Saturday, December 20, 2008

Why are people still referencing Hoglund?

Okay this is relatively old news but I hadn't seen it until now. Someone in IRC linked this article on by Jon Eldridge from May 19, 2008:

So we've got this "computer security expert", and alright, I'll bite, maybe he is some sort of computer security geek... but he's definitely no reverse engineer. He goes on to explain with some degree of accuracy, 2 of the scans that Warden had before early 2007. Notice the emphasis on had. What isn't accurate is this:

It reads the text in the title bar of every window you have open including that really embarrassing Furry fan site you don't want your friends to know about. Yes Nekudotayim, Bliz knows about your pr0nz.!
I went over that in detail in the first On Warden blog post, here: Blizzard doesn't know about your Furry fan site porn. Sure, Warden went through the titles of each window, and compared the title to a hash. But all it would do with that information is send back a yes or no. There was no sending back the titles of all the windows. Eldridge seemed to imply that the titles would be hashed and sent to Blizzard in order to compare to a database. Nope. Partial credit. Even if that was what happened, that doesn't give away your Furry porn. The hash is one way, there would be no way to recover the original title in order to determine if it was, in fact, Furry porn (Eldridge is apparently also not in the cryptography school of computer security expertise). Blizzard sent a hash to compare window title hashes to, not the other way around.

But that's not the worst misinformation of the article. This is:
The second act of the Warden Power Tour is to sniff out and hash every single process running on your computer and compare them to the list of banning hashes. So while you are playing WoW, Blizzard takes complete stock of every program, every window, every website and every process on your machine and compares it to a list you will never see... every 15 seconds. Contrary to many fanboy and armchair security expert flames Blizzard does indeed know about your surfing habits while you are playing WoW and a whole lot more. The issue is not what they know but what they choose to audit and act upon via their secret list.
Speaking of armchair security expert flames, Mr. Eldridge... Blizzard does not know about your surfing habits "and a whole lot more." Even if they were hashing all of the processes and sending them back, once again they could not recover the original executable name (oh, did I say executable name? yeah, you forgot to). They could only compare it to a list of known hashes, so they would have to take a huge number of guesses before coming up with the right one in order to determine what obscure programs you are running. But this doesn't even translate to "every web site", even if they were grabbing every window title and every process executable name. I don't know about you, but I use a browser that supports tabs. Only the focused tab changes the title of the top level window. But, once again, the process list scan hasn't been used since early 2007, and they sent the hashes to your PC to check, not sending a list of hashes to their servers.

Then Mr. Eldridge goes on to recommend Governor for anyone who'd like to "watch the Warden sniff around". If only that's what Governor actually did. (and again, I've gone over this before) Even when it was created, Governor only intercepted API calls from roughly half of Warden's scans. But it never showed what would actually get transmitted back to Blizzard. Governor hooks a small set of windows API functions such as GetWindowTextA and CharUpperBuffA. GetWindowTextA is used to get the title of a window, and CharUpperBuffA converts some text to upper case, for use in generating a hash. CharUpperBuffA was used for both the window title, and process executable names. But using these API doesn't mean that's what Blizzard is seeing, just what's happening on your PC. It's really quite mundane, and in fact, what Governor would see now is even more limited.

What's interesting is that people are still going back to something posted in 2005 by a guy who gave up on protecting WoW!Sharp because he didn't have the expertise to handle Warden (that'd be Hoglund), but there are people such as myself who actually know what they're talking about when it comes to Warden and I don't get so much as a question from people like Jon Eldridge. Instead, Eldridge has placed himself squarely in the FUD. Maybe he bought Hoglund's book!

No comments: