Blizzard Entertainment Uses Spyware to Verify EULA Compliance

Scary:

I recently performed a rather long reversing session on a piece of software written by Blizzard Entertainment, yes -- the ones who made Warcraft, and World of Warcraft (which has 4.5 million+ players now, apparently). This software is known as the 'warden client' -- its written like shellcode in that it's position independent. It is downloaded on the fly from Blizzard's servers, and it runs about every 15 seconds. It is one of the most interesting pieces of spyware to date, because it is designed only to verify compliance with a EULA/TOS. Here is what it does, about every 15 seconds, to about 4.5 million people (500,000 of which are logged on at any given time):

The warden dumps all the DLL's using a ToolHelp API call. It reads information from every DLL loaded in the 'world of warcraft' executable process space. No big deal.

The warden then uses the GetWindowTextA function to read the window text in the titlebar of every window. These are windows that are not in the WoW process, but any program running on your computer. Now a Big Deal.

I watched the warden sniff down the email addresses of people I was communicating with on MSN, the URL of several websites that I had open at the time, and the names of all my running programs, including those that were minimized or in the toolbar. These strings can easily contain social security numbers or credit card numbers, for example, if I have Microsoft Excel or Quickbooks open w/ my personal finances at the time.

Once these strings are obtained, they are passed through a hashing function and compared against a list of 'banning hashes' -- if you match something in their list, I suspect you will get banned. ...

Next, warden opens every process running on your computer. ... I watched warden open my email program, and even my PGP key manager. Again, I feel this is a fairly severe violation of privacy, but what can you do? It would be very easy to devise a test where the warden clearly reads confidential or personal information without regard.

This behavior places the warden client squarely in the category of spyware. What is interesting about this is that it might be the first use of spyware to verify compliance with a EULA. I cannot imagine that such practices will be legal in the future, but right now in terms of law, this is the wild wild west. You can't blame Blizz for trying, as well as any other company, but this practice will have to stop if we have any hope of privacy. Agree w/ botting or game cheaters or not, this is a much larger issue called 'privacy' and Blizz has no right to be opening my excel or PGP programs, for whatever reason.

EDITED TO ADD: Blizzard responds. See also here. Several commenters say that this is no big deal. I think that a program that does all of this without the knowledge or consent of the user is a big deal. This is a program designed to spy on the user and report back to Blizzard. It's pretty benign, but the next company who does this may be less so. It definitely counts as spyware.

EDITED TO ADD: This is a great post by EFF on the topic.

EDITED TO ADD: BBC has an article on the topic.

Posted on October 13, 2005 at 2:11 PM

Comments

robOctober 13, 2005 2:48 PM

I wonder what would happen for a windows emulator like transgaming's cedega or wine on Linux. I would assume the script would fail. Would that result in banning, even if following the EULA?

I also find it funny that legally Blizzard is allowed to transfer potentially malicious programs like this to an end-users machine and execute them without express conscent [outside a vague, wordy EULA that no one ever really reads] and yet as a consumer doing the same to them results in several years in jail and hefty fines.

Doesn't seem fair does it?

JesseOctober 13, 2005 2:57 PM

As a follow up, more information about the author, and responses about his "article":

http://forums.worldofwarcraft.com/thread.aspx?...
Quote:
I just wanted to let you guys know that the Author of "Wow is Spyware" over at rootkit.com that EVERYONE has been linking recently, is a development team member on a certain program that is SPECIFICALLY designed to hack/cheat in World of Warcraft.

Another link:
http://www.wowsharp.net/forums/viewtopic.php?...

There is no "violation of privacy" going on, the tool is random, and the guy who wrote the article you linked too has an axe to grind, given that he USED to make hack-bots/clients for the game itself.

Jeremy BowersOctober 13, 2005 3:06 PM

Where's the part where privacy-sensitive data is sent somewhere?

If this is "spyware", this loosens the definition of "spyware" to utter uselessness.

ChristianOctober 13, 2005 3:14 PM

My virus scanner does all the same things that the warden client allegedly does. Does this make it spyware?

HasemanOctober 13, 2005 3:21 PM

Axe to grind or no, Blizzard isn't doing any refuting of his accusations.
Having bad intentions doesn't make his information any less valid.
I feel a little unclean knowing that Blizzard has been scanning my computer since I installed WoW. (If indeed that's what they're doing...and they seem to admit as much in their discussion of the topic)
Frankly, their attitude of "Just Trust Us, we aren't keeping any information" just doesn't cut it.

-Chris

S.October 13, 2005 3:22 PM

@Jesse,

I'm not a security expert (far from that actually) but when in the thread you mention the person says :

"First off, please note that our reluctance to discuss this issue is because in order to stay one step ahead of hackers, we have to be extremely careful in regard to what information we reveal about our security measures."

Doesn't he understimate what a good hacker can or cannot do?

This sounds a fallacious argument to me.

cottonmouthOctober 13, 2005 3:27 PM

[quote]Again, I feel this is a fairly severe violation of privacy, but what can you do? [/quote]

Uninstall the darned game.

steveOctober 13, 2005 3:31 PM

Assuming no private data is sent to Blizard servers, and that the author of the "WoW is spyware" is a hack-bot author with multiple axes to grind, this still gives no right to Blizzard to "snoop over one's shoulder" scanning their private data, unless the user explicitly agreed to such activities (is a EULA explicit agreement? Perhaps, perhaps not).

The point is that the "WoW is spyware" author's motives/intents are irrelevant to the discussion, as is Blizzards "we don't send the private data to ourselves" defense.

JOctober 13, 2005 3:45 PM

@Jeremy:

Imagine I walk into your house without your knowing. I don't take anything with me, just have a look around. And remember some things. It's not stealing, right?

So, this *is* spyware. Even if no unhashed data is sent (yet). Furthermore, given the high (*cough*) standard of programming of WoW, I do not bet against this changing soon, and not by Blizzard's doing.

BarryOctober 13, 2005 3:49 PM

The Terms of Use that all World of Warcraft users agree to specifically informs the user and gets his consent to run these checks. In addition, the quoted post notes that the various places scoured for cheat strings are *hashed* and checked against other *hashes*, and then info on *whether or not a hash is matched* is sent back to Blizzard. What *doesn't* happen is the sending of any personal information back to Blizzard. They don't receive any text strings, and they don't get to find out what porn sites you have open in your backgrounded web browser.

In other words, this isn't spyware. But the authors of hack software, which ruins the game for the vast majority of the userbase who don't cheat, want to get public opinion on their side so that the Warden software is removed. Getting that to happen is key to being able to continue cheating without putting their game accounts at risk - several of the cheat developers have already been banned from the game when Warden caught them, so apparently, the software works.

RichOctober 13, 2005 3:51 PM

Blizzard says:
"Legally speaking, the scans are not a violation of rights."

With all due respect, that's not up to the accused to decide.

acOctober 13, 2005 3:54 PM

Bruce,

How would you feel about it if the program was written differently and achieved the same thing?

i.e. instead of sending hashed data back to a server to compare with known bad hashes, what if the server sent the known bad hashes to the client and the client did the comparison locally? (I'm not even sure if that's NOT how it currently works)

The only thing sent back to the server would be Pass/Fail. I wouldn't have a big problem with that sort of setup, except hash collisions and false positives, of course.

Sending hashes back to the server does, on the surface, seem like data that cannot be reconstructed into useful data, but that's not entirely true. You could take known hash values and sell marketshare measurement values to third parties, etc (I'm not suggesting that Blizzard does this, but I'm saying they COULD do it if they had the data). It's just best to keep the data on your machine.

peachpuffOctober 13, 2005 3:55 PM

Is it just me, or does Blizzard's response not contradict anything that was actually said? This person may have an axe to grind, but they never suggested that Blizzard was compiling personal information. In fact, they said explicitly that it was hashed (on the client side, since they discovered this through a "rather long reversing session") and compared to a hash blacklist. They were also pretty clear about Blizzard's motive.

Blizzard is trying to claim that this isn't an invasion of privacy because no humans look at the information and it never leaves the user's desktop. I think that's false--it's enough that the information is accessed and acted upon.

This is why I hate PR firms. Someone caught you doing something outrageous? Use their own outrage to pretend they accused you of something even worse. Then "debunk" them.

BarryOctober 13, 2005 3:59 PM

Note, by the way, that the "response" Schneier quotes is at least a month and a half older than the message board post he quotes.

Jeremy BowersOctober 13, 2005 4:09 PM

J, I resist metaphors on this topic (and related topics), in particular, because computer programs are not human. They can not meaningfully "look" or "remember".

If any of this information was sent to a human or human company, it would be spyware. But a definition of spyware that includes the operating system itself (as the operating system isn't just "looking" and "remembering", it's also "managing" and "enabling", among other things), as yours does, is useless.

Alan De SmetOctober 13, 2005 4:12 PM

This is a stunning example one of the problems with EULAs. The reality is that few people read them. In the case of online games it's worse: most require you to re-agree every single time you log in. For a mainstream player that will be multiple times per week. They can update the terms whenever they want without notifying you (other than displaying the new terms when you log in). So when you log in every time you're expected to re-read the pages of legalese and decide if you agree today. In practice it's not reasonable. So the vast majority of people just mash I AGREE without actually looking. Even in the best case, someone who took the EULA seriously is likely to only skim it with a "well, it looks the same to me." Online game publishers have to know that their customers do this. I'm not sure it's deceptive enough to invalidate the agreement, but it's sleazy and verges on deception.

I can't speak to the specific case of World of Warcraft, but I do know that some online games have changed their policies on issues like scanning the machine for hacks.

As for the author of the article being a hack-author as well, so what? While it's useful to know that he may have personal involvement, ultimately his statements are either true or false. You can debate his conclusions, but not the facts. The specifics of how WoW does the scan would be useful information to someone concerned about what WoW's scanning means in practice. Absent such work, your average user only has the option to trust Blizzard or not to trust Blizzard. Blind trust is stupid and leads to things like companies hiding security breaches. Indeed, knowing that their implementation might be publically described gives Blizzard strong incentive to be very careful, leading to things like using hashes instead of just sending back raw program names.

