Wednesday, November 14, 2007

A storm is brewing

Important note: A lot of people are misinterpreting this post because the details are largely technical. Please see the follow-up post "In plain English", as I believe I have covered most if not all of the points people are attempting to make after reading this article.

Coinciding with the most recent World of Warcraft patch (Tuesday, November 13, 2007), Blizzard has begun a more aggressive campaign with Warden. The changes to Warden effectively remove our ability as a community to police Blizzard's activities, and may lead to undetected violations of personal privacy, among other possibilities. I have until now publicly defended Blizzard's actions, which were already under public scrutiny, partly because of Greg Hoglund and his crusades (which I have never agreed with). I do not believe that Blizzard would ever intentionally break privacy laws (or any laws for that matter), at least in any manner that can be traced. However, as we all realize, there are gray areas, which Blizzard is no stranger to (I would consider Warden itself to be in that gray area, which does not seem to be illegal, but that many people would feel is a violation of their rights, and could potentially be deemed illegal in the future), and I do believe that Blizzard would enter those areas until legally bound to leave them (i.e. when the area is no longer gray, and consequences would follow).

I cannot condone or agree with the changes to Warden, and I fear they may be overstepping their bounds. The problem is that Warden has long been a polymorphic program, typically a concept used for viruses, spyware, and other sorts of things that an attacker may wish to hide (see the linked page from the words "polymorphic program", and take note of the described usages). In Blizzard's case, they intend to hide functionality of Warden from what they perceive as attackers, for the obvious reason of catching said attacker without him being tipped off as to how. Clearly, if said attacker knows how, he would attempt to avoid being caught. In itself, this polymorphism is not entirely destructive.

Historically, the polymorphic code produced essentially the same predictable results in the end, and Blizzard's Warden-related activity was kept in check by software like ISXWarden, and to some extent by Glider's Tripwire (at least in the ability to track how often and in what numbers a new Warden was produced, I'm unaware of any additional capabilities Tripwire may have). Unfortunately, Warden now includes a different random cryptographic hash function in every copy, apparently used for cryptographic key exchange, at least in the copies I have reviewed. However, it is nearly impossible to enforce that. The hash function could be replaced with a function that retrieves information from your computer at random (or even precisely defined information, including credit card numbers, or literally anything else) and sends it back to Blizzard, and to electronic enforcement systems, this would be nearly impossible to predict or report.

I formed my opinions of Blizzard's activities and stood on their side of the line on privacy violation arguments, solely because I have been able to automatically keep track of exactly what Warden was doing, how it was doing it, and what information was sent back to Blizzard, regardless of the number of permutations of their polymorphic software. This effectively resulted in checks and balances, much in the way government bodies separate their powers which I believe, in the end, are supposed to preserve the rights of the people in cases of corruption and such. Now, information suggests that Blizzard has begun continually producing replacement copies of Warden -- previously, roughly 318 permutations of Warden existed per patch (according to information from ISXWarden users, as can currently be viewed on the WardenNet stats page), and would be used on a rotating basis. To reiterate what I implied above, all 318 of those permutations could be vetted by software (including ISXWarden), and the behavior of each one could be verified to be identical. Therefore, anything that Blizzard would try to slip into their software was kept in check, and they would not have been able to introduce any significant privacy violations without alerting their customer base. That's actually a very good thing to have on their side.

However, this change to Warden is not a very good thing to have on their side. Given the fact that the randomly generated hash algorithm can be replaced at Blizzard's sole discretion with any other algorithm, including ones that retrieve and use personal, private and/or otherwise confidential information, with only their server to be required to know about the changes, this should be considered a very scary thing for the rest of us. Blizzard, I agree with you wanting to protect your game, I agree with most of the functionality you have placed in Warden, but you're losing a supporter who has conflicts of interest with your policies and still agreed with them, and that would have made a strong argument for your side.

Blizzard, I strongly urge you to promote transparency in your policing efforts. The public cannot be expected to trust a corporation that is hiding information from its own customers. You are governing several million people across the globe, and even though you do not like some of them, you should not attempt to hide your software or the functionality of your software on your customers' personal computers. There is absolutely no excuse for doing so, and I do believe that this is now, without a doubt in my mind, an ethical issue.

