On Warden

Offtopic?! Blunders of Aion

2009-10-10T08:05:00.000-07:00

Not to demonize our friends at NCSoft...

So Aion came out recently. Back in beta they were using nProtect GameGuard in an apparent attempt to stop cheaters. It was relatively big news when they pulled it for the game's release (but indicated they may use it in the future, and some sites say it may still be in use in some markets). So first a little bit about this whole GameGuard thing. I tried running the Aion client during beta, and without any other software running on the PC, the damn thing just wouldn't launch. It came up with an error in Korean. I don't read Korean, and I don't think the font is even installed. But it mentioned GameGuard in English. Long story short, I never successfully ran the game during beta. I probably could have, but I didn't bother. I had seen enough. The reason it wouldn't launch? I was running Windows 7. I could have probably copied it over to another PC and tried it, but the GameGuard debacle convinced me that I didn't want to.

I wasn't the only one with issues with GameGuard. Indeed, a quick Google search will turn up numerous problems that players were having with this "protection". And, as it turns out, these problems were basically all for naught. It was easy to disable GameGuard with a hack that someone distributed for free and could be found via a no-brainer Google search. So Aion using GameGuard didn't achieve its goals of preventing cheating, but it did prevent honest players from playing the game. If playing Aion is prevented, only the prevented will play Aion! In other words: FAIL!

And that's without going into any of the gory details of GameGuard! WoW players are lucky to have Blizzard's relatively non-invasive Warden. GameGuard runs a Windows driver (one that is commonly referred to as a rootkit, having complete and unfettered access to your PC, and "secret" functionality. Do YOU trust everything available for download on the internet?), which means that it can easily cause your system to BSOD (and, for many people, does exactly that). It's one thing to not trust your customers (in multiplayer games, this mistrust is necessary to some degree), but it's another to crash their PC, potentially causing lasting damage, while trying to achieve perceived fairness.

So these things presumably contributed to dropping GameGuard for the game's release. Smart move there. But NCSoft wasn't dropping cheat protection entirely, just GameGuard. I don't know of any available information about what protection is in place, and I haven't particularly looked myself, but last night they showed the world that they are still using something. And they're banning lots of people who aren't cheating (along with some who are). What's more, they did it on Friday night and apparently don't provide customer support on the weekends! Good game, NCSoft. Good game. (Update: This is enough of a problem that they are apparently working this weekend)

This has me slightly concerned about my own non-cheating customers. I write software that, by and large, is used for multiboxing (playing multiple characters) by facilitating visibility, ability to easily switch to different characters, and more recently the ability to control different characters at the same time as you control the main. And since my company launched in 2004, no multiboxers using my software have been banned from any game -- there were some accidentally banned from World of Warcraft a few years back, but their bans were reversed and Blizzard gave them free subscription time to make up for the mistake. But, while there are former Blizzard guys at the top of NCWest (US subsidiary of NCSoft) thanks to ArenaNet, and these guys seem pretty reasonable, NCSoft is not Blizzard, and NCWest doesn't exactly control NCSoft. So even though NCWest may be sympathetic to multiboxers, who knows what kind of destruction will be doled out by NCSoft. NCSoft is used to a much different Asian market, and recent law changes in Korea probably carry a lot of influence in what sort of protections the game will have. (Update: Apparently Jeff Strain left NCSoft a couple months ago, and I'm told that my statement "there are former Blizzard guys at the top of NCWest" may no longer be true)

I've spent a good portion of the last few weeks preparing my software for compatibility with Aion. That's just to get it to launch and interact with the game... in a style similar to what X-Fire does, but providing the capabilities in a different way (so as to support additional features such as the ability to manipulate the game window, or put games that don't support windowed mode in a window, and so on). But the end result is basically the same -- my software can provide an in-game interface and indeed X-Fire could be implemented using it (some people use an IRC plugin for my software for example, which allows them to chat on IRC while in game).

But my system is also more likely to be incompatible with a game than X-Fire is, for other reasons. Aion, for example, uses a packer called Themida. Themida is supposed to be one of the best ways to protect a program from being modified, or even reverse engineered (which is often necessary in order to implement interoperability, is used in many disciplines, and is expressly legal to do). But like GameGuard, this is only effective as long as the perceived enemy is unable to bypass it, and there is likely to be collateral damage. Older versions of Themida loaded a driver, and as I described with respect to GameGuard earlier, this meant BSOD and eventually incompatibility with Windows. Themida is also used, legitimately or not, to "protect" malware in order to evade your favorite anti-virus software, anti-spyware software, etc. This means that, for some people who are simply trying to protect themselves against malware, the game can't be played without disabling the anti-virus software, or is detected as malware and destroyed. But hey, at least the game can't be modified or reverse engineered, right? Wrong. Themida only prevents a program from being modified on disk, and even then, only if it is not unpacked. Aion unpacks itself in memory so that it's just like any other program, and once it's loaded in memory it can be both reverse engineered and modified. This means the Themida packing is only so effective in the first place. By using Themida they prevent entry-level hacking of the game, in exchange for looking like malware to various antivirus software, and whatever other collateral damage comes with it.

This happens to be a hindrance to my software because my original design had some related flaws. The way Themida unpacked Aion, it happened to ignore parts of my software. This is no longer the case. Unfortunately it's a lot of work to redesign something that has been an integral part of my software for 5+ years, so there is still work to be done before anyone is using ISBoxer to multibox in Aion. I sincerely hope that Aion does not become the first game to ban my customers for nothing other than multiboxing.

And for what? NCSoft has been so confident that this game would be the ever-so-elusive WoW killer (many have tried, but none have succeeded thus far) that they are trying to protect the game experience for honest players, but in the process have alienated many of those honest players. Honest players who might be purchasing multiple accounts, and telling all of their WoW friends that they should be switching to Aion because it is so awesome. Sadly, bungles early after a game's release can do more harm than having cheaters early after a game's release. Consider that WoW didn't even have Warden until many months after its release. And people cheated! They did all of the things that everyone hates them for doing, and you know what, even with Warden, people still cheat and do the same damn things they did before it came out. You don't have to ban honest players, you just need to create the impression that you are serious about taking steps against the cheaters that people are complaining about. There's going to be cheaters either way.

It seems to me that for all the work put into protecting the game, what they have actually achieved is a limitation on the size of their player base, rather than preventing cheating.

And, while I wholeheartedly disagree that Warden and other anti-cheating software is copyright-related DRM as protected by the DMCA in the US, there are clear parallels to be drawn. For example, some DRM restricts use to specific devices, preventing use of content by potential customers using other devices with the intention of selling more of the device it is restricted to, and many people remove this DRM in order to use it on devices from other vendors. In either case, the trade-off is to alienate some customers in order to achieve some goal for the company. And in the end, the customer that was locked out is able to take the upper hand.

To the company, this is all about money. The company is betting that by implementing this DRM, they will receive more money from customers. The obvious risk in this bet is that customers may not be willing to sign on to their DRM scheme. The company probably doesn't care if the DRM itself causes damage, until it hits them in the wallet.

If you need any examples of DRM causing damage, I have personal experience with one and another is common knowledge. Here's mine first: I made the mistake of installing a game called Splinter Cell: Chaos Theory on my PC several years ago, which used a protection scheme called StarForce. I didn't know or really even care until I later tried to upgrade from XP to Vista, and Vista told me I couldn't upgrade because StarForce is incompatible. Oh, and I couldn't uninstall StarForce to upgrade to Vista, even though I had long since removed SC:CT.. I had to do a clean install of the OS to get rid of it! (There's apparently a removal tool now) And for common knowledge, the words "Sony" and "rootkit" should be plenty, but if not, here's a link (this one actually hit Sony in the wallet!). People in general don't like overly restrictive DRM, and many will refuse to buy something that has it.