In this particular case, I think Blizzard is in the right (unlike the bnetd case). Given the author's description, the implementaion seems to strike a reasonable balance. It's likely to catch hack software, it's unlikely to catch innocent software, it's unlikely to leak any information beyond, "I am or am not using hack software". Blizzard has incentive to minimize hacking as do most of their customers.

Minty FreshOctober 13, 2005 4:18 PM

"Imagine I walk into your house without your knowing. I don't take anything with me, just have a look around. And remember some things. It's not stealing, right?"

That's a bad metaphor. You've installed the game, effectively inviting Blizzard into your "house." They are taking a look around to see if you resemble one of the unsavory characters they don't want to be associated with.

As far as I'm aware the results of the scans are neither sent to Blizzard nor stored on your PC. I'm no fan of Warden (yeah, I cheat at WoW), but I wouldn't go so far as to call it spyware.

Davi OttenheimerOctober 13, 2005 4:51 PM

@ Minty Fresh

Actually, it might be a good metaphor. Consider what happens when you invite an electrician into your house to check your wiring. Should the electrician be allowed, let alone obligated, to report that you have a black-box video device installed to cheat the system? What about felony activity? Is the electrician obligated by law to report something discovered that can prevent "immediate harm" to others. In that sense, by collecting more information than necessary to meet their states intentions, does Blizzard have to comply with subpoenas that reveal the activities/apps of WoW subscriber?

Fred F.October 13, 2005 4:56 PM

This looks like nothing more than DRM. Just a hokey kind. They are just making sure you don't overstep the bounds of the license.

It is about time we were able to run this kind of things inside their own safe sandbox. Have a well surveyed, checked and audited hypervisor that lets you run an OS from a hard drive image and keep everything compartamentalized. That way you can have the Gaming image, the Finance Image and the Work image. Microsoft can charge an extra $100 bucks per image and everyone is happy.

2S2DOctober 13, 2005 5:11 PM

"I think that a program that does all of this without the knowledge or consent of the user is a big deal. This is a program designed to spy on the user and report back to Blizzard."

It may be done without knowledge of the user, but it's certainly done with full legal consent. Lack of knowledge is 100% the fault of the user in this case. The EULA is re-displayed every time there is a change or the software is updated, you don't swim through it every single time you log on like with some other online games, and you don't have it stealthily changed without notification. Even the date is displayed prominently at the top of the document. I skip it myself, but I also don't complain when I find out something I didn't know was in the document.

As for computer privacy, there is no legal precedent for protecting your privacy other than restricting generic "access" to a machine. If you allow someone into the computer you *allow them into the computer.* They can be held accountable for violating any contracts you may have with them, like a click-wrap EULA, or they can be sued in civil court if they cause you financial damages by destroying valuable data, but since Blizzard does neither of these things what they are doing is perfectly legal. Argue ethics til you're blue in the face, but by the current definition it can't be called spyware, and they can't be sued or prosecuted for it.

As far as scanning currently open processes, every single program you run that only allows one copy to run at a time performs a similar scan, only instead of checking against a known list of other applications and flagging the account if something is found, it checks against itself and terminates if something is found. I don't see how one is worse than the other. A flagged account doesn't mean an automatic ban either, they will observe the character in play and review server logs to determine which hack is being used before coming to a decision. No personal information is involved.

Mark GritterOctober 13, 2005 5:19 PM

Fred F: That is exactly what I do with poker clients. Some of them are rumored to take screenshots as a 'security' (anti-bot) measure, or gather information about running programs. So, on my computer, they all get run in a VMware image where they can't access anything that's not their damn business.


Davi OttenheimerOctober 13, 2005 5:33 PM

@2S2D

"Lack of knowledge is 100% the fault of the user in this case."

You mention that a EULA is displayed repeatedly, but not whether it can be upheld as reasonable in a court. For example the courts will uphold prior laws and inalienable rights above the language of a particular contract that may be found to be excessively vague, misleading or overreaching. That is to say if you do not read a contract (even if you sign/consent) your risk has certainly increased, but you do not lose all your rights, which may include the right to privacy. I think that's a bit more reasonable than the 100% fault you place on a victim of spyware.

"there is no legal precedent for protecting your privacy"

Eh? Several US states have the right to privacy mentioned in their constitution, as well as other countries and human rights organizations. Privacy is also most certainly discussed in many Supreme Court cases.

"No personal information is involved."

Do you mean no personal "identity" information is captured, or that nothing relevant to a person (e.g. which programs are installed, what/when programs are running) is involved?

VISGOTHOctober 13, 2005 5:41 PM

The EULA specifies you agree to the Terms of Service.

The TOS has the following paragraph in it. Note that while most of the TOS is in standard caps/lowercase, this paragraph is all caps:

A. WHEN RUNNING, THE WORLD OF WARCRAFT CLIENT MAY MONITOR YOUR COMPUTER'S RANDOM ACCESS MEMORY (RAM) AND/OR CPU PROCESSES FOR UNAUTHORIZED THIRD PARTY PROGRAMS RUNNING CONCURRENTLY WITH WORLD OF WARCRAFT. AN "UNAUTHORIZED THIRD PARTY PROGRAM" AS USED HEREIN SHALL BE DEFINED AS ANY THIRD PARTY SOFTWARE, INCLUDING WITHOUT LIMITATION ANY "ADDON" OR "MOD," THAT IN BLIZZARD ENTERTAINMENT'S SOLE DETERMINATION: (i) ENABLES OR FACILITATES CHEATING OF ANY TYPE; (ii) ALLOWS USERS TO MODIFY OR HACK THE WORLD OF WARCRAFT INTERFACE, ENVIRONMENT, AND/OR EXPERIENCE IN ANY WAY NOT EXPRESSLY AUTHORIZED BY BLIZZARD ENTERTAINMENT; OR (iii) INTERCEPTS, "MINES," OR OTHERWISE COLLECTS INFORMATION FROM OR THROUGH WORLD OF WARCRAFT. IN THE EVENT THAT WORLD OF WARCRAFT DETECTS AN UNAUTHORIZED THIRD PARTY PROGRAM, BLIZZARD MAY (a) COMMUNICATE INFORMATION BACK TO BLIZZARD ENTERTAINMENT, INCLUDING WITHOUT LIMITATION YOUR ACCOUNT NAME, DETAILS ABOUT THE UNAUTHORIZED THIRD PARTY PROGRAM DETECTED, AND THE TIME AND DATE THE UNAUTHORIZED THIRD PARTY PROGRAM WAS DETECTED; AND/OR (b) EXERCISE ANY OR ALL OF ITS RIGHTS UNDER SECTION 6 OF THIS AGREEMENT, WITH OR WITHOUT PRIOR NOTICE TO THE USER.

Those saying that it was done without the knowledge or consent of the user should be pointing the finger at the USERS, not Blizzard. Don't agree to contracts you haven't read.

Terence TanOctober 13, 2005 5:51 PM

1) Blizzard already has your credit card number. It's how they bill you every month. They also have a lot of other personal information, for the same reason.

2) Whether the reporter is a hacker, rootkit author, has an axe to grind, etc. is a separate issue to the claims of Blizzard planting spyware in their game, and does not diminish his claims (in fact, I think it lends them credibility). Blizzard also hasn't refuted his claims.

3) Even though Blizzard doesn't discuss security countermeasures, they've been reverse-engineered by "hackers" anyway. Expect new hacks to include a random number in their window title bars, for instance... This indicates to me that Blizzard's "security through obscurity" doesn't work.

4) Just because something is in an EULA doesn't make it legally or ethically correct.

Dido SevillaOctober 13, 2005 6:55 PM

Another issue that this thing has gotten me thinking about is while the program itself is relatively benign, I wonder what would happen if some malicious third party insinuated itself between the WoW server and a client. Instead of downloading the legitimate Warden Client, they'd download something much more nasty that does some ugly things to the poor client's computer. I hope, for the sake of all those who have to submit to this, that they're using SSL, and that the server they download it from is as secure as can be.

Toby HedeOctober 13, 2005 7:25 PM

The problem with these types of EULA is that after I have spent my $100 on a game I either agree to the terms or throw the game and the $100 away. Here in Australia, games cannot be returned to the store. It's all very well to say 'read the terms' but it's not like a normal contract negotiation, I can't negotitate away some terms or add terms of my own.

Ari HeikkinenOctober 13, 2005 7:57 PM

Many here seem to mention EULAs. EULAs are a joke. They're not contracts. You haven't negotiated them and you haven't agreed to anything they read. They're like stupid stickers slapped on top of products you buy that have some silly demands starting with "before you break this seal you agree to [insert something idiotic here]". How can any lawmaker be so idiot to actually grant some legal meaning to these? It's simply stupidity they even exist.

VISGOTHOctober 13, 2005 8:09 PM

Reply to Toby Hede:
Blizzard makes their EULA and TOS available on their website. Since you presumably have Internet access if you are purchasing WoW, you could check out the EULA ahead of time if you were really concerned.

And just to be clear in regards to my earlier comment where I quoted part of the TOS: I'm not taking a position on the enforcability of EULA's, the ethics of Blizzard scanning your RAM contents, or anything else. I'm only stating that if the user can not claim that Blizzard never told them. Blizzard told them, they just didn't bother to read what they were being told.

RogerOctober 13, 2005 8:18 PM

One thing that isn't quite clear to me is whether or not the hash blacklist is part of the program, or is maintained on the WoW servers (with the warden sending its hashes back across the network). The first case is ethically borderline, but technically very unsatisfactory and relatively trivial to defeat.

The second case is technically superior (harder to hack out, ban list can be very large and updated in real time), but ethically and legally totally outrageous, possibly criminal, and NOT covered by the EULA (even if EULAs were worth anything). In that case, it does not matter that the data is hashed (hashes of low entropy data are NOT irreversible), nor does it matter if WoW does nothing malicious with the data, as anyone else could be listening too.