Digg it

Update:
I wish to clarify a few things, as this post has been read, mis-read, partially ignored, and so on.
There is no issue with Blizzard using a hashing algorithm, or encrypting data. There is no issue with Blizzard attempting to detect its perceived attackers. There is no issue with a key exchange in the detection software. It's not even about any implied difficulty by said attackers to sidestep the new functionality, which at face value, is not a difficult task. The issue is that the hash algorithm can be replaced with any algorithm. The issue is that the hash algorithm is different in every copy of Warden, so there's no simple method of ensuring that every copy of Warden is simply using a hash algorithm, and furthermore that it is one-way. The issue is that the detection software may be exploited, by Blizzard or an employee of Blizzard, with or without the corporation's knowledge, in order to do anything they please on your PC. A resourceful Blizzard employee could, for example, install a virus or other malware on your PC, and have a pretty high chance of that going undetected by the customer. This example may seem extreme, but bear in mind that all customers are required by Blizzard to blindly accept whatever Warden is doing on your PC. By discouraging independent analysis of their tools, Blizzard seems to have something to hide. While I will reiterate (from the first paragraph of the post) that I don't believe that Blizzard would knowingly and willingly break any law, I do strongly believe that Blizzard has a responsibility to show its millions of customers that it is taking these actions in good faith.

Finally, I believe this is an issue that affects not just Blizzard and their customers, but all present and future corporations and customers who may be attempting to hide this sort of process or information from their customers. There is a limit to what they can do, and we can't blindly expect Blizzard or any such company to follow those limitations if they are not being independently verified.

33 comments:

merlin981 said...

You hit the nail on the head, Lax

Daniel said...

He's not a crybaby idiot, he's informing us that now without checks and balances our privacy can now be infringed without you knowing it. Without lax, World of Warcraft could grab Credit Card Info, Bank account Information, SSN, and many other personal things without leaving a trace on a computer. That is quite scary if you ask me.

Amarok said...

They already have your credit card info, what does it matter?

wai said...

Okay, I just have to ask here.

Blizzard already has the following:

Your first and last name.
Your credit card number.
Your billing address.
Your e-mail address.

As a corporation, what more does Blizzard really need? And why would they risk destroying their reputation and facing lawsuits by doing something like that?

I'm sorry, but at this point I'm still seeing a lot of what happened when Warden first came to light - fearmongering and paranoia. Yes, they theoretically COULD be doing this. But let's be honest, do you really think they WOULD?

wai said...

The issue is that the detection software may be exploited, by Blizzard or an employee of Blizzard, with or without the corporation's knowledge, in order to do anything they please on your PC. A resourceful Blizzard employee could, for example, install a virus or other malware on your PC, and have a pretty high chance of that going undetected by the customer. This example may seem extreme, but bear in mind that all customers are required by Blizzard to blindly accept whatever Warden is doing on your PC. By discouraging independent analysis of their tools, Blizzard seems to have something to hide.

Independent analysis isn't a requirement of security. You claim to trust that Blizzard wouldn't knowingly break any law, but if I'm understanding what you're saying correctly, it sounds like you wouldn't even be happy with Blizzard having several of their people make sure nobody had tampered with the Warden package just before a patch goes out, or even paying another company to do it for them, because that wouldn't be an "independent analysis."

A comment above mine mentioned that there are no checks and balances; this is only true if you assume there are no internal checks and balances. Blizzard most likely has measures in place to prevent individual employees from tampering with the code without getting caught, and if they came out and told us they did when this concern was brought to them they would have no reason to lie. If they did lie, it would be because they DO have something to hide, but Blizzard as a whole has no reason to do anything like this. They already have your name, address, credit card number and e-mail; you gave all that to them. What more do they need as a company for any sort of marketing purpose (shady or otherwise), and why would they risk lawsuits and the destruction of their reputation by going out of their way to steal more information?

Dervish said...

The Storm is brewing only because mistrust people not the software itself it sounds like.

also if you keep your SSN and bank information saved on your machine /boggle if anything those should never be save on a PC if at all possible most users either dont have the know how or the desire to effectively protect that kind of information

and if your wondering how i know this i spent a couple of years doing tech work for dell through one of their sub contrators and the amount of information that i could have abused was astronomical

i can understand your fears guys really i can but the only alternative would be to not play WoW or find another game and i think you will find that a lot of games in the future will use something similar eventually.

I myself will trust Blizzard at least farther than i trust microsoft.

if something happens to shake my trust then i will do something about it

Mage said...

Actually for many customers, Blizzard doesn't have the correct information on them. I have a second account that my guild used as a guild bank so all officers would have access to it. When I set that account up, I used my mains name instead of my own, a fake address that was made up, and a game card. Blizzard had no personal information what so ever on that account about me.

With warden, they can gather far more information that one might willing to give.

Chad Moran said...

A lot of you are REALLY failing to see the issue here. The point is that this makes it even easier and now impossible for us to know what is being taken from our private information.

Just to show how easily this can happen, read this article.
http://www.vnunet.com/vnunet/news/2203373/seagate-warns-infected-drives

This happened recently and people are having their accounts stolen because of an employee that was payed to do this.

S said...

In response to the quote below. They may have your contact information. But, what about your wifes? or anyone else that uses your computer? Oh what about a computer you get on, maybe public?

Okay, I just have to ask here.

Blizzard already has the following:

Your first and last name.
Your credit card number.
Your billing address.
Your e-mail address.

As a corporation, what more does Blizzard really need? And why would they risk destroying their reputation and facing lawsuits by doing something like that?

roar said...

so how long before malware authors start targeting these systems do to their ability to hide code from AVSs

roar said...

In response to Wai, they cannot keep your credit card number. at best it can be oneway hashed, but it must be cleared from the Transaction processing system in order to comply with PCI (Payment Card Industry)standards. the CC companies will not honor changes made through non-PCI certified entities.

chrisholko said...

I have to laugh. YOU CANNOT CONDONE? Who cares? I only care about two things when it comes to WOW. Am I having fun and are those looking to cheat/exploit/etc having a hard time impacting my ability to have fun.

You have already given Blizzard all the personal information needed to cause grief yet you don a tinfoil hat and go off like "crazy for cocoa-puffs"

If you don't like it DON'T PLAY. It is THEIR game, not yours. Your attempts to spread paranoia only show your irrational and immature.

Dog said...

Does it really matter so much that a video game company can find out what porn is on your hard driver when the federal government is illegally listening to your conversations, granting telecoms amnesty for helping them do it, and rolling back the Bill of Rights one by one?

If people want to get up in arms about privacy, by all means, do so. Just keep things in perspective. Erosion of core American democratic principles fostered by our current 'leaders' (Democrats and Republicans) vs. a private company's video game.

AdamR said...

I really don't agree with your analysis. As others have already said, Blizzard already has full credit card information. An employee of Blizzard could easily exploit this. However, you would know right away because charges would show up on your card that you didn't approve.

You're disagreeing with people not being able to find out what they're going on your computer. Okay, fair enough. But as you said, you trust Blizzard as a corporation not to use this tool to harm you or your computer. Certainly, a rogue employee may be able to do something, but on that note, isn't it logical to assume that Blizzard has their own internal checks and balances system? I would assume that they have a very strict method of monitoring who and for what purposes the system is used and some sort of tracking system.

I personally welcome the change. It adds that extra level of security against people who want to break the rules of the game and make it severely not fun for other people.

- Adam

dissapointed said...

Wow some of your are pretty ignorant. Just because Blizzard already has you CC information doesn't mean that the employee's have access to this info. I work for a retail industry and we as employee's have no way of getting this info.

The point that the OP is trying to point out here is that this new piece of code gives an employee the opportunity to embed systems with rogue software that COULD retrieve any CC info or other info including your user and password to WOW and send it off to a separate location to be done with as they needed.

Being a WOW player you should know that the selling and buying of ingame gold has turned into a big business as is selling accounts.

