Thursday, November 15, 2007

In plain English

The post "A storm is brewing" was technical in nature, and was not particularly intended for the audiences it actually received, and as such, a lot of readers did not understand the items at issue.

I'll attempt to make clear and concise statements to help clear things up, and point to the real issues.

  1. Warden is a piece of software that Blizzard Entertainment uses to help protect World of Warcraft (WoW) from a world of cheaters and other perceived enemies, since its inception in a patch of the game on July 12, 2005.
  2. I am regarded as one of the most knowledgeable individuals outside of Blizzard Entertainment on the topic of Warden, and have first-hand knowledge of Warden through reverse engineering nearly every minute detail of the software since its inception.
  3. Warden as a whole is composed of three basic pieces: a piece on servers run by Blizzard, a piece in the World of Warcraft client that remains there until patched with the rest of the game, and a piece sent during the WoW login process that can also be replaced any time afterward
  4. The piece sent during the WoW login process is the piece generally spoken of as simply Warden (and this is the piece I will refer to as Warden hereafter)
  5. Warden is polymorphic. What this means is that they generally create one set of functionality, and create hundreds of non-identical copies (which I will refer to as permutations) of it that produce the same end result. The reason for being polymorphic is to make Warden marginally harder to circumvent, and harder to detect when Warden has been updated with new functionality.
  6. There is typically about 318 permutations of Warden in distribution at any given time, according to our tracking information. This may be different as of the last few days, as at present time, Blizzard is only rotating a single permutation into the wild every few hours. Bear in mind that can change at any time, and may go back to 318, or could literally be any other number bound only by Blizzard's computational power to produce them (without implying any such intent, WoW provides them with a lot of money, if they wanted to this could be a much bigger number than 318).
  7. Warden currently has roughly a dozen scans available to it. Each scan searches for one type of thing, typically being informed of a specific thing of that type to scan for upon request by the server. For example, one scan that was previously used is a scan that could find a window open on your computer, and that scan would be told to run and look for a window titled "My cheat program" (not really that specifically, but for an easy to understand example).
  8. Scan responses typically involve simply a YES or NO answer, for example a NO that it did not find a window titled "My cheat program". Other scan responses do involve bits of memory directly retrieved from the World of Warcraft process, usually not encrypted.
  9. Warden performs a set of scans at random every 15 seconds during World of Warcraft play, per instructions from the game server. The scans are run, and the results sent back to Blizzard.
  10. Warden is effectively useless the vast majority of the time. The process generally works by making the assumption that for some period of time after a Warden update (meaning one specific set of functionality consisting of any number of permutations, not an individual permutation), the scanning capabilities of Warden is unknown to the cheater, and furthermore that the time of the update is unknown to the cheater. During that period, any cheater unwise to the update is vulnerable. However, once it becomes known that Warden has been updated, and how to defeat it, cheaters are no longer vulnerable. Subsequently, during that period, Blizzard is the only entity that "knows" there is no concern for privacy, and customers are required to trust that.
  11. Warden updates have been tracked without Blizzard's assistance since early 2006. As such, any who cared to listen were notified of the update at the time of the update.
  12. On Tuesday, November 13, 2007, Warden was updated to include a new cryptographic (crypto for short) layer, presumably used to prevent man-in-the-middle attacks over network (something done by those who emulate the WoW network traffic in order to automate game play without running the World of Warcraft client software). The cryptographic layer works for that purpose solely because the algorithm is generated, presumably at random, per permutation, and is embedded into Warden. Warden itself is not encrypted as part of this layer.
  13. Prior to the new crypto layer's implementation, all permutations of Warden could be vetted by security researchers in one fell swoop, effectively verifying that all permutations of Warden did, in fact, contain the same functionality.
  14. Ironically, the world of cheaters are the ones tasked with making sure Warden is lawful, and notifying the rest of the World of Warcraft community when something isn't quite right. Consequently, the World of Warcraft community generally responds in favor of Blizzard, regardless of potential infringements of their rights, because they believe that Warden is becoming more effective by whatever is added to it.
  15. Before item #16 is read, I will reiterate that Blizzard has not, in my opinion and to the extent of my knowledge, broken laws with Warden's use in World of Warcraft. Nor do I believe they would knowingly and willingly do so.
  16. The new crypto layer's implementation creates a sort of vulnerability in the system, affecting users of the system, but of no concern to the creators of the system. Specifically, as this algorithm is produced at random per permutation with only the requirement that the server also be aware of the algorithm, it must be assumed that every permutation has a different implementation of the algorithm, and it doesn't make a bit of difference what the algorithm is. In the few copies I have reviewed, it is in fact a cryptographic hash algorithm, and the result is then used to re-key the encryption after sending a hashed copy of the key for verification by the server (the algorithm accepts random data from the server, and produces data that can only be predicted and verified by the server, without manually reverse engineering the permutation of Warden). The real problem is that this implementation can be exploited by Blizzard or an employee of Blizzard, at their sole discretion, with surgical precision if they so choose, to bypass any protective measures taken on behalf of the customer, and retrieve anything they may not be entitled to, even installing malware. There is essentially nothing stopping Blizzard from producing 100,000 permutations of Warden, slipping something unlawful into a single permutation, and slipping right through any network of researchers watching for just that.