@Fred F. & Mark Gritter:
That's a good idea (although I wouldn't trust Microsoft to implement it!). At present I go one stage further, I actually have separate machines. I have one dual boot machine (cheap, old and slow, but biggish disk and lots of RAM) for development; another (cheap, old and slow) for email, "serious" browsing and OpenOffice; and a third box, a Windoze one, newer, faster and with a fairly good video card, for games and casual browsing.

FuzzyOctober 13, 2005 8:29 PM

@rob:
Running the WoW Warden would not fail on Cedega/Wine. It would work the same way as it down on Microsoft Windows except the Linux/Unix tasks would not be visible.

@2S2D:
Trying to scan a process list for find other copies is not common. Using a lockfile or opening a network socket or using another unique resource are much more common ways to prevent multiple copies of a single program from running and are non-invasive.

@Barry:
You do not have to send back personal information to be effective "spyware" in the real sense. Using a hash to hide the "keyword" does not protect the privacy of an individual, it (tries to) protect the secrecy of the corporation spying on the individual.
If MilitaryIndustrialSpy wants to find all people with strings that match "cocaine" or "homosexual" or "botulism" and report back the matching hash to CentralSpyAgency or BlackMailersAnonymous, the individual has no way to know why a hash or what hash value was passed back.

Trust us, we're with the {government|corporation} and we're here to help {prevent terrorism|prevent cheating} just doesn't fly.

Ari HeikkinenOctober 13, 2005 8:38 PM

Here's another point: just as you go to a shop and pick a music CD you expect to play it anywhere you like and whenever you like, the same goes for a game you pick from a local shop. You expect to install and play the game, nothing more, nothing less. What you don't expect is for it to spy on your computer for programs you run. I'm amazed some people accept this. I'm even more amazed some others think it's ok to do it if there's a hidden notice on some website saying so.

Davi OttenheimerOctober 13, 2005 10:36 PM

@ Ari

Yes, that's a pro-consumer perspective, but in the latest software company model revenues are expected to boom short-term if a company can track and trace customers to analyse their behavior and then force-expire licenses (i.e. the "subscription" model) while blasting them with targeted marketing. Some say it's just smart business, but there's a point at which it becomes social engineering and consumers are out of their league -- unable to make truly informed decisions.

packratOctober 14, 2005 12:38 AM

Cute. So, any guesses on how long until we see countermeasures? I haven't done any low level Windows system programming, so I don't know how difficult it would be to write a wrapper for the WoW process that intercepts the calls, but I'm pretty sure it's at least possible. Perhaps something similar to the way applications are made "portable" for use on removable drives?

Christian KaiserOctober 14, 2005 3:10 AM

@packrat:

yes, it can be circumvented by injecting a DLL in each process, which watches call into the Toolhelp library, and returning just the "irrelevant" processes. Hiding this DLL from detection is a much harder task though, if not impossible.

Blizzard could counter with checking the API address and first bytes of code of the toolhelp APIs.

...and so on.

Unfortunately, the energy used from both sides could be spent so much more worthy elsewhere...

Christian

KesxexOctober 14, 2005 4:16 AM

Another online gaming company (Mythic) is showing TOS and EULA every time and allows them to be skipped conveniently once read (or scrolled down at least).
But when changes are in the engine reverts to show the new TOS and EULA from start again.

There are ways to bring changes to the attention of the gamer. That the gamer is not capable to read (in a text based chat game) is his/her own fault.

The situation is similar to driving a car. The car could be surveyed by government anytime anywhere - having the car (or even driving it) is consent enough to allow this operation. And this is sometimes done by private operations.

Ian EiloartOctober 14, 2005 4:59 AM

Think about some of the questions that could be answered from the information that WOW collect. Let's assume that the hashes *are* being sent back to the server, and we assume that they're being stored.

Now, the hashes could be used to answer questions like: has "x" done "y", where:

"x" could be an individual WOW user - say a person under investigation who have ever used WOW. Or, "x" could be a set of WOW users - say all those in a particular jurisdiction, or all of them.

And "y" could be "run a particular file sharing program" or "emailed a particular address" or "read an email from a particular address" or "read a particular web page".

How easy would it be for you to end up on a security service watchlist if this were done? Compare the PATRIOT ACT and libraries, for example: http://snipurl.com/xn9

AnonymousOctober 14, 2005 6:57 AM

No info that can be linked to someone ?
How do they know which account to suspend then ?
I assume that, if they know which account, then this is linked to a name, or credit card, or.....
That sounds like personally identifiable info to me, unless they're using egold or something similar, which sounds very unlikely to me.

KnaveOctober 14, 2005 7:40 AM

Well, yes, it's spyware. It's a shame that they feel they NEED to do this. But, given some experience of online games being broken by people cheating, I believe that they do need to do SOMETHING.

This non-disclosure policy of theirs might have caught a few early cracks and discouraged a few more attempts. But, now they've been caught and will doubtless pay for it in the resulting outcry - assuming anyone cares enough to vote with their wallets.

But really, you either have something like this and have a game, or don't and have a farce.

Hopefully having caught them at it will lead to them coming up with less intrusive ways of detecting cheating, and lead to game manufacturers learning to clearly state the consequences of play.

Liberty and Eternal Vigilence and stuff.

Red_BlueOctober 14, 2005 8:46 AM

This is actually very common practise in the online gaming industry and in addition to game developers themselves employing these spyware scanning techniques, there are entire companies which specialise in "anti-cheat" development (Even Balance of Texas for example).

Security through obscurity approach and refusal do discuss the scanning details, instead pointing to obscure, vague and potentially unenforceable EULA terms is a common theme. It's important to the counteranticheat authors to detect the spyware code and especially any changes between versions, so that their countermeasures to defeat this spying is effective.

The latest anticheat spyware across the board uses similar coding techniques as malware in general, polymorphic code and several layers of encryption, all in attempt to hide from the spyware detectors (obviously the hacks exploiting the game engine do the same to in turn hide from the spyware, but the game hacks and the anticheat hacks are usually entirely separate for performance and other reasons).

Many try to make the point that this spyware is not intentionally attempting to steal information unrelated to the game, but even if that's true, it still leaves the highly advanced, IDS and virus scanner evading spyware code with its delivery infrastructure open to both exploits by other malware authors (once the code authentication is circumvented, which is being actively researched by the antispyware and gamehack coders) and also due to accidental bugs. It's nefarious just to have a spyware system for "legitimate" use, because it will eventually lend itself to abuse. This is the same argument that goes against DRM, even if it's there to "protect copyright", it can and will be used for censorship and hijacking of legitimate resources.

Personally I detest any violation of privacy and property rights of a computer user, even if it's done to enforce some "game rules". I'd be willing to accept a client anticheat system only if it was open source or otherwise the technical details with respect to what it actually scans for and how was available to the user, from the game developer. It should also immediately inform the user when it raises a violation, so that the user would be able to contest false positives and otherwise to take action to remove the offending code from execution. The most insideous feature of the current anticheat codebase and employment practise is that the violations are reported in secret to the administrators (secret as in spied without informing the user when it actually happens, as opposed to about the mere possibility in some EULA) and any punishment (extra monitoring, banning the user account or even banning the whole machine with hardware fingerprints) is dealt afterwards, maybe weeks after the alledged violation. The user is not told when he alledged violations was "recorded", how, what "hack" was alledgedly detected etc. And there is no appeal and no acceptance of fallibility by the game company (our spyware is perfect, it makes no mistakes and we will not discuss why it banned you). This level of disparity between the rights of the paying customer and the game developer would be very troublesome even if no spyware was involved (like when the admin process was entirely manual and based on human observation by logging in the game servers).

I think the only ethical anticheat system is one, which runs code only in the game server and stays entirely out of the user's hardware. This would also allow OSS clients and free modding rights with the clients. The reason why game companies are unwilling to even consider this is that running any hack detection (even statistical and/or based on heuristics about "valid" input to the game server) requires CPU cycles. If this detection is ran as spyware in the user machines, it's the users who need to buy faster machines to take the extra load. The game servers are mostly run by the game companies and writing heavy server code which makes exploiting the game engine more difficult, requires much more computing resources from the server. So in the end there is a huge economic component in the decision to run the hack detection as forced malware in the user machines against their will and in most cases without fully informed user knowledge.

BrianOctober 14, 2005 9:59 AM

can anyone think of a few ways to get people auto banned (if even temporarily)?
I know I can (using IM to open windows with names in windows header that will trigger a hit on warden's ban list for one, ie IMname - WoW# or WowSharp) Use this method to thwart/DDOS your online competators (ie get them auto banned temp.)

far craftier ideas can be conceived im sure.

PJOctober 14, 2005 10:12 AM

Brian, I was just thinking the same thing. Better yet, have some javascript ona popular WoW page that opens an invisible window with the incriminating title.

The best defense is a good offense - I think flooding crap detection systems with innumerable false positives is an oft overlooked strategy for getting said detection system revamped/removed.

Henning MakholmOctober 14, 2005 11:13 AM

> Well, yes, it's spyware. It's a shame that they
> feel they NEED to do this. But, given some
> experience of online games being broken by
> people cheating, I believe that they do need to
> do SOMETHING.

How about "something" being hardening their protocol such that whatever "cheating" they are worried about gets rejected by the server? It seems to me that the underlying error is that they try to trust code being executed on the customer's machines to further their interest rather than the (particular) customer's. They then end up resorting to offensive and kludgy attempts to control what the customer is running instead of fixing the monumentally flawed architecture that created the problem in the first place.

jblOctober 14, 2005 12:30 PM

Thanks for the heads up. Now I know if I really _have_ to play a game, I'll do it on a dedicated machine that has network software and the game only, and leave all the sensitive stuff on my normal working machine.

More and more that's the kind of thing this sort of spyware is driving us to do.

/JBL

KevinOctober 14, 2005 12:41 PM

This is incredibly stupid. Blizzard should simply set up a drop-box where gamers can submit hacks (in the form of instructions or executable code). Blizzard should reward a $1000.00 check to everyone who submits an un-fixed hack (up to $20,000 per hack or until the vulnerability has been patched and made public).

This puts the hacker in an odd position: "I've discovered this hack. The longer I wait to tell Blizzard about it, and the more friends I tell, the less likely I will get a $1,000 check."