The company is betting that all of these factors combined with their cost of implementing the DRM will result in receiving more money than they would have gotten without the DRM. It seems to me that the way to balance this is to avoid overreaching at all costs, not to try to make it perfect. I am reminded of a quote... "The more you tighten your grip, Tarkin, the more star systems will slip through your fingers." It'll never be perfect.

MDY v Blizzard trial results

2009-01-30T09:36:00.000-08:00

Very interesting stuff. Today I will be writing about the court order dated January 28, 2009, found here in PDF form: http://docs.justia.com/cases/federal/district-courts/arizona/azdce/2:2006cv02555/322017/108/0.pdf

The most important point, as I see it (well, it's probably plain to see), is that the court ruled that Warden is protected by the DMCA insofar as that it protects the non-literal elements of the game. That is to say that the game elements generated by the server and sent to your client, which make use of the literal data -- say, a monster here, a building there, etc -- are copyrighted and Warden prevents accessing them if you are shown to be violating the Terms of Service. I would still argue that simply adding terms to the Terms of Service probably shouldn't be applied as far as the DMCA. I don't think it would fly for the RIAA, so why should it fly here?

This will also have implications for other games, and with companies that are far less trustworthy than Blizzard. For example: New game comes out, has DRM that is wider reaching than Warden and includes features that happen to send private data back to the server, and it's protected by the DMCA simply by tying random terms into the Terms of Service. Company doesn't mention it, much like Blizzard didn't come out and say exactly what Warden does (resulting in the Hoglund debacle and other false claims), and until someone reverse engineers it and determines what it is doing, nobody would be the wiser. Cue the ignorant responses: "They have your credit card information from subscribing, what else would they possibly want?" and "Well don't play the game then". It should be noted that until the problem is exposed, nobody would know not to play the game, and something could affect a large number of customers. And of course, providing software that protects your private data from being exposed would be a violation of the DMCA. How do you like them apples?

It doesn't even stop at games. That's just the most obvious. This could harm a lot of modding, of anything at all. A car manufacturer can put such controls on its in-car display system to prevent you from making changes to it by making it a copyright violation to do so. What sense does that make? For further reading on this point, an article at Ars Technica: http://arstechnica.com/gaming/news/2009/01/judges-ruling-that-wow-bot-violates-dmca-is-troubling.ars

Blizzard also won on tortious interference with contract, which they were pretty confident about from the beginning. This is basically that MDY was apparently inducing WoW players to violate the terms of their contract (EULA, Terms of Service) with Blizzard by suggesting they use a bot.

And more importantly at least as far as MDY is concerned, Blizzard is entitled to a permanent injunction against Glider, preventing MDY from making another penny on it, not to mention the $6 million stipulated damages this means MDY owes Blizzard. Or rather, that Donnelly himself apparently owes Blizzard, since the court deemed him personally liable. Ouch.

The two sides have until Friday the 13th of February 2009 to make their cases as to why or why not the injunction should be stayed pending appeal (meaning that MDY of course has no choice but to appeal, and the argument is whether Glider sales should be allowed until the appeal process runs its course) and other minor details regarding the injunction.

So that's it for now.

Why are people still referencing Hoglund?

2008-12-20T09:30:00.000-08:00

Okay this is relatively old news but I hadn't seen it until now. Someone in IRC linked this article on wowinsider.com by Jon Eldridge from May 19, 2008: http://www.wowinsider.com/2008/05/19/azeorth-security-advisor-wow-is-watching-you-part-2/

So we've got this "computer security expert", and alright, I'll bite, maybe he is some sort of computer security geek... but he's definitely no reverse engineer. He goes on to explain with some degree of accuracy, 2 of the scans that Warden had before early 2007. Notice the emphasis on had. What isn't accurate is this:

It reads the text in the title bar of every window you have open including that really embarrassing Furry fan site you don't want your friends to know about. Yes Nekudotayim, Bliz knows about your pr0nz.!

I went over that in detail in the first On Warden blog post, here: http://onwarden.blogspot.com/2007/07/privacy-and-you.html. Blizzard doesn't know about your Furry fan site porn. Sure, Warden went through the titles of each window, and compared the title to a hash. But all it would do with that information is send back a yes or no. There was no sending back the titles of all the windows. Eldridge seemed to imply that the titles would be hashed and sent to Blizzard in order to compare to a database. Nope. Partial credit. Even if that was what happened, that doesn't give away your Furry porn. The hash is one way, there would be no way to recover the original title in order to determine if it was, in fact, Furry porn (Eldridge is apparently also not in the cryptography school of computer security expertise). Blizzard sent a hash to compare window title hashes to, not the other way around.

But that's not the worst misinformation of the article. This is:

The second act of the Warden Power Tour is to sniff out and hash every single process running on your computer and compare them to the list of banning hashes. So while you are playing WoW, Blizzard takes complete stock of every program, every window, every website and every process on your machine and compares it to a list you will never see... every 15 seconds. Contrary to many fanboy and armchair security expert flames Blizzard does indeed know about your surfing habits while you are playing WoW and a whole lot more. The issue is not what they know but what they choose to audit and act upon via their secret list.

Speaking of armchair security expert flames, Mr. Eldridge... Blizzard does not know about your surfing habits "and a whole lot more." Even if they were hashing all of the processes and sending them back, once again they could not recover the original executable name (oh, did I say executable name? yeah, you forgot to). They could only compare it to a list of known hashes, so they would have to take a huge number of guesses before coming up with the right one in order to determine what obscure programs you are running. But this doesn't even translate to "every web site", even if they were grabbing every window title and every process executable name. I don't know about you, but I use a browser that supports tabs. Only the focused tab changes the title of the top level window. But, once again, the process list scan hasn't been used since early 2007, and they sent the hashes to your PC to check, not sending a list of hashes to their servers.

Then Mr. Eldridge goes on to recommend Governor for anyone who'd like to "watch the Warden sniff around". If only that's what Governor actually did. (and again, I've gone over this before) Even when it was created, Governor only intercepted API calls from roughly half of Warden's scans. But it never showed what would actually get transmitted back to Blizzard. Governor hooks a small set of windows API functions such as GetWindowTextA and CharUpperBuffA. GetWindowTextA is used to get the title of a window, and CharUpperBuffA converts some text to upper case, for use in generating a hash. CharUpperBuffA was used for both the window title, and process executable names. But using these API doesn't mean that's what Blizzard is seeing, just what's happening on your PC. It's really quite mundane, and in fact, what Governor would see now is even more limited.

What's interesting is that people are still going back to something posted in 2005 by a guy who gave up on protecting WoW!Sharp because he didn't have the expertise to handle Warden (that'd be Hoglund), but there are people such as myself who actually know what they're talking about when it comes to Warden and I don't get so much as a question from people like Jon Eldridge. Instead, Eldridge has placed himself squarely in the FUD. Maybe he bought Hoglund's book!

Updates and a slight correction

2008-11-18T09:19:00.000-08:00

The last post, about WoW 2.4.2 bans, had a mis-statement that is causing some confusion. It says that the bans "hit Inner Space." What it should have said more specifically was that the bans hit ISXWarden and/or ISXWoW users. Inner Space "vanilla" is not something that Warden is actively seeking out and banning for, and this is clearly evidenced by the people (including me) who have been using Inner Space without ISXWarden or ISXWoW for some number of months now. On the flipside, I'm told by people who used ISXWoW without ISXWarden that they were banned within 20 minutes, and people who used ISXWarden were of course banned in waves when detected.

