asked about that: it clearly leaves you with no privacy at all.

So what is it that I'm implying? What I'm saying is that Hoglund is either not asking the questions, or is conveniently leaving those parts out. After all, with all of the excitement over his "discoveries", his site rootkit.com went from nothing to something (see http://www.alexa.com/data/details/traffic_details?url=http%3A%2F%2Frootkit.com for site traffic details), he has mentions from the EFF, has spoken at the Black Hat security conference, and has now published a book (and of course, the book is plugged on rootkit.com, and presumably plugs the site as well). It's clearly in his economic interest to create controversy, whether there is any or not.

I'll take the liberty to answer the questions, with specific regard to Warden reading window titles, and its now two-year history. Warden has never relayed window titles, and does not even currently read window titles at all (it has not for some months now). What it did is scan all window titles, looking for specific ones based on a hash (as Hoglund correctly described). A hash is a way to turn some sequence of numbers into another sequence of numbers, resulting in a way to identify the original sequence to some degree of accuracy without actually revealing the original sequence. Typical uses include password checks (so that your password "god" becomes a large number and the original word is never revealed), data integrity checks (e.g. to make sure a download did not become corrupted), and so on. For example, if a cheating program had a window titled "My Cheat Program", Blizzard would hash that to come up with the value to compare against. Then, for each window on your system, Warden would hash the title and compare the hash to the value they came up with originally. If the title matches, it stops the search and notes the information for its response transmission. If no titles match, it notes this information for its response as well. The response to the window title scan was one of exactly two numbers. One means YES, the other means NO. There is the answer. While the window title scan was active, they were looking for specific "illegal thoughts" and receiving only a YES or NO response. The same is true for the process name scan -- yes, they did that too.
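The scan described above, written out as an added illustration rather than Warden's or Blizzard's actual code: the detector ships with digests only, hashes each title it enumerates, and the only thing that leaves the machine is a single YES/NO integer. The hash algorithm (SHA-256) and the list of window titles are assumptions; on Windows the titles would come from EnumWindows and GetWindowText, here they are a constructed sample so the example runs anywhere.

```python
import hashlib

# Constructed sample standing in for what EnumWindows / GetWindowText
# would return on a real desktop (not captured from any real system).
SAMPLE_TITLES = [
    "Blogger: On Warden - Create Post - Mozilla Firefox",
    "World of Warcraft",
    "My Cheat Program",
    "#wow - IRC client",
]


def title_digest(title: str) -> str:
    """Hash a window title. SHA-256 is an assumption; the post does not
    name the algorithm Warden used."""
    return hashlib.sha256(title.encode("utf-8")).hexdigest()


# Vendor side: only the digests of the titles being looked for are shipped,
# so the detector itself never carries the cleartext list.
BLOCKLIST_DIGESTS = {title_digest("My Cheat Program")}


def scan_window_titles(titles, blocklist_digests):
    """Client side: hash every enumerated title and compare against the
    shipped digests. Stops at the first hit, as the post describes.
    Returns the one value that would be reported: 1 = YES, 0 = NO."""
    for title in titles:
        if title_digest(title) in blocklist_digests:
            return 1
    return 0


def build_response(titles, blocklist_digests):
    """The complete report that leaves the machine for this scan: a single
    integer. No title, hash or count of windows is included."""
    return {"window_title_scan": scan_window_titles(titles, blocklist_digests)}


if __name__ == "__main__":
    print(build_response(SAMPLE_TITLES, BLOCKLIST_DIGESTS))
```

The "some degree" in the post's hash description is worth keeping in mind: because the shipped list holds digests of short, guessable strings, anyone holding the list can still test a candidate title against it, so the hash hides the list from casual reading, not from guessing.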

The entertainment value for me comes with the implication that The Governor is somehow current and shows relevant information. While it is true that The Governor once showed information relating to about half of Warden's scanning ability, it never showed exactly what was actually relayed to Blizzard, let alone the other half of Warden's scans. If the book is intended to have complete or current information on the subject, they would clearly be interested in speaking with other parties with knowledge of Warden. For example, I have been keeping tabs on Warden, and so has Mercury of MMOGlider fame, as well as maybe a dozen other individuals around the world. From the portions I have read, the book does not so much as acknowledge the existence of any other Warden expert other than Hoglund himself, if he is to be labeled as such. But it does incorrectly state that Warden is currently scanning the title bar of every window on your computer! This seems to imply to me that Hoglund has not looked at Warden since October 2005, and is simply counting the money he has made since. It seems that his intent is to defame Blizzard in response to his World of Warcraft accounts being banned, and make some cash in the meantime. I'd say he's covered the costs, maybe it's time to stop the charade.

2 comments:

Unknown said...

So if I am having illegal "thoughts", then they are just that, thoughts. I don't need some probe like I am "potentially" guilty.

Out of all the accounts that blizzard has banned, you could easily say that most of them were 100% accurate. With you knowing a lot about warden, I'm sure you can easily agree.

What bothers me is the ones that aren't, that they still ban anyway. The party may be simply misunderstood. The problem is they are innocent and have no methods of proving they were such. They can only send an e-mail and hope they get lucky.

As an example, say I level to 20 and find that I want to skip the next 40. I enlist the services of a company to handle the leveling for me. If this service was performed in another country, they can easily see that I am here one minute, then over there the next. They got me, guilty! And they would be right.

Now let's say you are level 20, and have a child that is underage that plays on the same account you do. You take a business trip to another country, and with your trusty laptop by your side, continue to play. Meanwhile your child at home plays the account as well when you are not.

Will you get banned? Who knows. If you do get banned, will your reason (which is valid) be just like 5000 other "excuses" they hear every day? Even if you were to visit a "powerleveling" shop, borrow one of their PCs for a couple hours to play your account (maybe while you are having them fix your laptop) what then?

My point is that although their methods may be good, they are not 100% conclusive, 100% of the time. They hit innocent customers.

Sorry this was kind of off topic. There are not many places that have warden as a topic, but you seem to be on the side of "they scramble XYZ and see if their scramble matches scrambles of things on your PC, if so then "YES" you're guilty".

I could go on for days about how the US government enacts some law or program that "only does this", meanwhile it has the capability of doing "more" and say that it will "never be used like that". Behold, it ends up getting abused.

Blizzard is the government of World of Warcraft, Warden is their police. I don't like where they are going...

Brett Allen said...

Randy, the difference here is Lax and those with extensive knowledge of computers can see what Warden is doing, and can confirm whether they abuse their abilities.

Also with your underage son example, that doesn't quite work.

While you are on your business trip, I assume you are not playing 24 hours a day levelling as efficiently as possible.

Your son is randomly playing as well.

It is quite obvious watching patterns what is a power levelling service and what is not.