  17. Typically this sort of thing is not an issue, as programs consumers purposefully come in contact with are not polymorphic, and it can be generally assumed that every copy of Windows Media Player 10, for example, is identical to the others. Security professionals can take their time in tearing it apart and letting people know if there is something to be afraid of. Warden, however, typically comes in hundreds of flavors, and the software routines are downloaded and executed in real time, and customers must not observe the behavior of those routines, as required by the game's End User License Agreement. This means that the customer is prohibited from viewing what Warden is doing, even if they have the knowledge to do so.
  18. While, again, I do not believe that Blizzard will knowingly and willingly break any laws, I do believe that the customer has the right to reverse engineer the software, if for no other reason than to verify that it does not violate privacy, install malware, and so on. Blind trust is a very good way to get taken advantage of, and you never know until it's too late.
  19. I regret that Blizzard is taking fire in a direct fashion for this, as I do not wish to make this specifically about Blizzard (although yes, I did call on Blizzard to promote transparency in their detection methodology, the issue as a whole goes well beyond Blizzard). I am not attempting to "fearmonger", nor do I see it as a positive thing that the original article was misinterpreted. I am also not raising this issue due to any implied difficulty in continuing to provide software that can hide anything from Warden (if you must know, my solution is waiting until I have solved this vulnerability for those that my software protects, and that solution will be available soon, but cannot address the greater issue).
  20. The issue that happens to affect Blizzard today, is likely to affect more corporations in the future, unless it can be legally curbed. It's a slippery slope, and although they may not be doing something wrong today in the opinions of many, Blizzard or similar corporations may continue dangerously down that slope and eventually the many may change their minds and become interested. With an End User License Agreement and Terms of Use that expressly prohibit research into their tactics, polymorphic code to help hide them, and now random functionality that makes it much more difficult to white list all of Warden (if you ask me what scans Warden has now, I can't tell you for certain), one must wonder exactly how far companies like this will go. Such tactics are usually reserved for malware to hide from anti-virus software! How much of our rights to know what information our own computers are sending out into the world do we have to give up, just to use software? What is stopping other companies from doing the same thing? Why would we trust other companies in the same situation Blizzard is in? In a world where corruption issues routinely make front page news, people need to realize that there are reasons new laws get made. We need to protect our rights as consumers, not blindly accept whatever agreement is thrown at us. Just because the EULA says something is prohibited does not mean they have the right to prohibit it.
  21. Besides, Warden effectively does little to solve the problem it intends to solve! Granted, Blizzard is able to ban some accounts from time to time, but they are showing that they do not need to have this software in order to ban accounts. Server-side detection mechanisms are more effective, as they cannot be subverted by client-side mechanisms, and cannot be discovered by reverse engineering the game client. Instead, server-side mechanisms would attempt to enforce humans playing the game, rather than bots, or attempt to enforce game mechanics where the player may modify them (e.g. by making himself move exceptionally fast). In this fashion, there is no inherent danger to anything on your PC, and quite frankly, if a cheater does not appear to be cheating to the other players, then clearly no harm is done to the game. But again, quite frankly, Warden does not greatly reduce the number of cheaters or botters, trust me they're still here, and in far greater numbers than when Warden was first implemented in World of Warcraft in July 2005. It does not reduce the real-money trade for in-game valuables, that's still here too, and likely in far greater numbers as well (though I don't have the data to back that up, I believe it is a growing industry) -- Server-side mechanisms are, however, at least somewhat effective there. If Warden is good at anything, it's simply delaying cheaters and botters by making them wait for protection, or it's good at putting money in Blizzard's (and Vivendi Games') pocket, because the majority of the accounts they ban end up coming right back and buying a brand new copy of the game, just to continue the cat and mouse game.
  22. Very nearly (if not exactly) the same level of effectiveness that Blizzard is sincerely offered by Warden can be gained without producing polymorphic code at all. Furthermore, removal of the polymorphic code would allow security researchers to ensure that customer data is safe, without blindly trusting Blizzard, to a much higher degree.
  23. I wish to reiterate that it's not my own data I'm concerned about. If this were about any implied difficulty in protecting myself from the system, I wouldn't even bother to blog about it. The problem is that I can no longer ensure the safety of other World of Warcraft players, including my own family, and I believe it is important for someone to do that. And again, not just for World of Warcraft, but for any software that seeks to use cryptic or secret methods to do their bidding.
I hope I have made it clear that I do not have an inherent mistrust of Blizzard as a whole, but while we can share the belief that Blizzard means well, Warden is not stopping people from cheating or botting, and there are precedents to be set here. We can't lay down and give up our rights, or our expectation and even verification of privacy, to companies just to use their software.