As they say, money talks.

One can imagine particularly skilled hackers able to make a comfortable living off the practice - while at the same time making the practice far, far more difficult to malicious hackers.

Looking at the complexity of their current anti-cheat system, I cannot imagine that Blizzard would lose money on this alternative.

Too much spywareOctober 14, 2005 1:13 PM

@Toby Hede
I agree. If companies are going to introduce spyware like this into games, it needs to be clearly described on the packaging. This way, the buyer can decide if they want to agree to installing spyware BEFORE they purchase the game. I can't imagine anyone searching out EULAs on company websites before buying the games. I suspect that you would have a simple case to get your money back after opening the game, since the EULA T&Cs that require agreeing to installation of spyware is only available after "breaking the seal".

Regarding Blizzard, they need to get some programmers that know how to develop software that isn't so "open" to cheating. The spyware that they install seems soooo much like such a kludge I can't believe they actually think this is a vaible solution. They should have designed the software proper from the beginning.

On this topic, companies need to design online games that connect to a single domain on a single specific port (don't know about WoW). This is basic freshman 101 network client/server programming here. This would make it much easier to work with firewalls (whitelist, schedule access, etc). There is no technical reason this can't be done, it is simply more lazy programming (lazy companies). I did some checking on the online game City of Heroes (Villians) and this game requires a ridiculous list of ports to be open on the firewall in order to work. Their FAQ actually suggests bypassing or turning off your firewall to get the game to work! Unbelievable! Needless to say, I won't be buying this game (much to the disappointment of my children).

JemaleddinOctober 14, 2005 2:03 PM

What disturbs me isn't some concern about Blizzard: it's that Windows is allowing any old process access to every other process! Whose idea was that? Is something like this possible in other operating systems? Please tell me that MacOS or linux is smarter than this.

Pat CahalanOctober 14, 2005 2:06 PM

My problem with this is that the widget used could be exploited itself in a way the designers never considered. Hack the widget to send non-hashed information (and more of it) than the original designers intended, and someone can gain quite a bit of useful information using a tool that is trusted by the system.

This is bad risk analysis -> the tool is designed to prevent clients from hacking the game, but the tool itself isn't evaluated for possibility of misuse.

A ridiculous example -> give a cop a nuclear weapon to arrest a subject. It might work, if the suspect thought that the cop would actually use it, but it's way out of scale :)

I agree that online gaming companies have a responsibility to their communities to make the game enjoyable, and I'm glad that they take this responsibility seriously, but this is obviously not the right solution for the problem.

JoshOctober 14, 2005 2:07 PM

Sure glad I stopped playing WoW and uninstalled it, reading all this kind of pisses me off they did something like this with out stating it.

And anything I don't know about that is installed on my comp is spyware and doesn't really make me to happy, no matter what it does. They needed to state this when I installed it.

LarryOctober 14, 2005 10:08 PM

Interesting, but not surprising, that any program can jump process boundaries that way. Makes me feel real secure running Windows.

Miss_LainOctober 15, 2005 2:12 AM

"Next, warden opens every process running on your computer. ... I watched warden open my email program, and even my PGP key manager."

Why must a game/company scan open programs/processes completely unrelated to WoW? I can understand their checking for suspected programs on their banned list and matching up data patterns, but why personal email and personal finance programs? Why resort to reading text from open windows, again from programs completely unrelated to WoW?

Granted, it's reported that no personal information is retrived, but a couple of unanswered questions remain. What is done with the retrieved information once is has reached Blizzard, assuming Blizzard is the destination? Is the data analyzed and immediately deleted? Or is it stored on Internet connected machines that someone with an unscrupulous initiative can hack into? It's not the machines holding the collected data that scares me, but what happens when someone of ill intent gains access to potentially vast amounts of data gathered from millions of computers.

If something is prowling around my Personal Computer, I think I have a right to know what is being sent back home. Maybe it isn't everyones definition of spyware, but a program that doesn't divulge exactly why or what it is doing is a form of spyware.

da chickenOctober 15, 2005 4:05 AM

If my understanding is correct, Warden does the exact same thing as Valve Anti-Cheat (VAC). It scans memory for signatures of known hacks and does checksums on game files. It's not reporting any information to Blizzard except when it detects something bad. The only personally identifiable information it gathers is the account name. Warden only runs while WoW is running. It's not scanning your browsing habits (Blizzard doesn't have direct advertising), doesn't gather passwords or bank account numbers (this is blatantly illegal), and doesn't scan for your 80 GB of cracked games and RIAA/MPAA media. Warden is a *feature* to protect users from playing in an unfair (and not fun) environment. Or does nobody remember the Diablo days of Battle.net?

Why does it open every process? Because it indiscriminately opens every process and checks if it is a known hack. It doesn't care if it's outlook.exe or firefox.exe or bittorrent.exe. It scans every process looking for known hacks.

If you're not willing to agree to allow Warden to scan your PC for WoW hacks, ** don't play WoW **. You read the EULA and the ToS and agreed to it. As Mr. Wonka said, "it's all there, black and white, clear as crystal". Blizzard is protecting their multibillion dollar game network ** and your gaming experience ** by ensuring that all participants in the game aren't hacking.

It's Blizzard's game, Blizzard's network, and Blizzard's rules. If you don't like it, DON'T PLAY.

AnonUKOctober 15, 2005 6:36 AM

This is an excellent way of highlighting the legal aspects of software licensing and the liability-shifting-doging of software vendors. The more litigation around this the better, the more EFF and individuals alike who can afford to fight these types of things the better. From the perspective of Blizzard they wan to protect their revenue and take-up of the game, but can we trust them to protect our privacy?, no, changes of management or ownership or business case could effect this 'trust' considerably, and who is to say that bliazzard wouldn't utilise and sell this data - other organisations do (*this is conjectured here but search legal journals et al to find the truth). In the US the corporations own your data, in Europe, and specifically the UK, the company is a data processor/controller, and you are the data subject, they have to have your consent for everything they do with that data and follow strict guidlines. They have to keep the data they hold on you secure, and it has to be accurate, and for lawful purposes. So whatever the EULA, you still have many legal rights (in the UK). If this is spyware, a backdoor as such, it has to be made clear that you are authorising this, otherwise I would argue that it is unauthroised access. Also if you have agreed to their cloudy terms, in the UK (Human Rights Act), you have a right to privacy, and that right is quite clearly being challenged. It's back-door into your computer, you have trust the company, and its polcies, practices, ethics, and all those others involved. What guarnatees are given. Hm......

LarryOctober 15, 2005 7:09 AM

There are at least two issues here: privacy and OS security. I'm concerned that the OS does not do a better job of fencing the processes. If this can be done in the name of DRM, what about other "programs" that can climb aboard and mess with your other processes?

The next questions are, *how* do they do it? ...and *how* can we stop it? Is this the Windows' Ring 0 problem at work? If WoW can do it, so can those with less honorable intentions. I see this as HUGE. Yes? No?

Red_BlueOctober 15, 2005 9:23 AM

It's trivial to read memory belonging to other processes in Windows from userland by invoking standard kernel services, no need to write your own driver for it. This can be done for example by using "ReadProcessMemory" from Kernel32.dll.

Y Pennog CochOctober 15, 2005 9:58 AM

So Warden scans your whole computer, and that _looks_ bad. Very bad. But unlike a policeman, or a workman fixing your house, Warden can genuinely forget what it has seen, before telling anyone else.

Does Warden send personal data back to Blizzard (someone check the network packets please)?

Does Warden keep a persistent record of its searches, detailed enough to include personal data that other programs might steal?

Until evidence to the contrary appears from a reliable source, I believe that the answer to both questions is NO, because there is no need for Blizzard to do such things.

If the answer to either question turns out to be yes, then and only then should the shitstorm begin.

Meanwhile, there is an issue of informed consent here, in that most people don't read the EULA. Perhaps EULA's should be followed up with a multi-choice questionnaire on their contents before installation continues. Something as simple as "What is the security process called?" and "What does it do?".


LilBambiOctober 15, 2005 10:12 AM

An earlier comment stated "Imagine I walk into your house without your knowing. I don't take anything with me, just have a look around. And remember some things. It's not stealing, right?"

No that's not stealing. That's criminal tresspass, possibly Breaking and Entering (B&E) depending on the circumstances of the entry. And it might be considered 'casing the joint." ;-) If so, that would constitute illegal entry.

The ends doesn't justify the means.

Red_BlueOctober 15, 2005 10:36 AM

"Does Warden send personal data back to Blizzard (someone check the network packets please)?"
Blizzard already has the personal data of the user. What the Warden module sends, at least and based on reverse engineering, is information about what that particular user does with his/her own computer in addition to running the game. This is certainly personally identifiable information about private behavior occurring entirely inside the user's premises.

But Blizzard is not willing to discuss the details _AT ALL_. It's worse than a normal adware type of spyware vendor, because they at least try to tell some story about what their software does, after being pressed about it.

It's also interesting to note that in some countries the law strikes down any private contracts (EULAs), which prohibit private hacking of software (modifying a game with your own code for example). It's an inalienable right of the consumer to change the software in any way he or she wishes, as long as the changed version is not distributed.

If the said software tries to effectively prevent this by sending an alert to the software company which then remotely disables the software and breaks the contract (banning from servers), it's against the basic principle of the law, even if not the letter.

LBOctober 15, 2005 9:29 PM

What about if someone hacks windows? What if they hack the library call that warden uses? This would then return the list of programs would never include any of the suspect ones. A user trying to hack their own computer can certainly do this.

This is a really stupid way to proceed. Hasn't Blizzard learned anything about securing games? They knew WoW was going to be online when they started it, why didn't they bother with proper security?

I like the $1000 per hack suggestion. That means that the hack authors can get money, and it will help blizzard guard against that hacks. It may not work though, as people want to hack, not out of monetary incentive, but subversive drive.

