Sunday, July 29, 2007

Privacy and you

Ahh, Greg Hoglund and the art of deception. Ever since Warden was implemented as an anti-cheat tool for World of Warcraft on July 12, 2005 (which Hoglund "discovered" in October 2005), there have been numerous reports that it is relaying information to Blizzard that would constitute invasion of privacy. It all started with Hoglund's post, found here: In all fairness, I will point out here that Hoglund did not state in his post that the private information mentioned was actually relayed to Blizzard. However, he intentionally left that possibility open.

So, let's take this at face value. Hoglund makes a "big deal" out of the use of the GetWindowText API. This API is standard in Windows and has existed since Windows 95 and Windows NT 3.1 according to its MSDN documentation. To clarify, Hoglund references GetWindowTextA, which is an ANSI encoding-specific version of this function -- there is also GetWindowTextW, which is a Unicode version of this function. There is a similar separation with many Windows APIs, and with recent versions of Windows, the ANSI versions actually wrap the Unicode versions. For the uninitiated, ANSI and Unicode are methods of encoding text in sequences of numbers (i.e. terms that computers understand). Unicode is used to support internationalization, where there are far more characters (letters, numbers, etc.) in various languages than ANSI encoding was designed for. Now back to the important stuff. So GetWindowText can get the title of any open window on your PC, as well as text associated with various other user interface controls. This can be used in conjunction with EnumWindows to retrieve the title of every window. Any program can do this, and it takes no special security privileges.

If a piece of malware wanted to relay this information somewhere in an attempt to steal your personal information, it would not take a genius to do so, and the program would pass right through any virus detection software. Why? Because window titles are not generally useful. Sure, said hypothetical attacker could determine that I am posting on my blog by checking my Firefox window title ("Blogger: On Warden - Create Post - Mozilla Firefox"). Sure, they could determine I am on Internet Relay Chat. But what good is that to the attacker?

The trouble of course begins when there is something to hide. Like anyone else, I would be concerned if my personal information was being transmitted. But that's just it. The key word is transmitted. The following is highly contrived and obviously unethical today, but imagine a device that could be inserted directly into your brain, and this device had the technology to scan your brain for information. If this device was not relaying any information to anyone else, there would be very little concern for your privacy. Now let's say that it relays some information, but that it only relays information about the device's health for diagnostic purposes. The question then becomes "Is it REALLY sending out a report on its own health, or is there more to it?" Now there's a good question. Now let's say it relays information about your thoughts, but only if you are thinking about doing something illegal or unethical. The question then, in addition to wondering if that's all it's REALLY looking for, is "Is it detailing my thoughts? Or is it just saying that I am having illegal or unethical thoughts?" And finally, let's say that it relays detail on every thought you are having. There is certainly no question to be asked about that; it clearly leaves you with no privacy at all.

So what is it that I'm implying? What I'm saying is that Hoglund's either not asking the questions, or is conveniently leaving those parts out. After all, with all of the excitement over his "discoveries", his site went from nothing, to something (see for site traffic details), he has mentions from the EFF, has spoken at the Black Hat security conference, and has now published a book (and of course, the book is plugged on, and presumably plugs the site as well). It's clearly in his economic interest to create controversy, whether there is any or not.

I'll take the liberty to answer the questions, with specific regard to Warden reading window titles, and its now 2-year history. Warden has never relayed window titles, and does not even currently read window titles at all (has not for some months now). What it did is scan all window titles, looking for specific ones based on a hash (as Hoglund correctly described). A hash is a way to turn some sequence of numbers into another sequence of numbers, resulting in a way to identify the original sequence to some degree of accuracy without actually revealing the original sequence. Typical uses include password checks (so that your password "god" becomes a large number and the original word is never revealed), data integrity checks (e.g. to make sure a download did not become corrupted), and so on. For example, if a cheating program had a window titled "My Cheat Program", they would hash that to come up with the value to compare against. Then, for each window on your system, it would hash the title and compare the hash to the value they came up with originally. If the title matches, it stops the search and notes the information for its response transmission. If no titles match, it notes this information for its response as well. The response to the window title scan was one of exactly two numbers. One means YES, the other means NO. There is the answer. While the window title scan was active, they were looking for specific "illegal thoughts" and receiving only a YES or NO response. The same is true for the process name scan -- yes, they did that too.
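The scan described above, sketched as an added example that is not Warden's code or code from the original post: the client is handed only hashes, hashes each title locally, and emits a single YES/NO value. SHA-1, the response values 0 and 1, the function names and the sample titles are all assumptions made for illustration.

```python
import hashlib

# Assumed response codes; the post says only that there were exactly two.
RESPONSE_NO = 0
RESPONSE_YES = 1


def title_hash(title: str) -> bytes:
    # SHA-1 is an assumption; the post does not name the hash Warden used.
    return hashlib.sha1(title.encode("utf-8")).digest()


def scan_titles(window_titles, target_hashes) -> bytes:
    """Hash each title locally and return the one-byte scan response.

    The scanner is given only target hashes, never the titles it is
    looking for, and the response carries no title text at all.
    """
    targets = set(target_hashes)
    for title in window_titles:
        if title_hash(title) in targets:
            return bytes([RESPONSE_YES])  # stop at the first match
    return bytes([RESPONSE_NO])


# What the scanning side ships to the client: hashes only.
TARGETS = [title_hash("My Cheat Program")]

# Constructed sample data standing in for the output of
# EnumWindows + GetWindowText on a user's desktop.
CLEAN_DESKTOP = [
    "Blogger: On Warden - Create Post - Mozilla Firefox",
    "World of Warcraft",
    "Online Banking - Account Summary",
]
FLAGGED_DESKTOP = CLEAN_DESKTOP + ["My Cheat Program"]

if __name__ == "__main__":
    for name, titles in (("clean", CLEAN_DESKTOP), ("flagged", FLAGGED_DESKTOP)):
        print(name, "->", scan_titles(titles, TARGETS).hex())
```

Because the comparison is on the hash of the whole title, a window whose title differs by even one character produces NO, and the banking and browser titles in the sample never appear in the response in any form.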

The entertainment value for me comes with the implication that The Governor is somehow current and shows relevant information. While it is true that The Governor once showed information relating to about half of Warden's scanning ability, it never showed exactly what was actually relayed to Blizzard, let alone the other half of Warden's scans. If the book is intended to have complete or current information on the subject, they would clearly be interested in speaking with other parties with knowledge of Warden. For example, I have been keeping tabs on Warden, and so has Mercury of MMOGlider fame, as well as maybe a dozen other individuals around the world. From the portions I have read, the book does not so much as acknowledge the existence of any Warden expert other than Hoglund himself, if he is to be labeled as such. But it does incorrectly state that Warden is currently scanning the title bar of every window on your computer! This seems to imply to me that Hoglund has not looked at Warden since October 2005, and is simply counting the money he has made since. It seems that his intent is to defame Blizzard in response to his World of Warcraft accounts being banned, and make some cash in the meantime. I'd say he's covered the costs; maybe it's time to stop the charade.