The link provided earlier mentioned that a employee of Seagate was paid to install a virus on harddrives to do exactly that! And this being Prior to the drives even being on the market. What makes you think that an employee from Blizzard wouldn't accept money from the same people to hack into your systems with this piece of software? This tool gives them the oppertunity to do this undetected!

Here is the quote from the link mentioned.

"The Trojan was identified by Kaspersky as Virus.Win32.AutoRun.ah. The malware steals password information for several Chinese online games, including World of Warcraft, and uploads the data to a remote server."

FoolyCooly said...

in 20 years when everyone, not just when this game company, but when EVERYONE is doing the so called "scans" and "anti this" or "anti that", look back at your posts and tell yourself you're still right.

Eq said...

Thanks for sharing this info, I agree 100% with you, unfortunally it seems like 99% of the people who comment, dont understand or focus on the least of the problems, we need to take blizzard to court for this, lets start collecting money for the lawsuit!

lordík said...

Either play it or uninstall it, ffs.

Adam said...

And you agree to what they do with their EULA. And you are forced to agree to it if you want to play.

The Landlord said...

People need to understand that there does have to be a balance of trust. I like Blizzard, and I think it's a good company. but I think it's a bad thing for ANY company to install something on your machine that could (without your permission or knowledge) send personal data.

Very smart people have been able to keep an eye on Warden in the past, and tell us that Blizzard is on the up-and-up. It's not that we don;t trust Blizzard, it's just that watchdogs make everyone safer, happier and easier to trust.

Hachiko said...

You are an idiot if you save your credit card information or whatsoever that is important on your PC.

Will said...

Interesting post on game-oriented security technologies; you've been slashdotted, so expect the onslaught.

If you don't like their changes, email them with this as the sole reason for your request to close your account -- and move on.

Money talks.

Chris W. said...

I do not play WoW. I come at this from the programming perspective.

I don't understand a process whereby those concerned about security, I would suggest 'overly' concerned about security, are working to defeat a process whereby WoW is attempting to protect players from cheats.

The net result is that by 'improving' security you are actively defeating it with in the game. Without showing that there is a realistic threat from WoW as a corporation what possible motive would one have to alert cheaters to every new attempt to thwart their purposes?

As has been pointed out WoW has all of the information necessary to steal every players credit card. What possible incentive does WoW have not to do every thing in their power to insure that the warden program cannot be used for privacy invasion or other malfeasence?

Eddie said...

The bottom line is that the average wow player didn’t even know what to look for before the changes were made. And if you were smart enough to look and understand it than your more that smart enough to protect your personal info.

Nik said...

I agree totally agree with "wai." And I also appreciate Lax's concern about this potential "threat." I think Blizzard, as a company governing over 9 million users, would never try to do damage its reputation (as someone else previously said) and risk to loooose its target market. Yes, there are many wrong things with Warden but don't you think Blizzard has already taken some measures about this issue. Lax's comments are valid tho - hypothetically. This could happen. But let's wait and see what happens. If Lax's predictions turn out to be true, you cannot imagine the backlash that's going to follow from users.

Keep up the discussions. :)

Cheers.

Willow Anne said...

I think the real question is:
What gives them the right?
I ask you to come in and clean my carpets, it doesn't give you the right to shuffle through my Underwear Drawer.
The fact that you probably wouldn't take anything doesn't matter, it's the principle.
It's a GAME...not the National Security Agency (though I don't want them in my underwear drawer either!).
Terms of Service blah blah blah, they've overstepped their bounds. And they know it and you know it.
I don't think they'll do anything with it either....until Microsoft buys them out....
P.S. Yeah. They have code reviewers review every line of code everyone writes. That's why there are never any PATCHES.

Pulserazor said...

It really amazes me how ridiculously ignorant people in this country have become. It also amazes me how freely people are willing to hand over their rights just because they cant see over the edge of their nose.

So to use the idiotic thinking of many posting here in defense of Blizzard, would you think its ok for the Community Watch in your town, or Homeowners Associations to come into your house and browse through things because 'they want to make sure the community is safe'? or how about the local police randomly knocking on your door to make sure you arent doing anything 'illegal'. I mean, we all know how impervious to corruption law enforcement, politicians and business CEO's are...now dont we? After all, they're just trying to make sure your 'safe'...right?