Ari HeikkinenOctober 15, 2005 10:21 PM

I guess it would be futile to point out that windows wasn't designed security in mind, its access controls are a joke (there's like 10 ways to get around any security feature on it by abusing bad filesystem, registry or other permissions), any windowed application has complete control over the desktop and all other windowed applications (it's possible to enumerate all windows, spy on their content and window messages, send any window message to any of them and it's even possible to draw anywhere, either to individual windows or the desktop window itself). And what's worst, it can't even be fixed without breaking most of the applications people use.

!October 15, 2005 11:42 PM

Anyone who uses closed source proprietary software and expects some degree of security is a fucking fool.

Red_BlueOctober 16, 2005 12:55 AM

>Hasn't Blizzard learned anything about securing games? They knew WoW was going to be online when they started it,
>why didn't they bother with proper security?

It's not so much about Blizzard not having learned something which others have, it's a cultural thing prevalent in all multiplayer games. There is a false presumption that the game maker could or even should be in control of the client software which is running in the user machines. It's an entirely impossible proposition, basically to design a "hardened" application with present day (DRM/TCPA-free) hardware in a scenario where the adversary has more rights than your application (root of their own machine) and also physical access.

For any multiplayer game to be cheat free (or at least to limit cheats to various bots), the only trusted code must be the server. But this is a huge performance problem, because a server must be able to cater to dozens (or even hundreds) of users and so carry only a small workload fraction of each player interaction. This in turn leads into giving the client control over many things which for security point of view should not be given to the client.

For example, information about the other players is sent to the client even when the client has no need for them (the high cycle demand filter in deciding which "enemies the player sees" is in the client, the server may send data about all of the players in each "map", "field", "realm" etc.). Also the client is left to decide how weapon shots are resolved (limited accuracy, perfect accuracy, "ammo", "hit points", etc.).

So the basic answer to the cheating problem is just putting more functionality to the server side of the game, perhaps scaling the server side code better for a more distributed server system (so that instead of having to buy 3x more powerfull and 10x more expensive servers, the game hosters would need to just buy 4x more cheap servers).

ChrisOctober 16, 2005 5:33 PM

Some people seem to think that this works only because of a typical Windows flaw. That's not quite true. I know little about Windows but I assume most of that e.g., reading a title bar, is much easier with Windows. However, most Unix-like systems provide ptrace() which allows to read and write the memory of any other process running under the same UID (excluding set-uid and set-gid-processes). Further there are tools like ps, netstat, lsof, fstat etc. Also, all graphical apps on the same X server/session can intercept user-input and see what's happening on the screen. It's certainly not a bright idea to use the same account and X server/session for gaming and working. Last but not least, if you install apps as root - which seems to be state-of-the-art on most Unix-like systems - they can install and do whatever they want anyway.

BonziSamuriOctober 16, 2005 9:14 PM

Bruce,

As someone who has worked in multiplayer game cheat prevention, I have to fully disagree with you. Every major game on the market today comes with an anti-cheat program that scans the computer constantly for exploits. This is a fundamental requirement for every online game today. The games that don’t include cheat prevention are the ones that disappear after 6 months.

I am not sure how familiar you are with the Half-Life series of games, but the primary reason that those games are still popular is that the game creators and several very dedicated third parties have invested huge amounts of time in developing programs that do exactly this. As for the privacy concern, I don’t see it. Since you are allowing Blizzard to run arbitrary code on your computer anyways, you are already running the risk that some disgruntled employee might put in a hidden fdisk routine or other backend. That is the fundamental risk you run when you run someone else’s code on your system, if you want to play an major online game, you simply have to accept that these people are neck deep in stopping the current batch of exploits, that they simply don’t have the time to “spy on you��?. Plus (as someone else said) Blizzard already has your credit card number, so you should be more worried of someone hacking their accounting server, before you worry about Blizzard “spying on you��?.

As a final comment. This entire thing reminds me of a few years ago there was this big hype that anti-virus companies created viruses just to increase their products sales. The suggestion that game developers today are engaging in similar mass fraud is as crazy as the idea that anti-virus companies write viruses.

Joe GesterOctober 17, 2005 3:15 AM

Many of the actual cheats that exist for WoW don't even actually touch the WoW.exe process itself. Largely, these cheats are not due to the insecurity of the client but are due to players unfairly automating gameplay by simulating mouse clicks and keypresses.

They do things like watch the screen buffers and detect color or movement to automate in game gathering. Or simulate key presses and mouse clicks to repeatedly walk a character over the same path, performing the same actions over and over again.

For example, a fun thing you can do in WoW is go to the beach and do some fishing. The character casts the line, a fish bites and the player reels it in. You can use the fish in various ways; they are valuable commidity. This process was hacked by searching the screen for the the image of the little red bobber that the user needs to click on to reel in a fish when it's on the line. When the hack program found it, it would simulate a mouse click on the bobber and reel the fish in.

This cannot be detected by the server because it doesn't use any information the client shouldn't have. It can't be detected by the client because it doesn't actually touch the client's process except through the windowing layer just like the mouse and keyboard do. Removing the capability of programs to generate key presses and mouse clicks would be problematic at best and probably impossible. There is no other way to handle this problem but to detect the program that does it and ban offending accounts.

Other similar issues exist because of the way graphics hardware works. "Wall hacks" plagued Halflife and Counterstrike. They worked by making the walls of the game level transparent so that one could see other players hiding behind walls or other cover, a tremendous advantage in an FPS game.

To fix this by pushing the computations to the server would be completely untenable because of the sheer computation involved. Determining whether or not a character is visible requires rendering the entire scene from the perspective of the player. The server would basically require the resources of a full client client computer for each connection to the server. It would be uneconomical to run the game. This cheating was only corrected with the creation of PunkBuster (a very similar program to Warden).

The idea of a secure client isn't really a sustainable one and I'm sure Blizzard knows this. But to make the game a pleasant experience for the players who aren't cheating, measures like this must be adopted. Otherwise these games rapidly become unplayable.

When PunkBuster came out for the Halflife engine, it was rapidly required by virtually all server administrators. Halflife's engine wasn't run on computers hosted by the publisher but on individual player's computers. There was no furor because the problems with cheating clearly needed addressing if players were going to continue to play the game. The players chose to send their information to the server and keep playing.

While Blizzard hasn't seen the sort of problems Halflife experienced yet, they will soon if such a system isn't put in place. Unfortunately, active scanning for cheating seems to be absoultely necessary for any game of sufficient popularity.

ChrisOctober 17, 2005 10:23 AM

Maybe the central issue is really that people using their PC for too many things. If WoW was a game for a console "spying" wouldn't be possible or necessary but even if it did check for cheats, modifications, helper apps etc. nobody would care. I'm relieved that I have zero interest in playing computer games nowadays. Cheating seems to be a big issue and I absolutely understand that some counter-measures are necessary. However, why not let the user decide whether the watcher should be active on his machine or not. Users could then decide whether they want to play with people that have the watcher deactivated or not. Ok, if a MMORPG really simulates a single world that might require running two parallel worlds.

afxOctober 17, 2005 11:42 AM

There's a wide range of these programs out in games today as people above have already mentioned. What they gloss over or are unaware of is how time and time again they just act as paper wall.

Many variations on the idea of a cheat detector have been implemented and all of them have been broken. Some act like warden, others hook functions or scan files, dir listings and loaded dlls. Some are rolled 'hackaproof' solutions which do all the above and pack the exe to further prevent reverse engineering that are sold to the game makers for large sums.

In the long term however they are just stumbling blocks. They obfuse what they do, how they detect and how they report. The better they are at this the longer they work as advertised, but its never forever. Once someone has figured this out, it usually takes a few days to a month before its fairly wide spread how to defeat it. Sometimes you can just bypass it, sometimes you can disable it, replace it with a fake, feed it false information, or prevent it updating so it can't get access to new fingerprints for newer hacks.

It becomes a placebo for the consumers who, generally, can be compared to the general public when it comes to anything technical to do with computers. They see it updating, they see it scanning, they see big labels 'secured by programx' and they feel safe knowing no one has a greater advantage then they do. The only solutions that have worked to a large degree use a tool like this as a deterent to the casual cheater while using more stateful server code to detect any impossible behavior.

So all you're left with is a program that every 15 seconds scans the titlebar of what you have open, examines preset memory addresses, hashes all that data and compares it, which runs on millions of computers per day for hours on end.

Things like this drive the computer hardware market. Ten years ago that sort of thing would have been stupid to even suggest.

Of course the whole black list of hashes has its problems. Who knows what blizzard could put on their list? How about macro programs from small companies. If you want to play WoW you can't use programs x,y,z. Whats to stop the next company going one step further for the 'sake of security' and sending back all hashes of running programs or banning rival products outright?

Like someone mentioned above, flooding these sorts of systems with false positives is usually easy and a way to make the companies and developers realise they aren't the magic bullet assuming they weren't aiming for the placebo effect outright. Name your next WoW hack some common program name. How does it report a detected cheat? Does it send username/ip/cheat hash? Does it check all these fields and confirm them? Where does it send them? Can it be faked or flooded with nonsense?

Keeping what it does, even a general overview of how it runs, detects and reports a secret just seems to scream trouble.

ChrisOctober 17, 2005 12:46 PM

I wonder how long it's going to take until the first virus/worm appears which causes WoW to detect a "cheat tool" and locks your account up. Maybe you don't even need a worm for that, just make your victim visit an URL which the "wrong" title into the browser title bar or maybe there's even a flaw in WoW which allows to trigger a false-positive from inside the game.

Too much spywareOctober 17, 2005 5:51 PM

@Larry
@Ari
@Jemaleddin
@any others that commented on Windows Security...

The problem is not the Windows OS. In fact the Windows can be _very_ secure. The problem is the lazy programmers (and companies) that write software that can't run in a secure environment.

I don't have WoW, but I know of many games that will not run when logged in as a user with restricted (normal) user rights. I have found that most games will only run if the user is logged in as the administrator (or a user with admin privileges).

Is this a problem of the OS. NO! This is a problem of lazy programmers writing crap software that has to run with administrator privileges.

Does anyone know if WoW has to run with administrator level privileges? I would expect it does!