ISXWarden, as many have discovered, is indefinitely shelved, on advice from legal counsel. Without implying anything that I didn't say before, it will be back in the future if conditions allow (or, as previously stated, "as soon as possible"). I can't explain any further at this time, nor can I guarantee that conditions will allow. ISXWarden never was a Lavish Software product -- it is something that I provided personally, for free, and was never advertised or marketed by Lavish Software. And it is not guaranteed by or paid for with a Lavish Software subscription.

On a related note, Inner Space is now enjoying renewed attention from multi-boxers. The excise of ISXWarden has given multi-boxers using Inner Space a sense of safety (ironic?), as they feel less likely to be banned alongside botters. Blizzard could differentiate between the two by detecting ISXWarden or ISXWoW (which they were doing), but this should fix the long-shot case where they might feel the need to ban all Inner Space users. Now the vast majority of people using Inner Space with WoW are sure to be "clean", so there is no reason for that to happen. Blizzard does not take banning lightly, and as multi-boxing is explicitly allowed, they are very unlikely to ban a bunch of multi-boxers who are doing something that shouldn't be considered any different than using other multi-boxing solutions. It's not their prerogative to create problems for good customers -- that would be bad business, and Blizzard is not a bad business.

To that end, multi-boxers are now taking advantage of a number of features they didn't previously have access to from other solutions. Instant picture-in-picture is a big hit. Many are now finding new uses for their G15 or G11 keys, X-keys, or other alternative input devices. Having precise mouse multiplexing (on the same PC or otherwise) is also very beneficial. And to Blizzard's credit, zero Inner Space multi-boxers have been banned, including myself -- my accounts are in my real name, with my real address and phone number, and I pay for my accounts with my own credit cards, so there's nothing stopping them from banning me if they see something wrong with my 5-boxing with Inner Space.

May 20th ban wave: WoW 2.4.2

2008-05-20T18:14:00.000-07:00

Alright it's no secret that there was a pretty big ban wave in World of Warcraft today, apparently hitting Inner Space, Glider, and unapproved addons, among other things (note: I don't know if they hit unapproved addons, or other things, I'm going off of secondhand information from sources that may not be accurate). Hats off to Blizzard for pulling off the Inner Space and Glider detections without tipping off the communities. It's been a while since the last time that happened.

So to that end, I first need to address the people who are wondering how it happened. ISXWarden and Glider's Tripwire both attempt to identify when a new Warden is distributed with new functionality. So why did neither prevent this ban wave? Simple. Warden was not updated. The detection method was hidden away in the 2.4.2 WoW client itself.

But it's not always that simple for Blizzard to get away with. First, Blizzard has no guarantee that the detection code will slip past researchers. The last time this was attempted, according to my logs, was WoW 2.1.0, released on May 22, 2007. I prevented that from affecting ISXWarden or Glider. This one (2.4.2) happened to slip past -- a mistake that is hopefully never repeated, but errare humanum est. Secondly, Blizzard can only update the WoW client every so often. In the last year, it's been about 1 patch per month on average. And, patches are never secret. Unlike Warden, which can be updated at any time while you play the game, client patches are announced to the public, and everyone is well aware when it happens. So it's no big mystery when to go hunting for new detections in the client, this is something researchers need to do every patch.

Now to address the people asking for details on what was detected. Sorry, but I can't provide that sort of detail at this time. I do not typically reveal that sort of information to the public.

What I can tell you is that today's new release of ISXWarden addresses the problem. I'm well aware that there are people who believe that, and people who don't, and if you're not sure which side of that line you're on, the safest option is always to not use programs that Blizzard will ban your account if they find out. Many people choose not to use those sorts of programs for a while after a patch just in case a situation like this arises.

More rambling on MDY v Blizzard

2008-03-27T19:45:00.000-07:00

Okay so after that last post I've a) got more details from the MDY v Blizzard case (note the bolded update in that post), and b) heard more comments than usual from people enjoying reading some of my personal history. So I guess I'll keep sharing.

On my chopping block today is Edward Castranova, PhD (in economics). Castranova is, no doubt, a very smart man. Relevant to the topic at hand, he has published works regarding virtual economies, including the relationship between virtual and real economies (referred to as Real Money Trade or RMT) which he does not appear to discourage (I could be wrong, I'm no expert on Castranova and haven't read all of his work, but am referring to articles such as this one linked from his wikipedia entry). Castranova provides a document titled Effects of Botting on World of Warcraft (as Exhibit 7, which can be seen via the first link in this post). If I were to stop reading at the title, I would assume that Castranova intended this document to be a general overview of botting. However, the table of contents clearly indicates the document is about Glider. I'll give the benefit of the doubt and assume that the document was not simply edited to replace generic statements about botting to contain the word Glider. But here's the thing. He's an economist, charged with drawing conclusions about the economic effects of Glider (and other bots) on Blizzard. Naturally, he's a good candidate for doing so -- having published works on virtual economies and RMT, and he's at least had experience with MMOs. However, his expertise as an economist doesn't particularly help when the document he's providing is full of assertions about gameplay that are difficult, some maybe even impossible, to back up with actual data, or simply rely on fallible logic with many other explanations, which may be more logical.

I'm quite sure that there are counterpoints to my counterpoints, but where there is no definite answer, debate arises, and I would expect nothing less. I'll just go down the list of "The Harms of Glider" from Exhibit 7, which Castranova explains in his deposition that many of these statements are not a result of any particular study, but of his personal experience and hearsay.

1. Users of Glider increase their characters' level considerably faster than human players, reducing the time spent playing the game

1. As Greg Ashe (Manager of Technical Research at Blizzard) pointed out in his deposition, the difference between Glider and a human playing the same amount of time is negligible:

Q. So other than time and multiple accounts, does it give any special advantage over another player who is actually playing the game legitimately?

A. There are scenarios, I guess, where, you know, specific profiles may give an advantage over a very new player, but that's not, you know, a very practical scenario on a moderately-experienced player.

I'll just let this point ride and not bring it up again in the rest of this post, but it is important to note that the advantage Glider is providing is T-I-M-E. Again from Ashe to back that up:

A. -- time -- player time in the game is really the variable. It's how many hours per day characters are spending in the game and whether those multiple characters are spending, you know, a few hours or a few characters are spending a ton of hours, that's, you know, the variable that's really impacting.

2. This is ambiguously worded, so I can only suppose that it is meant to refer to Blizzard's subscription revenue, because I can't imagine this being construed as harm to Blizzard in another way. I can imagine ways that this is actually better for Blizzard, however. "Less time spent playing the game" could mean less bandwidth, customer service, power, and other expenses for Blizzard.
3. The same point about reducing the time played could be attributed to strategy guides, or quest path guides. Should Blizzard block the sale of strategy guides because they decrease subscription revenue, because people spend less time playing the game?
4. The game does not stop at level 70, and as the game allows several characters per account on a given server, many players will spend additional time playing an alternate character, usually a different class, to level 70. Many players play on additional servers. If subscriptions typically ended a given amount of time after reaching level 70, a profit-minded Blizzard should have designed the game to take longer to reach level 70, but they have in fact shortened the amount of time it takes to reach 70. Therefore, it cannot be assumed that a shorter amount of time spent leveling a single character to 70 translates directly into lost revenue. This means that the $105 in supposedly direct lost revenue per Glider that was calculated in the paper is also inherently flawed, regardless of whether the time estimates to level are accurate. That's not to mention the careful use of "casual" players as the basis for amount of subscription revenue lost -- the comparison should be done against the pool of players of similar play style, and in this case, I believe that would lean heavily toward the "hardcore" players, who typically invest more time per day than 2 hours.