I could care less if this program were harmless in intent...there is NO reason a comapny providing a game should be entitled to scan your personal data for any reason. Personally i think the gaming industry needs a foot up the wazzoo. They have been getting away with all forms of infringements of people rights under the guise of a EULA or TOS...and this has been going on for years.

If this is adversely affecting their game design, then perhaps they need to fix the areas that are open to exploit, instead of invading people personal privacy in order to protect their precious game. The fact that people actually list Blizzard as a corporation that is above board in their defense of why its ok, is beyond me. So i guess all the people working for Blizzard Entertainment are without question the most honorable, sincere and legitimate people on the planet eh? Yea....I know im willing to trust a bunch of people whose sole purpose is to work with programming code.

Personally, i believe that this code needs to be removed from their software, and to show you just exactly how die hard i am at having my rights infringed, they should be shut down immediately until they comply.

Michael said...

I agree with the people saying this is a total overstatement. If you gave them fake info for an account, you already screwed yourself over for support. And if you don't like THEIR privately owned and operated game, and don't trust them to manage their own people. Then don't play the game. Simple.

Joe said...

AdamR: You are totally missing the point. You don't seem to have the ability to look past the end of your nose. We should not have to trust Blizzard or Blizzard employees. We should have the right to investigate and verify for ourself.

Vanilla said...

AdamR said:

isn't it logical to assume that Blizzard has their own internal checks and balances system? I would assume that they have a very strict method of monitoring who and for what purposes the system is used and some sort of tracking system.

As someone who works in a customer service call center, I see names, addresses, credit card numbers, checking account information, drivers licence numbers, places of employment, basically anything I need to completely ID theft ANY customer of our business.

If you "assume" there are checks and balances in place, think again.

There is a background check and drug screen when you first get hired, then **there is no way** to track what employees do with sensitive information. You can track which accounts a given employee has been in, but it's entirely possible, if an employee wanted to steal CC information, all they have to do is *not* access the account, *act* like they are and ask you for your CC number. Most people do *not* write down the name of people they deal with on the phone.

And when we talk about Blizzard, there is EXPONENTIALLY more customers, and I guarantee you, there is no failsafe "checks and balances".

Depending on what they can put on your computer, if they can log keystrokes, the CC information they get (if they are smart) WON'T be the CC you signed up for Blizz with. Most people have 2 or more CC's and all they have to do is wait for you to go to Ebay, Amazon or wherever, enter in a different CC #. Then when the charges start racking up on the Other card, customer blames Ebay or Amazon for not being secure.

It has happened.


dog said:

If people want to get up in arms about privacy, by all means, do so. Just keep things in perspective. Erosion of core American democratic principles fostered by our current 'leaders' (Democrats and Republicans) vs. a private company's video game


Exactly. So since it's not government infringing on your privacy (and just a private VG company) it's ok to not have to answer to the privacy concerns of your clients? Azeroth has over 7 MILLION "citizens" and in a sense, Blizzard functions as a governing body over Azeroth.

Why SHOULDN'T they be held accountable?

I have chosen to cancel my WoW account, and no longer play.

Scott said...

Much of the commentary here seems to be either, "OMG they are haxors" or "get over it, they already have tons of info on you, BECAUSE your a customer".

The real question is should a company require this level of access to your life, for the purposes of allowing you to be a customer.

It's like daniel said. This isn't about what is likely. It's about having proper checks and balances to protect ones liberty and privacy.

This is clearly an overstepping of authority in my view, and one that is already worked around for the purpose it claims to exist for (stopping cheaters).

Back to the drawing board.....

FoolyCooly said...

People hold ones they admire (or the devs of the games they admire) in high esteem. This could be the primary reason for the ignorance we see here.

FoolyCooly said...

People hold ones they admire (or the devs of the games they admire) in high esteem. This could be the primary reason for the ignorance we see here.

Being out of touch with reality does not stand as a good excuse for unreasonable assumptions, such as the assumption about what it is or has been. -Matthew Miller