Red_BlueOctober 18, 2005 2:35 AM

>To fix this by pushing the computations to the server would be completely
>untenable because of the sheer computation involved. Determining
>whether or not a character is visible requires rendering the entire scene from
>the perspective of the player.

Not true. Whether the target is visible to a given player can be resolved to a sufficient accuracy with a much simpler ray tracing algorithm using a coarse wire mesh world, the kind of stuff that was already possible before the C64 time. It is already done by the "other side" in aimbots which have adaptive tracking (check whether they are attempting to track a target which is behind a wall for example, just to lower the "cheating profile" observable by the other players).

Also, it is indeed entirely possible to some extent combat bots in the server side by employing statistical analysis. The kind of WoW "fishing" exploits you mention as well as "too perfect for a human" targetting in FPS games can be effectively countered with moderate cycle expenditure.

Because some of these systems are not deterministic enough, they would probably not work with the "silent banning weeks after violation" policy, but would have to just filter "offending" user commands until the performance returns to values not exceeding much the best "likely human" responses recorded. I think this would be much better anyway, so that it would control just game playing behavior and not drive potential cheaters to also obtain the software and accounts fraudulently (which is the result in banning users instead of hacks).

Like I mentioned already, the problem is not unsolvable solely in servers, it just needs somewhat better servers. It's a business choice to impose unethical and potentially illegal spyware, instead of making more secure games.

I'm afraid this balance is not likely to change until the spyware delivery systems are compromised for other malware in a big way and some game makers sued. There are credible plans in motion in the game hacking community to pull off exactly that. In my opinion the hard (an unapologetic) line chosen by BonziSamuris and their camp is what drives the constant escalation of the situation. The anticheat community is making it personal by effectively attacking people and not code. It cuts both ways and just leads into a harmless game fun being turned into a blackest hat painting competion.

Joe GesterOctober 19, 2005 6:54 PM

I doubt that anyone will read this post now that the parent is off the front page... but oh well.

>Not true. Whether the target is visible to a given player can be resolved to a sufficient accuracy
>with a much simpler ray tracing algorithm using a coarse wire mesh world,
>the kind of stuff that was already possible before the C64 time. It is already done by
>the "other side" in aimbots which have adaptive tracking (check whether they are attempting to track a target
>which is behind a wall for example, just to lower the "cheating profile" observable by the other players).

I am familiar with this technique and I was under the impression that it was not adequate without the advanced information about player heading, field of view which only the client has. That is to say, it is faster because it already has much of the required information precomputed. This would not be available on the server. Even if this were a speedup, remember that on the server these computations must be done for every player against every other player and that (in the case of halflife anyhow) the server cannot be assumed to be running on faster hardware than the clients. I'm not convinced that this would work. You may be right though. I'll have to read up more on that technique.

The issue of "too perfect for humans" has been a commonly proposed countermeasure and certainly works against naive hacks but can be countered simply by making the software not preform perfectly (adding random delays, intentionally missing, etc). The simple response hackers would've used in the fishing case would be adding a random delay before clicking in a slightly randomized location.

Cheating like this will always devolve into a race between the cheaters and the anti-cheaters. Even if the games were made more secure by pushing large amounts of the fuctionality to the server, avenues to cheat would remain open.

Finally, I couldn't disagree more with the idea that the spyware delivery systems are somehow more vulenerable to malware than the game itself. I'm not entirely clear on what you mean by this premise. Warden is delivered entirely through online updates to WoW itself and is makes that protocol no more vulnerable than it would be otherwise. While, yes, it would be great if the game itself were more secure than it is, it would also be great,if my web browser were more secure or my email client or my media player. Since lawsuits don't result when the any of these applications are the target of malware, what is different about anti-cheat software?

Red_BlueOctober 20, 2005 2:01 AM

>I am familiar with this technique and I was under the impression that it was not
>adequate without the advanced information about player heading, field of
>view which only the client has.

If you are going to calculate the target visibility for each player against each other player, then you would not need info about the player heading or FoV (just location). On the other hand, if the client is changed to send this information (low bw requirement), then you can limit the calculation to targets which are within these parameters and lower the required computations to a fraction of the player population for each checked player. So the methods you describe are mutually exclusive

>The issue of "too perfect for humans" has been a commonly proposed
>countermeasure and certainly works against naive hacks but can be
>countered simply by making the software not preform perfectly (adding
>random delays, intentionally missing,
>etc).

But then the countermeasure works. I propose that the objective of the anticheat system would be to remove or limit the unfair advantage, not to ban and personally attack the cheaters (users) or hackers (coders). If the effectiveness of technical cheating is reduced to same as using 14 hours a day to play the game (as opposed to using a lot of time to code your own hack) and gain unfair advantage that way, I think it works just as it should.

>Cheating like this will always devolve into a race between the cheaters and
>the anti-cheaters. Even if the games were made more secure by pushing large
>amounts of the fuctionality to the server, avenues to cheat would remain
>open.

Sure, there is no way in stopping cheating completely, even with free clients and server anticheat code. This is part of my point actually, because pushing the attack to the clients and banning users without recourse instead of targetting hacks has not and will not solve the problem. It's overkill and it has many drawbacks. Why not eliminate all of the undesirable side effects of anticheat development and enforcement, and just reform the battlefield into a confrontation between the server side filtering code and the hackers. I'm just proposing to remove collateral damage, not that server side filtering will make the hacking problem go away entirely.

>Finally, I couldn't disagree more with the idea that the spyware delivery
>systems are somehow more vulenerable to malware than the game
>itself. I'm not entirely clear on what you mean by this premise.

The game itself is updated very infrequently and the update mechanism is of no interest to the hackers. Also, there is AFAIK no interest with the game developer to hide from the user that an update is being offered and conducted (at least if it doesn't include any anticheat code, if it does, then it's part of the spyware problem).

OTOH, the spyware side is made to mimic the hacks in avoiding detection (or more accurately, detection of changes which will add more elaborate scanning). These same measures; encryption, polymorphism (changing between runs, being different between client installations, etc.), anti-debugging features (limiting functionality if ran under an IDE or kernel sandboxed environment) are used by trojans and worms to avoid detection by IDS/antivirus programs.

I'm worried that after someone breaks the code authentication of the game to check if the spyware update is valid (which will most probably necessitate reversing the above described "countercounteranticheat" properties), it will result in a trojan which will take all these fancy "developed with highly paid top of the line people" features and add some extra evil code which will go beyond the game. That way, the trojan attacking the gamers disguised as a "Warden module", will be much more difficult for typical clueless users and even the antivirus companies to quickly develop a defense against. Basically, it will shut the whole game down for months, potentially create millions of spam relaying zombie machines etc.

The basis for the lawsuit will be in traditional tort law. The game came with highly evolved and aggressive spyware and the data protection risk from this functionality was not communicated to the user with proper means (vague EULAs don't count) and this caused the property damage/liability/loss of Internet services etc.

Everybody knows that Windows is full of security holes which are being patched once a month and exploited all the time. What game users don't know that well is that the game companies are using more and more advanced measures to take complete control of the user machines, against code which is ran by some users themselves in the privacy of their own homes with their own equipment. I'm sure Microsoft would be sued in an instant if Windows sent to Microsoft servers alerts when it finds Linux dualboot in the drive and then refused to boot after that (this is exactly what the spyware anticheats do).

TimOctober 25, 2005 10:26 PM

The fact remains. If you dont want them to scan your computer dont install or if you have it installed, uninstall it, and shut up. Dont play the game.

Cyrus NajmabadiOctober 26, 2005 6:54 AM

Red_blue: "But then the countermeasure works. I propose that the objective of the anticheat system would be to remove or limit the unfair advantage"

You're incorrect here. The countermeasure has *not* worked as the "cheater" still has a significant advantage over a regular person. What's the advantage? That they can run cheating app non-stop (like while they're sleeping) to have their character do things like collect resources that they would have normally had to work for themselves.

And no, you can't just say: "well, if the character is doing such and such an action for 8 hours straight, then it's cheating". Many people (including me I'm ashamed to say) have easily spent that much time straight through doing one of these tedious activities.

These kinds of apps give a significant advantage to cheaters as they now allow them to level up and obtain resources *without* actually playing. This is completely unfair to people who do invest time in this game, and these actions should be banned.

Unfortunately, as you seem to realize, it's pretty much impossible to detect this sort of thing from the server side (unless you have evidence otherwise). The connected-computer doesn't appear to be non-human (since the app doesn't do anything crazy, it just automates boring tasks that a human would have to perform themselves).

So what do you do about such a thing?

You could ignore it. Wave your hands in the air and say "sorry, nothing can be done", and then watch your online gaming service fall apart since people get fed up with cheaters (which we've sene happen on many occasions). Or you can be proactive about it. Invest resources in ensuring that people are abiding by your TOS.

For people who are abiding, there is no damage whatsoever. For people who are not... well... really... why should we care about them?

They're cheaters. They're people who are violating an agreement. And, in the end, all that will happen is that they'll be banned from the game servers.

OvinomancerOctober 26, 2005 7:52 AM

The issue of The Warden being potentially harmful doesnt need to be debated anymore. If you are concerned about what info The Warden collects you should close every other program and close all processes that you know you dont need. And if you dont know what you need and what you dont, DONT post on this blog and act like you know what your talking about.
Where is the friggin EULA that Blizzard agrees to everytime you connect because the third-party programs clients can run are more likely to be harmful than what The Warden does.
And I dont know about the anyone else but i surely didnt sign a contract with BLizzard saying i was going to pay for X number of months. IF YOU have a problem with what they are doing, quit the game. No one is physically going to harm you if you stop playing. Essentially people are paying their own money to have Blizzard run spyware on their systems. If you want it to stop, stop playing WoW. That is the real issue. you people are to addicted to do that, in that case they have done what they set out to do.
If you want to send Blizzard a message, quit paying for WoW and if enough people do it, they will lose too much money and be forced to agree to whatever will bring players back. Until then, stop complaing and grow up.

MatthewOctober 26, 2005 12:52 PM

"Once these strings are obtained, they are passed through a hashing function and compared against a list of 'banning hashes' -- if you match something in their list, I suspect you will get banned."