2. Frustration and loss of game satisfaction by average players when Glider bots gain experience points more rapidly than the average user

Wait, there's more. Here's another quote from the same text to go along with this one ("Is it" typo theirs):

From the perspective of the average player, all he knows is that there are other players who somehow have gained 20 levels while he has gained only 2 or 3. Is it difficult for another user to confirm that the players gaining levels at an accelerated pace are botting, so the average player concludes that either he must be an incompetent player or the system is balanced against him

1. These quotes flatly contradict each other. One says the average player is specifically frustrated about bots, and one says the average player is frustrated about players who gained 20 levels while he has gained only 2 or 3, with no idea that he could be blaming bots the whole time.
2. This has been true in MMOs long before World of Warcraft or any complex bots existed. I played EverQuest for years, and from the time I began playing it, as a decidedly average player, I saw people who were online in the game for much longer periods of time than I was. Lo and behold, the majority of those people leveled faster than I, and got "phatter lewt." And bots for the game were all but unheard of. I concluded that these people had more time to devote to the game than I wanted to devote to it, not that they must be cheating, even though I knew as a long-time game automation programmer (I was well known for it on local BBSes, and to drop a few game names: MajorMUD, Tele-Arena, Crossroads of the Elements. Certain crowds know these) that people could be using automation tools. I also noticed that a lot of people played for shorter periods than I did and leveled faster. But I knew that my style of play at that time did not involve simply grinding out levels -- I enjoyed social interaction, exploration, and other activities that had nothing to do with experience points or currency.
3. Essentially covered by 2, but to reiterate without personal anecdote: Different players have different play styles, and different goals. Some people play at odd hours of night, some people play for 3 days straight, some people are willing to sit around for hours and hours simply for a chance at some desirable reward. What these people have over the average player is simply the ability or willingness to spend more time playing the game. I'm sorry, but outlawing botting is not going to buy the average player time, because this problem exists without botting.
4. The system in World of Warcraft is probably always going to be balanced against the player with the least amount of time. That's not because of bots, that's how the game is designed. The player with more available time per day is going to accomplish more and gain more per day. The only time this changes is when balance is shifted away from time, by placing limits on the amount of time any player is allowed to play or, at minimum, allowed to receive rewards.

3. Frustration and loss of game satisfaction by average players when Glider bots decreases the amount of gold average players can earn during ordinary play

1. Okay, the only obvious way that I can see this argument going is competition for resources. The only way this could possibly be directly attributed to Glider or any bot in particular is for the players to be in the same place at the same time, and be competing for the same resource at the same time. First of all, one of the most obvious rules of thumb for a botter is to avoid other players as much as possible, because a lot of players, including those who bot, will report bots. So the botter is already trying to hide from the other players, and does not want to be competing for the same resources, as that puts him at greater risk. Even so, the game is designed to limit the effects of any one player on an entire area -- random spawns for mobs and resource nodes, and so on. And the guy running around mining or collecting herbs has the same chance you do of getting to it first. Kill stealing is pretty difficult with the system World of Warcraft uses for "tapping" mobs. This could be a valid argument in ye olde EverQuest, where you had to specifically kill rare spawns to get phat lewt, and they were on relatively long spawn timers, and may not be seen for days... people sit around at the same rare spawn, monopolizing it and demotivating anyone from trying to take it.
2. The amount of gold average players can earn during ordinary play is bound to decrease over time even without bots. This is all making me think... The problem here is that the game is designed such that the key factor essentially boils down to time -- and indeed Blizzard makes a lot of money by selling customers that time on a subscription basis. Someone with more available time per day will eventually (that is, over a long enough period of time) surpass players with less available time per day, all else equal (the player with more available time per day is also getting a better value for his subscription fees). All that is needed to generate in-game items or gold is time -- the time you spend achieving whatever symbolic goals are on the path to generating that precious resource, be it by looting fallen foes or by practicing tradeskills to craft items. Various in-game resources have various consumption rates (by consumption, I mean effective removal of the resource from the economy, by some game mechanic e.g. soulbound items, selling to an NPC vendor, etc), which may or may not be faster than generation rates -- some may be fast, others may forever have more than will ever be consumed. For any resource where the rate of generation is faster than the rate of consumption, the value naturally decreases in relation to other resources. Currency in this type of game is the most readily available resource -- it can typically be generated in infinite amount by spending time on various infinitely available tasks. A player can kill mobs for hours on end, generating currency and items simply by the act of killing creatures, without even breaking a virtual sweat. The items, in turn, can be converted directly to currency by visiting an NPC vendor (with some exception of items that cannot be sold), for a price that will essentially never change for any given item. So in effect, this problem exists by nature of the design of the game. Any influx of time spent in the game translates to this generation of currency, regardless of whether it is from humans or bots. The supposition I am left with is that any claim of potential subscription revenue loss due to spending less time in the game (e.g. from leveling faster as claimed in the first "Harm" statement) likely conflicts with the devaluation of currency, not to mention the continual growth of World of Warcraft, with now over 10,000,000 subscribers. This growth drives an influx of additional time spent, which devalues the readily available gold. And yet Glider, the most well-known bot for World of Warcraft, claims only about 30,000 active Glider accounts according to MDY's statement of facts.

4. Frustration and loss of game satisfaction when the in-game economy is hyper-inflated, resulting in significantly decreased buying power for normal users

1. See my #2 to previous statement. The in-game economy would be "hyper-inflated" over time without bots. I'm not sure it's a valid conclusion that because bots can cause hyper-inflation, and that the economy seems hyper-inflated, means that bots are a major, let alone the primary, cause. It's asserted repeatedly in this paper that players simply do not understand that the problem is likely bots, even though, again, these assertions have not been based on any statistically significant amount of data.
2. The primary destroyer of any MMO's economy has historically been, to my knowledge and belief, dupe exploits. Dupes allow items or currency to be duplicated at will, which may generate far more currency than average humans, hardcore players, or botters ever dream of making, at a much faster rate. A dupe that goes undetected for any period of time may severely damage the game's economy, even beyond repair.

5. Increase cost to play when average players feel they must pay real world money for in-game gold in order to play the game as intended by Blizzard

(italic emphasis theirs)
I don't even know what to say to this one, other than this has nothing to do with Glider or bots in general, and I've already made any counterpoints I would have made to this.

6. Increased cost of providing the game when Blizzard's customer service representatives must respond to hundreds of thousands of complaints about bots, and millions of complaints about in-game problems caused by bots

1. This statement claims millions of complaints about in-game problems caused by bots, while at the same time the paper says this:

To date, Blizzard has received over 300,000 complaints about botting from customers. Millions of additional complaints have been received in connection with issues of inflation, resource-hogging, farming and other issues that are likely tied directly to the existence of bots, but that players do not understand, or do not acknowledge, are connected to botting.

And this:

The more than 300,000 botting complaints that Blizzard has received does not include complaints lodged by the many current and former players whose game experience was adversely impacted by bots, but did not know the reason for their less-than-perfect gaming experience. Unfortunately, there is no way to ascertain this number, or to quantify these damages.

And this:

Do players even realize that botting is behind the distorted economy? The 300,000 user complaints evidences that many do. Given that over 10 million WoW accounts have been created, however, it is reasonable to conclude that many more do not. Players only see ridiculously high prices for items they need, and ridiculously low returns for hours of game play that would otherwise provide more than enough resources for them to enjoy the game as designed. The ultimate root of these problems -- Glider bots -- is difficult to see.

What I'm seeing is a lot of repetition and pointing out bots, or even Glider, as the "ultimate root of these problems", meanwhile acknowledging that it is difficult to see, that most players do not understand it as such, and so on. If one were to not consider the rest of the possible sources, then it would be reasonable to come to the conclusion that it's all Glider's fault. But the vast majority of the players, clearly, do not blame Glider. What else could players possibly blame the problem on? Something logical? Like players who have more time to spend playing the game than they do? Doesn't the stereotype involve people living in their parents basement with nothing better to do than play the game all day? Or during certain times of year (etc), students with time away from school that have plenty of extra time to play? And one reason for people to use these bots in the first place is to keep up with those sorts of people who can invest more of their own time, to cut out the advantage! If people are really sick of having the disadvantage in the game, they can quit their jobs and spend all day playing too.