I apologize for not having links to back up various statements, such as #21, but with any amount of research, you can verify that the cheating and botting communities have not left the game, and with some 9 million subscribers, I don't think anyone will find otherwise.

Update: Just a few excerpts from F-Secure's Malware Code Glossary that show potential relationships between this type of software (Warden), and what companies like F-Secure aim to protect you from. This is not an indication that I believe Warden itself is clearly any of these things, but definitely is very close to the line if not, and again, this is not just about Blizzard and Warden, but about all current and future companies doing similar things.
  • Polymorphic Virus
A Polymorphic Virus is a virus which changes itself (mutates) as it passes through host files, making disinfection a serious challenge.
  • Rootkit
Rootkits are a technique that allows malware to hide from computer operating systems and from computer users. Rootkit techniques create stealth programs that run at a "lower" level than the user can see with normal software utilities. Malware attempts to use this method to avoid detection by security software.
  • Spyware
Spyware is software that performs actions such as creating unsolicited pop-ups, hijacks home/search pages, or redirects browsing results.

The term Spyware has been used in two ways: In its narrow sense, Spyware is a term for Tracking Software deployed without adequate notice, consent, or control for the user. In its broader sense, Spyware is used as a synonym for Spyware (narrow) and Other Potentially Unwanted Technologies.
  • Trojan
A Trojan or Trojan [Horse] is a software application with hidden destructive functionality. It is a program that appears to do one thing but actually does another.


Peter said...

Lax, you're going on a Warden rant similar to what Greg did when Wow Sharp got whacked. The players will not care about this change any more than they care about the first moment warden was introduced.

As far as I know Warden has always had this ability since it's fetched from their servers. Which means that they are at liberty to run any code all this time. What's the new issue here?

- asp

Bill said...

Glad I don't play this stupid game anymore. People are always going to find ways around things, it's human nature. I don't need a program that can be hijacked by some random nimrod employee and place my info in danger. Client-side only games FTW!

Doug said...

You're certainly fearmongering by linking to the worst definitions of each of the important terms you use. Polymorphic programs are not inherently bad, neither are trojans or rootkits, but you've chosen to link to definitions that define those words in their worst terms.

kahlan said...

I appreciate you informing the community as a whole about this. It is certainly something to look into.

I think the only thing we can do as consumers and users of this product is to write a statement to Blizzard about our concerns (as no, I don't want to trust every single person who works at Blizzard) and/or quit paying for the service/boycott.

Am I correct that these are our only courses of action?