Who is to say that the "you match something in their list" is not a website you visited or a program you are using?

Everyone is completely right, under the EULA you agreed to install the program and if you do not want it then un-install the game, that does not make the potential of what "The Warden" could do irrelevant. Who is to say there won't be other programs/games to start implementing this to stop you from changing or modifying their program without their approval in the name of intellctual property protection.

You may laugh at this thought but look at the lengths the industry is going to to protect itself now.

It may not be so much what this 'Warden' does as to what other developers feel they could get away with due to the success/failures of it. The industry is already look at ways to also tailor advertising through games, maybe this is another way to do it, wouldn't that be a hell of a can of worms.

I can understand the need for the program as I am an avid online gamer in CS which has rampant hacking/cheating but how far do we let the developer go??

Interesting path Blizzard has laid out.

HehOctober 26, 2005 9:04 PM

It's simple... if you don't like the way they enforce the rules... don't play the game.

user0101October 30, 2005 2:52 AM

The game requires admin privileges to install. I just allow a normal user access to the WoW folder and run it with non-admin privileges. This works fine and hasnt impacted anything so far.

I have no idea how warden is launched (UID, etc) and how much power it has when i run it with non-admin accounts.

Installing the game as admin kinda defeats the purpose though..

"trust" is key here :)

s33kerNovember 9, 2005 1:07 PM

I play World of Warcraft avidly. But that fact aside, I believe that a scan of the computer as performed by the Warden under the context of protecting the experience provided by the game and in the absence of data collection is completely fair.

One of the concerns is that the warden will read personal information from window titles. Perhaps I'm alone in this but in order to increase in-game performance, I close all applications prior to launching the game. And if none of the data is sent over the Internet or stored on the computer, then what's the harm? In any case, I'm certainly not in the habit of multitasking my online banking and role-playing.

In the EFF post, the author asks how blizzard executives would feel if we went through their bank account, read their mail, etc. but didn't write anything down. This analogy is flawed because a human observer has a memory and retains knowledge of what it observed. It's "written down" in your brain and available for analysis and judgement. A computer that doesn't store any of this information doesn't have it "written down" anywhere, nor does it make it available for a human observer to analyze it.

Somebody above said they feel unclean knowing that Blizzard has been scanning their computer since they installed WoW. From my understanding, the warden is part of the WoW executable and, therefore, only runs while you're playing.

I do impact analysis and vulnerability assessment for a living and this one rates low on my scale. I'll be playing WoW tonight.

AnonymousNovember 11, 2005 11:03 PM

Blizzard is not perfect. I have been playing WoW since December and I have never hacked or exploited anything. As a legimate player I don't want Blizzard spying on me. Unfortunately about 2 months ago, I got banned for supposedly speed hacking. I told myself that it was just a mistake that Blizzard made. They refused to present evidence. All I wanted to do was just play WoW. I know now that The Warden probably searched my computer and mistook something as a hack. Blizzard saw and just assumed I was hacking.

ValerJanuary 4, 2006 1:25 AM

I am a WoW player,and i'm actually deeply concerned about this situation. i've noticed the program running on my computer and noticed that it does send information to some other IP source that i could not indentify.
If there is anymore that i can help please contact me via e-mail

AnonymousJanuary 4, 2006 5:20 AM

Think about it this way: YOU'RE PAYING FOR WoW. DO YOU WANT SOMEONE HACKING YOUR ACCOUNT?

Jeez, what's wrong with you people? It's not like you don't already GIVE THEM YOUR CREDIT CARD NUMBER. If you trust them enough to give them your credit card number and have them bill it, I think you should trust them enough to run a safety check on your system. Imagine what would happen if someone HAD ACCESS to your account, which is ALREADY LINKED TO YOUR CREDIT CARD (albeit protected by a million safety nets; but you're being paranoid, I'm not.). I think Blizzard's doing YOU a service by protecting you from hackers on their servers.

I don't even play WoW. But I would LOVE this feature in the Blizzard games I do play. Hell, I go out of my way to play on a ladder system that does this in Starcraft (PGT). What are you complaining about?

@THedglinJanuary 6, 2006 1:34 AM

This entire thread is useless.
The truth is warden is a program most likely on your computer if your reading this article. It isn't as necessary as they would have you belive but its there. Thats not going away, or changing anytime soon. Is it spyware? Perhaps so but we all installed it. The law doesnt protect the end-user just the company. Blizzard is not a poor company they could afford to host accounts on servers. They could also safeguard just the exe from outside intrusion. However, spying on us is cheaper and takes less time. Is it right or wrong, I do not know I do not have a degree in business ethics. But if they are harvesting info Its no diffrent than most spyware hash or no. If blizz is so worried about hackers why put your info out there to decrypt??
You have to admit it sounds pretty fishy. But, what are our alternatives, I can tell you im not boycotting anytime soon.

..January 10, 2006 11:15 AM

There is no conspiracy or ufo's behind this one folks. Just a company trying to pin down those reverse-engineers and cheaters that's all there is to it.

Pat CahalanJanuary 10, 2006 12:58 PM

@ Anonymous, THedglin, ..

This is a security blog, not a gamer blog. The question isn't whether or not Blizzard should take steps to make it difficult for cheaters to exploit their games, that's an economic problem for Blizzard to solve.

The issue is that the particular method Blizzard uses to enforce EULA compliance has severe security implications about which end users are probably not aware.

Moreover, the security question doesn't stop at, "Do we trust Blizzard not to use the potentially malicious capabilities of their spyware?", but includes:

"Do we trust Blizzard's programmers, after they no longer work for Blizzard?" (especially if their relationship with Blizzard doesn't end well)

and

"Do we trust that Blizzard's spyware is secure and that no one other than Blizzard can hijack Blizzard's spyware?"

It's a question of transitive trust.

MahealJanuary 11, 2006 8:44 PM

I don't know why Blizzard decided to tuck the "agreement" away in a verbose EULA that could gain a notorious image of malicious spyware (or potential thereof). They should present a blatent choice everytime you log in.

Would you like to:
A) Log into a server that runs Anti-Cheat software. This software will scan your computer and everyone else to reduce hackers and cheaters. Violators are reported to Blizzard

or

B) Log into a server that does not run Anti-Cheat software. Blizzard will not monitor or report anything on your computer, but you take the risk of others running hacking software.

This would eliminate issues from 1. People who don't read EULAS 2. People who don't like spyware. 3. People who want an honest game. 4. People who want to cheat. 5. People who think Blizzard is being sneaky/malicious 6. People who change their opinion after buying a game. 7. People who are unsure of the whole issue (they have to make a choice before login) 8. Running software that triggers false alarms. 9. Potential/perceived flaws in Warden.

I can't think of anything bad out of Blizzard outright saying "We can use anti-cheat software if you want us to. Which server do you want?"

Any thoughts on this?

Maheal

RogerJanuary 11, 2006 9:50 PM

@Maheal:

> Any thoughts on this?

Uncommonly good sense, I would say. Why not suggest it to them directly?

misfitJanuary 14, 2006 8:17 PM

What I haven't seen mentioned in this discussion is that the 'warden' software has also been included in Diablo 2 as of the 1.11 patch. This has been rather disasterous for quite a few Diabo players as, not only does the warden induce a lot of lag to the game, it also requires quite a bit of processing power to do it's scan every 15 seconds. Diablo 2 is more than 5 years old and a lot of people are playing it on PCs that struggle under the extra load that warden imposes. I know of several people who have given up playing D2 since the introduction of warden. However, this could well be a predictable outcome forseen by Blizzard and actually welcomed. After all, unlike WoW, you don't pay a monthly fee to pay D2. Blizz aren't going to care if a certain percentage of people who've been happilly playing this game for several years give up now. After all, they need all their servers for hosting WoW. However, when you consider that Diablo 2 is still being sold (with fairly low system requirements listed) then it becomes another issue.

JamesJanuary 17, 2006 1:18 PM

i don't know why I'm weighing in since arguing on the internet is indeed like running in the special olympics, in that even if you win you're still retarded.

But that aside. i am a security professional. for one of the largest internet/network sceurity companies in the country (actually THE largest i think).

My department specifically hands forensics and intrusion.

now truthfully, I'm not sure what the up in arms is about warden.
Perhaps those people are just finding out that companies do this now. And to others, such as myself, who has seen it date back to the early 90 in MMO's and other games, it's nothing new.
Perhaps not.

I hate to mention it, but what blizz does with warden is in fact not illegal in any means. In fact, it doesn't even walk the edge. It doesn't even come near the line of "shady". there ARE games out there that do. I've played them (and am playing one now), that has a program running that I actually felt the need to write a counter script for because I saw it do two things in particular that if I was running ai ninvestigation on it i'd probably take drastic steps over.
But warden?
Really?
the only way to describe my home network security is to use the term "overkill". To say the least. And of the variety of process I have running and am tracking at any one time warden doesn't even register with me. Or my network sensors.

I've had comcast call me three times now saying "why am i receiving security warnings from you?"
And I'll do the research and say "oh, because one of your idiot technicians did X while on my subnet, and I ddn't apprecaite it."
To which the reply always is "you SAW that?!"

Warden isn't spyware. It isn't malware. It isn't snooping your computer. It isn't recording data.
Just to clear up the other stuff too.
We did land on the moon.
There was no UFO at Roswell

But "they" might actually be out to get you. So keep looking behind you.

aaronJanuary 21, 2006 3:45 PM

there are still pleanty of people running bots and other stuff... guess its not working so great?

KaraFebruary 23, 2006 12:53 PM

how exactly can I protect my email account from individuals hacking into it and reading my mail. Other than changing passwords, which I've already done?

ChigginsAugust 6, 2006 8:23 PM

This whole fuss is because they chose to make a game that requires grinding and time, instead of making a fun and renewable experience.

If the game was not a boring job to play, there would be no cheaters in the first place farming gold....

guardianSeptember 25, 2006 2:49 PM

I was in the hospital on and off for a month. i got online for the first time the first tuesday afternoon on Septmber 2006,and logged on to see that my account was banned. Also at this time a very large sum of money was withdrawn using my visa check card-there is an ongoing investigation into this-and i have retained the service of a law firm to determine if in any way these incidents are connected-i believe they somehow are and will continue through legal and civil actions to get to the bottom of this-stay tuned for updates!-oh i have had this banned account now since WOW started-and no i am the only one that uses it!