7. Cost of resources devoted to detecting Glider bots, and the cost of ongoing programming efforts to overcome Glider's constant development and improvement of its anti-detection software

... I saw a number for this, being something like $900,000 (either per year or total), and now I've spent so much time rambling that I don't know where I saw it. So I apologize if I'm inaccurate here, but I'm going to go with that number. I don't believe that anywhere near $900,000 is devoted specifically to Glider, but I don't think that's important, and here's why. At ~$15 per month, any Glider pays up to ~$180 per year to play a single WoW account. If there are 30,000 active Gliders each with only 1 WoW account, that's ~$450,000 in subscription revenue per month for Blizzard, and ~$5,400,000 per year. Even ignoring the purchase of the account itself, the revenue from Glider users alone is likely more than enough to cover that specific cost, given that the $900k cost would presumably not exist without the $5.4m revenue.

8. Loss of game satisfaction by average players when the presence of Glider bots destroys the immersive fantasy aspect of the game, which is the essence of the product

I can only speak for myself really, but I think "Barrens chat" says enough. I can't imagine the presence of a bot here and there being any worse than reading typical in-game chat.

So basically what I'm getting out of Castranova's exhibit is:

The monetary damage amounts provided are based upon flawed assumptions, such as shorter level time = less revenue, and that the average player who uses Glider would have spent 8 months getting level 70.
He really, really wants to assert that Glider is the root of WoW's problems and great cause for concern to a player base that would not come to the same conclusion themselves, though there is no attempt to prove the any substantial connection. I can only assume the intended audience does not play World of Warcraft and is unlikely to be aware of differences between types of players, or that other likely causes of these problems exist, and would not be able to make their own logical conclusion, choosing instead to rely on information from such an expert.

Once again it's getting late and I'm getting tired, so this may not be as polished as I'd like, but hopefully I've gotten at least a few good points across to ... anyone at all. Some of my points might be just as bad as I'm saying anyone else's are, but I know there's some diamonds in the rough here ;)

Update: I just got a note that Mercury was actually the developer of one of the now-retro games I automated in the past, Crossroads of the Elements. I didn't realize that, how cool. And I've been Master of Elements on my old local BBS for probably over 10 years.

Legalese and other rambling unrelated to Warden

2008-03-21T21:28:00.000-07:00

Okay, first things first. Some blogs and websites just picked up on news about a subpoena I was served in relation to the MDY (Glider) v Blizzard case. My attorneys filed a motion to quash the subpoena, as I was given 9 days to retrieve information not related to Glider, with an overbroad scope. Blizzard opted not to pursue the information that I did not want to present them, and I of course am humbled that they did not feel the need to pour bags of money over my head and suffocate me. While their option to not respond to the motion to quash was reported as a blow to Blizzard, it would not have affected this case one way or another if they did so, and this is probably the reason for such a passive acceptance of the motion to quash.

They could still attempt to suffocate me in their cash at a later date, but I try to tread lightly and hopefully they continue to extend me this courtesy. The information they asked for would not have been relevant to the Glider case in particular, as I have never used Glider -- sorry to disappoint. I think my deposition was shortened by an hour or two because I wouldn't have been able to answer general questions about the use and function of Glider, much to the surprise of Mr. McGee, who represented Blizzard. And I appreciate his professional and respectful manner.

So I've been notified that motions were filed on both sides of the case today (or rather, yesterday, since it's now after midnight). After all of the hullabaloo with my subpoena, deposition, motions to quash, providing documents they probably already had seen from other sources, I'm reduced to a sentence in Blizzard's Statement of Facts and an exhibit (being the portion of video record from my deposition referenced in the SOF. Update: I hadn't actually seen the exhibit at the time of this post, but had assumed that it was the video record. The exhibit documents have been made available at http://gameactivist.blogspot.com/2008/03/legal-filings-from-blizzard-vs-mdy_26.html and my exhibit may apparently just be the portion of transcript from the deposition, not including any video record). But, it's now shown in court documents that I provided Mercury with information on defeating Warden, and that's bound to add fuel to random flame wars between my most vociferous customers and his customers who hate being patronized by my customers. Actually I'm kind of flattered that Blizzard decided to toss my name in the documents in the first place, considering I never got a response to sending them my resume other than the postcard that says "if we are interested you'll hear from us, please never call us or email us." It's almost like I got promoted.

All that aside, I find it hard to side with Blizzard on their arguments in this case, even ignoring my personal conflict of interest. I'm going to mention a few things, and certainly not the most important points, but not going to go into full detail, so forgive me for not wanting to go down the whole list or picking the most important points. One problem is that there are numerous assertions made that are implied or stated to be specific to Glider, when in reality, it could not be verified to actually be. Blizzard has included statements from average customers making complaints that may have been about botting in general, that specifically mention Glider instead. They mention Glider because it's the most well-known bot for WoW. Some customers purport to have identified players using Glider, that could have been using one of dozens of other bots. One in-game petition they quoted from October 2006 says "He's busily spinning around like WoW glider does." The first thing I thought of when I read that was a bug in (some?) bots using ISXWoW, (link is a forum post from October 2006 about a spinning bug in WoWBot) which does not include Glider, which caused the character to spin in circles instead of going anywhere. It's impossible for me to say one way or another whether it was indeed a Glider or someone using any other bot because the quoted text is ambiguous. Then there's a handful of others that also specifically mention Glider, but with no indication of how, or whether, the customer positively identified the bot as being Glider. It seems to me that the analytical ability of these average players could easily be called into question. These people are not experts and although I have no doubt they could have identified a botter, I'm not sure they are reputable enough for their statements with regards to Glider to be taken with anything but a grain of salt.

There's also numerous statements that imply Glider gives players the ability to do various things they would not otherwise have the ability to do, where it is simply not the case. For example, "Glider players have special advantages because they can play multiple accounts simultaneously . . ." -- people have been playing multiple accounts simultaneously in MMOs for years, long before Glider was conceived of. They do it with or without any software or hardware assistance. Some people use WinEQ 2 to help them, because it provides features to help facilitate playing multiple characters on the same computer, without being considered a cheat or hack (e.g. Picture-in-Picture, hotkeys to switch to specific sessions, and so on). Blizzard even un-banned WinEQ 2 users that it had inadvertently banned as part of an attempt to hit Inner Space users, and gave them a couple days on their WoW subscription for the inconvenience.

And then there's "Players that buy gold have an immediate and sizeable advantage over other players, because they can use that gold to buy goods, including armor, weapons, potions and other items, that make their character(s) much more powerful in the game compete at highest level." That's actually fairly ridiculous, and is not much different than having a high level friend. Replace "buy gold" with "receive gold from a high level friend" in the quote, and observe the similarity. The sole difference is that one is for money, and the other is for social currency or in exchange for something else entirely. In either case, the gold had to be acquired by roughly the same methods. One may or may not have been automated, and I would actually wager that more of the supposedly illicit currency being sold or otherwise transferred was generated by human power, or dupes or other exploits, rather than bots. I used to do it myself in EverQuest, manually farming and only using EQWatcher to provide me with an alarm to wake me up to kill a rare spawn or its placeholder every 20 minutes or so. I probably made $10,000-20,000 over a couple years just doing that in EverQuest every couple weeks to help pay the bills. And I knew a lot of people who did that, some of whom tried to hide it from guildmates. I regularly sold platinum to a guild leader, and so on. The people who play the game the most are going to have a surplus, and if they need extra cash, selling that surplus is a wonderful option, and I will stand up for that, even in the face of kids who whine and say it's unfair.

The fact of the matter is that the fun of gaming is different to different people. There is no way to write a policy on RMT (selling/buying gold, etc) that makes everyone happy. The poor kids come into the game thinking they have a level playing field with the rich kids only to find out that capitalism is still in effect, and if the rich kid wants a tradeable item he could get it without spending all of those hours grinding, by instead giving up some of his real life money to another player. This is called opportunity cost. Player A has a job making $20/hr. Player B has more time than player A to spend playing games, and acquires item X with 8 hours of work. Player A could choose to spend 8 hours making $20/hr, or spend 8 hours acquiring item X. Player B is probably willing to part with the item for less than what Player A makes in the same time interval, and player A would rather spend the equivalent of 4 hours getting the item, rather than a full 8 hours, so he pays $40. What exactly is wrong with that?

There is no way to write a policy on botting that makes everyone happy either. For a lot of people, designing automatons is more fun than the tedium of doing the repetitive work that others enjoy. I've been doing it since I was a kid, and I'm no stranger to the debate as to whether botting is cheating. I've been kicked off of local BBSs for automating their games. My crime is that I'm a sort of inventor, and being an avid gamer, I tend to explore lots of ideas relating to games, tinkering and developing new toys I can use to learn more about the games, to speed up repetitive tasks, and so on. I made tools to reverse engineer game databases, revealing the data to players for analysis so they could identify the best equipment to use for their character to do the most damage. I made tools to track the progress of other players and compare how fast they were advancing compared everyone else (you could check the top 100 list and see how much experience each character had). I made tools to automatically map and explore maze-like space games, analyzing the data to find the best spots to build my base and the most likely places to find other players' bases. I made tools for BBS operators to make changes to their game databases and provide a user experience unique to their operation. But what I did the most back then was automate those games, and help others do the same. And none of this was to harm the games or the other players -- in fact, I only started doing that automation at the time because it was the only way to keep up with the people who were already automating it. Other people never automated, but actually had the time to sit around and play the games manually, day in, day out. And some people do that to this day even in World of Warcraft. I'd like to make it clear here that a lot of people really enjoy creating or using bots, and they don't want to harm the game or other players. I would like to see an experiment with WoW with a new server where bots are explicitly allowed, and I'm certain that the people playing on it would have just as much fun, if not more fun, possibly willing to pay more to play, including owning multiple accounts (yes, people do that, but this is not a behavior exclusive to botters!). Granted, I don't think Blizzard will do this, because it would put a positive light on botters or providers of bots, and would have positive commercial impact on those providers, and I assume Blizzard wants to have neither of those things.

The funny thing about it is that there's a lot of fun to be had in messing with other people's bots. In the games I used to automate as a teenager, the bots people used were very primitive. These were text based games, so you'd enter a command to check your health, and it would spit out some text like "Health: 50 / 100". Well a lot of bots were so poorly coded that you could say in chat "Health: 1 / 100", and the bot would think it had 1 of 100 health. Typically in those days that meant hanging up the modem to terminate the connection, and the character could have been left online for several minutes and subsequently killed by random mobs or other players. Or when you entered a room and it lists mobs, the game might say "Also here: a giant rat". This could also be exploited in chat to make a bot think that something was there that really wasn't. For example, "Also here: ^Mw^Mw^Mn^Mn" could be interpreted by a bot as the name of a monster in the room, and to attack it, it might enter "attack ^Mw^Mw^Mn^Mn" -- ^M is a code for Enter in the right context, so a bot vulnerable to this exploit would enter several commands:

attack
w
w
n
n

This made the bot move to the west twice, and to the north twice. I can't even count the number of bots I made wander into towns where guards would kill them on sight, or I made them run into a room full of monsters that would just plain destroy them, and so on. And people do the same sort of stuff to bots in WoW; you can find videos on youtube of people having fun at the expense of someone else's bot. That used to be all part of the fun. Do you want to give that up? ;)

Okay, I've digressed and this post is way too long and I've spent so much time typing it that I can't think of anything else to write at this point anyway. Good night!

February Update

2008-02-04T07:31:00.000-08:00

Nothing much new to report here, but I will review the situation discussed in November, and relate a recent news article to the situation.

First things first. Blizzard has not yet changed the Warden since November, and the vulnerability described on this blog has not yet been exploited. It may never happen, but the possibility remains that a violation of privacy or something even worse could be injected with or without the company's knowledge (Blizzard would most assuredly argue against the possibility that it could happen without the company's knowledge, but as they say, where there's a will there's a way). But, they are certainly building confidence with the lack of changes for a few months. This still leaves the case open that I've brought up before, being that they may be going easy on Warden with the realization that it's only so effective while the community is keeping a watchful eye on it, and relying instead on measures that the community cannot so easily read.

Now, before I continue on to the news article, I want to stress that Warden is not a mechanism that protects Blizzard's copyright -- though they would like to make the argument against this as well (and are making this argument in MDY Industries, LLC v Blizzard). What Warden does is scan for various hacks and cheats, usage of which may cause them to take action against your account and remove access to their service (as per the EULA and Terms of Use), but does not constitute a copyright violation. The copyright is protected by their account system, which enforces that a legitimate copy of the game is being used to play on their servers (a concept proven in Blizzard v BnetD).

With that in mind, the article I want to mention, "Just say no to intrusive DRM" is about the Privacy Commissioner of Canada, Jennifer Stoddart. On January 18, 2008, Stoddart sent a public letter to the Canadian Minister of Industry "with respect to possible amendments to the Copyright Act." One of the fears specifically mentioned is essentially the same thing I mentioned here in November:

"Even if users do find out (and object), they wouldn't be able to strip the DRM or circumvent it because Prentice's bill will reportedly contain US-style anti-circumvention provisions."

What they're saying boils down to this: If Blizzard is somehow successful in court making the argument that Warden is copyright protection technology protected by the DMCA, then not only would I be criminalized as a Warden researcher providing anti-Warden technology, but the privacy rights of World of Warcraft players would be exploitable. In terms that the average MMO player should recognize, this could turn the tables from players using leet sploits to gain an in-game advantage, to the publisher using leet sploits to again a real life advantage, and this would be far more dangerous. Regardless of whether Warden itself is protected by the DMCA, the Privacy Commissioner is trying to prevent this sort of thing from happening by making sure protection of privacy trumps protection of Digital Rights Management.

So I will reiterate my earlier statements that transparency in Warden technology should be kept, so that privacy can be legitimately ensured by researchers like myself and the others that keep tabs on Warden. I'll also say one more time that Warden is not copyright protection technology, and it would be very detrimental should Blizzard prevail on that argument, and I'm afraid of the scope of the damage that would be done to the general software industry as a result.

But, like I said before, I don't necessarily think it's Blizzard we need to be afraid of. This type of thing could open the doors, just for example, for a nefarious organization to pose as a legitimate MMORPG provider and even create and maintain a real game, as a front for spyware that they could protect under the DMCA, for completely unrelated purposes. I'm not one to support conspiracy theories in general, but I believe that day is coming whether any of us like it or not. Why? Because it would work, because organizations have been doing it in other industries for years, because it could be immensely profitable, because many players will call the mere mention of the idea bullshit and voice support for the currently hypothetical organization... it's only a matter of time.

In plain English

2007-11-15T18:10:00.001-08:00

The post "A storm is brewing" was technical in nature, and was not particularly intended for the audiences it actually received, and as such, a lot of readers did not understand the items at issue.

I'll attempt to make clear and concise statements to help clear things up, and point to the real issues.