DraconianFebruary 9, 2007 2:02 PM

I am a player of -World of Warcraft- I am not very old but when I see this information being told to me it is very alarming. I (like most) value my privacy, and I dont want someone sneaking around on my computer. I mean i thought i got all this Spyware protecters to keep me from having this issue. but i guess it can't stop it. 1 question, Is there anyway to stop this from getting in to my computer? If there is send me an email telling me how and were i can get this software.

My email is- xjadohunter@hotmail.com

Thank you.

AnonymousFebruary 9, 2007 7:28 PM

"Jason Justice, speaking on behalf of members of the Low Red Moon guild, said many in its ranks supported the programs used by Blizzard if it kept the cheats out of the game."

Blizzard are patching over bugs in their software by trying to catch cheat software by surveillance techniques on player's PCs. Wouldn't it be better if they used better programming techniques to stop cheat software?

I am not a dedicated gamer but this makes me think of something that happened to me years ago. I purchased Half-Life II when I did not have an internet connection - I found out the hard way that Steam requires Internet validation. Later, I came across the "daGamesta" offline installation method that decrypts the software without using a Steam server (this is only good for stand-alone play). Search using "dagamesta steamless install" if you want this. There were some bugs that prevented certain parts of the game from being played but something was a lot better than nothing (thanks daGamesta!).

Due to the heavy load on the Steam servers, there were some teething troubles in the early days getting things to work.

Many months later, the "PC Gamer" magazine May 2005 issue issued a "Half-Life 2 Full Update Pack" on their magazine cover CD. I think this was a commendable attempt by Valve to offer an update method for their customers that was not bandwidth intensive (faster update for the customer and less pain for the Steam servers). Out of curiousity, I tried to install the "update" using daGamesta's method. Guess what it worked fine; I could finally play the whole game without bugs.

Now take a step back and review this story.

Valve released a patched copy of their game that could be installed using a utility that had been freely available on the Internet for many months without paying or registering with a Steam server.

That tells you all you need to know about security awareness in the games industry.

jimbobMay 1, 2007 9:13 AM

People dont get the whole concept of privacy really. They're just trying to catch a few cheaters, well prob is that the vast majority of players arent cheaters or hax0rs or whatever.. they just wanna play a game. They dont want to worry about a warden or some stupid crap some ppl threw in a eula, and most arent aware, and dont 'close all processes and run supersecure systems or whatever nonsense' They trust that a big company isnt going to do this sorta underhanded shit and maybe 2 years later when they find out that something WAS spying on them, their privacy has already been violated, and they cant go back in time and close down their pro-democracy or pro-muslim website or their kinky fetish site or devil worship site or well, you know. I mean if I KNOW someone's using video cameras on me im not gonna walk around buck naked singing I'm too sexy in my hotel room. Privacy has so many little things it effects that u dont understand really. I read a eula once for partypoker and I finally saw that they take screenshots, i uninstalled that program forever but still i had 2 years that i was unaware of it with some fuckers in some gambling island looking at my emails cooking up a scheme to blackmail me by telling my wife I had a girlfriend. Let's just set some standards so that when u do something stress-relieving and innocuous like playing a video game it's not gonna turn into a snoopfest where u have to worry about shit like this. If someone cheats well then they cheat, i dont care, i dont care enuf to have to worry about jose and his blackmail schemes over a stupid friggin game ... get a life guys.

mikeMay 13, 2007 12:02 AM

Is there any way to rename a program that is running? besides actually right clicking on the icon and renaming it. Or is there any way to hide your program from the warden?

darwinn21May 17, 2007 5:03 PM

this is not actually a comment but a question.to "BLIZZARD ENTERTAINMENT"
MY QUESTION IS DO YOU GUYS HAVE A PLAN TO FINISH THE STORY OF THE GAME STARCRAFT BROODWAR & WARCRAFT FROZENTHRONE THIS 2 GAMES ARE SO IMPORTANT TO ME. IM SO EXCITED TO PLAY THE CONTINUATION OF THIS 2 GAMES YOU CREATED THE STORY IS AWESOME...PLS RELEASE THE NEXT EXPANSION...PLEASE!IM DYING TO KNOW WHAT GONNA HAPPEN TO ZERATUL,JIM R,& TO KERRIGAN & WHAT HAPPEN TO ARTHAS AFTER HE POSSESS THE POWER OF THE LICH KING...PLEASE
RELEASE IT ASAP...

FYISeptember 4, 2007 9:11 PM

It's very intresting that Blizzard Entertainment was so intrested in Asian Fonts in 1996: "Blizzard Entertainment Signs Long-Term Contract for Core Set of Bitstream's Asian Fonts
Text readability is important." Well let us hope this isn't where our information is going to!!!!!

HackedSeptember 16, 2007 2:25 AM

Okay, I'm not technical but from my own experience, what I have discussed with other WoW gamers, and what I have read, Blizzard is continually being hacked.

I know enough to understand that simple Username and Password are not secure. I also know that companies do not like spending time and money to be continually having to fix the same problems over and over again.

So, let's say that Blizzard is operating Spyware and gaining all sorts of information. Would providing their users with proper accessing authentication somehow interfere with or slow down such information gathering activities....????

It certainly appears that Blizzard is reluctant to beef up their accessing security and their Customer Service group must be spending lots of time restoring hacked user’s games. With 9M+ users, one would think they would want to fix the cause….????

KahnDecember 8, 2007 11:09 PM

I have to agree with Red_Blue's assessment of Even Balance, it's pretty dead-on as to how they conduct themselves from what I have seen and heard. What disturbs me more is that being a gamer that is a member of several on-line gaming communities, I have noticed that CoD4 ("Call of Duty 4" by Activision) seem to have a much higher rate of GUID's being locked out, with even buyers that have just installed the game complain that their GUID's are already "banned" by PB (Punk Buster, the anti-cheat system developed and administered by Even Balance). Since the GUID is tied to the CD-Key included with the commercial product, it would appear that the use of key generators is more widely prevalent in CoD4 than for any other PB enabled product that I've seen. Key generators are nothing new, but to see a commercial product that has a higher incident of CD-Keys already in use would indicate that the encryption method used to generate CD-Keys for CoD4 is not nearly as secure as Activision's competitors use.

Punk Buster has come a long way from the time when it actually helped cheaters by booting any player that the cheater opened a flood attack on, and you always have the occasional cheater crying foul on the BB's when they have been caught, but the overwhelming prevalence of people posting that their GUID's have been banned after just installing the game should cause one to question the problem in more detail. These people shelled out $50-$60 bucks for a product that is crippled not by software bugs, but the arrogance of corporate executives unwilling to admit that their "system" is grossly flawed. I hope I never end up as one of these unfortunates.

BigdorMarch 19, 2008 9:21 AM

Regardless, if the data is hashed by Blizzard, it can be unhashed by Blizzard, since it's their hashing algorithm.....and so can anyone knows that algorithm.

If your addiction to WoW is too great to recognise this as a security flaw in your network, then you deserve what you get from the hacker scum.

FitzlightJune 2, 2008 4:48 AM

I am not a hacker. What I know about computing is I can put a computer together, but don't as me to program it. I am simply a person who likes to play RPG. I do not feel that I should be put into the position of having to choose to either give up my right to privacy or the right to play a game. If I was running a game like World of Warcraft I would want to make as many of my customers as happy as I could so I would from the beginning offer them a choice, if they wanted to play straight, without cheats, then they would be able to choose in like a RPG mode and a PvP mode, if they wanted to use cheats then they would only be allowed to play in the RPG mode. Each person would make their choice and would have to indicate their choice before beginning game play and those that want to use cheats would be blocked from being able to enter into the PvP mode and then I would rely upon those who are playing in the PvP mode to inform me if they feel that someone is using cheats and has hacked into the PvP mode. Then I would enter the game and monitor the accused gamer and if I find that they have done what they are accused of then I would inform them that I am aware of what they were doing and then give them the chance to stop are to be banned. I feel that is the best solution to the problem, as there are not great solutions, and it does not require spyware programs to be put onto anyones hard drive.

jjdynomiteJune 4, 2008 7:26 PM

I personally feel as if this is a TRUE invasion of privacy. I PAID them to be able to play their game and continue to do so on a monthly basis, I didn't pay them to keep an eye on me! It's a freaking game, it's not guarded nuclear secrets! there are better ways of handling cheaters then to spy on everyone that plays. whats the difference in that and playing a game of tag football in prison with armed guards watching you? the only difference is you get shot if you get out of line at the prison! whereas blizz will just take everything you toiled, paid and played endlessly for and delete it or suspend you! You also need to read the EULA, it states that Blizzard will decide what is right and what is wrong, so wether you did something intentionally or on purpose is solely up to them to decide, and Dont even try to call and get help, I was actually on the phone with a Blizz rep once and when I started asking questions he was uncomfortable answering, he actually tried to let on like we were having a bad connection and hung up on me....remember also that just because Blizzard is a multi-billion dollar company does not mean that they are all PROFESSIONALS

Wade from ChattanoogaSeptember 20, 2008 12:51 PM

I used WoW for about 2 years. No problems. People are welcome to not get the game if they don't like being checked out for unfair gaming threats.

I mean really complaints complaints complaints. No one likes hackers or having their gaming experience ruined, but then they manually choose a game that checks their computer to prevent hackers and ruining of game experience and then poof I'm so angry now. How horrible they would try and save me from hackers.

Save the hackers, damn the complainers.
Damn the hackers, aggravate the complainers.

VladOctober 14, 2008 7:01 PM

@Christian
But it does send private data. The titles of your windows thaty ou have open. This is private data.

@[EVERYONE]
If it makes WINE not work ima lose a gasket. I hate windows, and mac os x is just as silly.

I want to see where in their end user agreement it says it gives them rights to do this.

Comments on this entry have been closed.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..