Warden is a piece of software that Blizzard Entertainment uses to help protect World of Warcraft (WoW) from a world of cheaters and other perceived enemies, since its inception in a patch of the game on July 12, 2005.
I am regarded as one of the most knowledgeable individuals outside of Blizzard Entertainment on the topic of Warden, and have first-hand knowledge of Warden through reverse engineering nearly every minute detail of the software since its inception.
Warden as a whole is composed of three basic pieces: a piece on servers run by Blizzard, a piece in the World of Warcraft client that remains there until patched with the rest of the game, and a piece sent during the WoW login process that can also be replaced any time afterward
The piece sent during the WoW login process is the piece generally spoken of as simply Warden (and this is the piece I will refer to as Warden hereafter)
Warden is polymorphic. What this means is that they generally create one set of functionality, and create hundreds of non-identical copies (which I will refer to as permutations) of it that produce the same end result. The reason for being polymorphic is to make Warden marginally harder to circumvent, and harder to detect when Warden has been updated with new functionality.
There is typically about 318 permutations of Warden in distribution at any given time, according to our tracking information. This may be different as of the last few days, as at present time, Blizzard is only rotating a single permutation into the wild every few hours. Bear in mind that can change at any time, and may go back to 318, or could literally be any other number bound only by Blizzard's computational power to produce them (without implying any such intent, WoW provides them with a lot of money, if they wanted to this could be a much bigger number than 318).
Warden currently has roughly a dozen scans available to it. Each scan searches for one type of thing, typically being informed of a specific thing of that type to scan for upon request by the server. For example, one scan that was previously used is a scan that could find a window open on your computer, and that scan would be told to run and look for a window titled "My cheat program" (not really that specifically, but for an easy to understand example).
Scan responses typically involve simply a YES or NO answer, for example a NO that it did not find a window titled "My cheat program". Other scan responses do involve bits of memory directly retrieved from the World of Warcraft process, usually not encrypted.
Warden performs a set of scans at random every 15 seconds during World of Warcraft play, per instructions from the game server. The scans are run, and the results sent back to Blizzard.
Warden is effectively useless the vast majority of the time. The process generally works by making the assumption that for some period of time after a Warden update (meaning one specific set of functionality consisting of any number of permutations, not an individual permutation), the scanning capabilities of Warden is unknown to the cheater, and furthermore that the time of the update is unknown to the cheater. During that period, any cheater unwise to the update is vulnerable. However, once it becomes known that Warden has been updated, and how to defeat it, cheaters are no longer vulnerable. Subsequently, during that period, Blizzard is the only entity that "knows" there is no concern for privacy, and customers are required to trust that.
Warden updates have been tracked without Blizzard's assistance since early 2006. As such, any who cared to listen were notified of the update at the time of the update.
On Tuesday, November 13, 2007, Warden was updated to include a new cryptographic (crypto for short) layer, presumably used to prevent man-in-the-middle attacks over network (something done by those who emulate the WoW network traffic in order to automate game play without running the World of Warcraft client software). The cryptographic layer works for that purpose solely because the algorithm is generated, presumably at random, per permutation, and is embedded into Warden. Warden itself is not encrypted as part of this layer.
Prior to the new crypto layer's implementation, all permutations of Warden could be vetted by security researchers in one fell swoop, effectively verifying that all permutations of Warden did, in fact, contain the same functionality.
Ironically, the world of cheaters are the ones tasked with making sure Warden is lawful, and notifying the rest of the World of Warcraft community when something isn't quite right. Consequently, the World of Warcraft community generally responds in favor of Blizzard, regardless of potential infringements of their rights, because they believe that Warden is becoming more effective by whatever is added to it.
Before item #16 is read, I will reiterate that Blizzard has not, in my opinion and to the extent of my knowledge, broken laws with Warden's use in World of Warcraft. Nor do I believe they would knowingly and willingly do so.
The new crypto layer's implementation creates a sort of vulnerability in the system, affecting users of the system, but of no concern to the creators of the system. Specifically, as this algorithm is produced at random per permutation with only the requirement that the server also be aware of the algorithm, it must be assumed that every permutation has a different implementation of the algorithm, and it doesn't make a bit of difference what the algorithm is. In the few copies I have reviewed, it is in fact a cryptographic hash algorithm, and the result is then used to re-key the encryption after sending a hashed copy of the key for verification by the server (the algorithm accepts random data from the server, and produces data that can only be predicted and verified by the server, without manually reverse engineering the permutation of Warden). The real problem is that this implementation can be exploited by Blizzard or an employee of Blizzard, at their sole discretion, with surgical precision if they so choose, to bypass any protective measures taken on behalf of the customer, and retrieve anything they may not be entitled to, even installing malware. There is essentially nothing stopping Blizzard from producing 100,000 permutations of Warden, slipping something unlawful into a single permutation, and slipping right through any network of researchers watching for just that.
Typically this sort of thing is not an issue, as programs consumers purposefully come in contact with are not polymorphic, and it can be generally assumed that every copy of Windows Media Player 10, for example, is identical to the others. Security professionals can take their time in tearing it apart and letting people know if there is something to be afraid of. Warden, however, typically comes in hundreds of flavors, and the software routines are downloaded and executed in real time, and customers must not observe the behavior of those routines, as required by the game's End User License Agreement. This means that the customer is prohibited from viewing what Warden is doing, even if they have the knowledge to do so.
While, again, I do not believe that Blizzard will knowingly and willingly break any laws, I do believe that the customer has the right to reverse engineer the software, if for no other reason than to verify that it does not violate privacy, install malware, and so on. Blind trust is a very good way to get taken advantage of, and you never know until it's too late.
I regret that Blizzard is taking fire in a direct fashion for this, as I do not wish to make this specifically about Blizzard (although yes, I did call on Blizzard to promote transparency in their detection methodology, the issue as a whole goes well beyond Blizzard). I am not attempting to "fearmonger", nor do I see it as a positive thing that the original article was misinterpreted. I am also not raising this issue due to any implied difficulty in continuing to provide software that can hide anything from Warden (if you must know, my solution is waiting until I have solved this vulnerability for those that my software protects, and that solution will be available soon, but cannot address the greater issue).
The issue that happens to affect Blizzard today, is likely to affect more corporations in the future, unless it can be legally curbed. It's a slippery slope, and although they may not be doing something wrong today in the opinions of many, Blizzard or similar corporations may continue dangerously down that slope and eventually the many may change their minds and become interested. With an End User License Agreement and Terms of Use that expressly prohibit research into their tactics, polymorphic code to help hide them, and now random functionality that makes it much more difficult to white list all of Warden (if you ask me what scans Warden has now, I can't tell you for certain), one must wonder exactly how far companies like this will go. Such tactics are usually reserved for malware to hide from anti-virus software! How much of our rights to know what information our own computers are sending out into the world do we have to give up, just to use software? What is stopping other companies from doing the same thing? Why would we trust other companies in the same situation Blizzard is in? In a world where corruption issues routinely make front page news, people need to realize that there are reasons new laws get made. We need to protect our rights as consumers, not blindly accept whatever agreement is thrown at us. Just because the EULA says something is prohibited does not mean they have the right to prohibit it.
Besides, Warden effectively does little to solve the problem it intends to solve! Granted, Blizzard is able to ban some accounts from time to time, but they are showing that they do not need to have this software in order to ban accounts. Server-side detection mechanisms are more effective, as they cannot be subverted by client-side mechanisms, and cannot be discovered by reverse engineering the game client. Instead, server-side mechanisms would attempt to enforce humans playing the game, rather than bots, or attempt to enforce game mechanics where the player may modify them (e.g. by making himself move exceptionally fast). In this fashion, there is no inherent danger to anything on your PC, and quite frankly, if a cheater does not appear to be cheating to the other players, then clearly no harm is done to the game. But again, quite frankly, Warden does not greatly reduce the number of cheaters or botters, trust me they're still here, and in far greater numbers than when Warden was first implemented in World of Warcraft in July 2005. It does not reduce the real-money trade for in-game valuables, that's still here too, and likely in far greater numbers as well (though I don't have the data to back that up, I believe it is a growing industry) -- Server-side mechanisms are, however, at least somewhat effective there. If Warden is good at anything, it's simply delaying cheaters and botters by making them wait for protection, or it's good at putting money in Blizzard's (and Vivendi Games') pocket, because the majority of the accounts they ban end up coming right back and buying a brand new copy of the game, just to continue the cat and mouse game.
Very nearly (if not exactly) the same level of effectiveness that Blizzard is sincerely offered by Warden can be gained without producing polymorphic code at all. Furthermore, removal of the polymorphic code would allow security researchers to ensure that customer data is safe, without blindly trusting Blizzard, to a much higher degree.
I wish to reiterate that it's not my own data I'm concerned about. If this were about any implied difficulty in protecting myself from the system, I wouldn't even bother to blog about it. The problem is that I can no longer ensure the safety of other World of Warcraft players, including my own family, and I believe it is important for someone to do that. And again, not just for World of Warcraft, but for any software that seeks to use cryptic or secret methods to do their bidding.

I hope I have made it clear that I do not have an inherent mistrust of Blizzard as a whole, but while we can share the belief that Blizzard means well, Warden is not stopping people from cheating or botting, and there are precedents to be set here. We can't lay down and give up our rights, or our expectation and even verification of privacy, to companies just to use their software.

I apologize for not having links to back up various statements, such as #21, but with any amount of research, you can verify that the cheating and botting communities have not left the game, and with some 9 million subscribers, I don't think anyone will find otherwise.

Update: Just a few excerpts from F-Secure's Malware Code Glossary that show potential relationships between this type of software (Warden), and what companies like F-Secure aim to protect you from. This is not an indication that I believe Warden itself is clearly any of these things, but definitely is very close to the line if not, and again, this is not just about Blizzard and Warden, but about all current and future companies doing similar things.

Polymorphic Virus A Polymorphic Virus is a virus which changes itself (mutates) as it passes through host files, making disinfection a serious challenge. Rootkit
Rootkits are a technique that allows malware to hide from computer operating systems and from computer users. Rootkit techniques create stealth programs that run at a "lower" level than the user can see with normal software utilities. Malware attempts to use this method to avoid detection by security software. Spyware Spyware is software that performs actions such as creating unsolicited pop-ups, hijacks home/search pages, or redirects browsing results. The term Spyware has been used in two ways: In its narrow sense, Spyware is a term for Tracking Software deployed without adequate notice, consent, or control for the user. In its broader sense, Spyware is used as a synonym for Spyware (narrow) and Other Potentially Unwanted Technologies. Trojan A Trojan or Trojan [Horse] is a software application with hidden destructive functionality. It is a program that appears to do one thing but actually does another.

A storm is brewing

2007-11-14T10:37:00.000-08:00

Important note: A lot of people are misinterpreting this post because the details are largely technical. Please see the follow-up post "In plain English", as I believe I have covered most if not all of the points people are attempting to make after reading this article.

Coinciding with the most recent World of Warcraft patch (Tuesday, November 13, 2007), Blizzard has begun a more aggressive campaign with Warden. The changes to Warden effectively remove our ability as a community to police Blizzard's activities, and may lead to undetected violations of personal privacy, among other possibilities. I have until now publicly defended Blizzard's actions, which were already under public scrutiny, partly because of Greg Hoglund and his crusades (which I have never agreed with). I do not believe that Blizzard would ever intentionally break privacy laws (or any laws for that matter), at least in any manner that can be traced. However, as we all realize, there are gray areas, which Blizzard is no stranger to (I would consider Warden itself to be in that gray area, which does not seem to be illegal, but that many people would feel is a violation of their rights, and could potentially be deemed illegal in the future), and I do believe that Blizzard would enter those areas until legally bound to leave them (i.e. when the area is no longer gray, and consequences would follow).

I cannot condone or agree with the changes to Warden, and I fear they may be overstepping their bounds. The problem is that Warden has long been a polymorphic program, typically a concept used for viruses, spyware, and other sorts of things that an attacker may wish to hide (see the linked page from the words "polymorphic program", and take note of the described usages). In Blizzard's case, they intend to hide functionality of Warden from what they perceive as attackers, for the obvious reason of catching said attacker without him being tipped off as to how. Clearly, if said attacker knows how, he would attempt to avoid being caught. In itself, this polymorphism is not entirely destructive.

Historically, the polymorphic code produced essentially the same predictable results in the end, and Blizzard's Warden-related activity was kept in check by software like ISXWarden, and to some extent by Glider's Tripwire (at least in the ability to track how often and in what numbers a new Warden was produced, I'm unaware of any additional capabilities Tripwire may have). Unfortunately, Warden now includes a different random cryptographic hash function in every copy, apparently used for cryptographic key exchange, at least in the copies I have reviewed. However, it is nearly impossible to enforce that. The hash function could be replaced with a function that retrieves information from your computer at random (or even precisely defined information, including credit card numbers, or literally anything else) and sends it back to Blizzard, and to electronic enforcement systems, this would be nearly impossible to predict or report.

I formed my opinions of Blizzard's activities and stood on their side of the line on privacy violation arguments, solely because I have been able to automatically keep track of exactly what Warden was doing, how it was doing it, and what information was sent back to Blizzard, regardless of the number of permutations of their polymorphic software. This effectively resulted in checks and balances, much in the way government bodies separate their powers which I believe, in the end, are supposed to preserve the rights of the people in cases of corruption and such. Now, information suggests that Blizzard has begun continually producing replacement copies of Warden -- previously, roughly 318 permutations of Warden existed per patch (according to information from ISXWarden users, as can currently be viewed on the WardenNet stats page), and would be used on a rotating basis. To reiterate what I implied above, all 318 of those permutations could be vetted by software (including ISXWarden), and the behavior of each one could be verified to be identical. Therefore, anything that Blizzard would try to slip into their software was kept in check, and they would not have been able to introduce any significant privacy violations without alerting their customer base. That's actually a very good thing to have on their side.

However, this change to Warden is not a very good thing to have on their side. Given the fact that the randomly generated hash algorithm can be replaced at Blizzard's sole discretion with any other algorithm, including ones that retrieve and use personal, private and/or otherwise confidential information, with only their server to be required to know about the changes, this should be considered a very scary thing for the rest of us. Blizzard, I agree with you wanting to protect your game, I agree with most of the functionality you have placed in Warden, but you're losing a supporter who has conflicts of interest with your policies and still agreed with them, and that would have made a strong argument for your side.

Blizzard, I strongly urge you to promote transparency in your policing efforts. The public cannot be expected to trust a corporation that is hiding information from its own customers. You are governing several million people across the globe, and even though you do not like some of them, you should not attempt to hide your software or the functionality of your software on your customers' personal computers. There is absolutely no excuse for doing so, and I do believe that this is now, without a doubt in my mind, an ethical issue.

Digg it

Update:
I wish to clarify a few things, as this post has been read, mis-read, partially ignored, and so on.
There is no issue with Blizzard using a hashing algorithm, or encrypting data. There is no issue with Blizzard attempting to detect its perceived attackers. There is no issue with a key exchange in the detection software. It's not even about any implied difficulty by said attackers to sidestep the new functionality, which at face value, is not a difficult task. The issue is that the hash algorithm can be replaced with any algorithm. The issue is that the hash algorithm is different in every copy of Warden, so there's no simple method of ensuring that every copy of Warden is simply using a hash algorithm, and furthermore that it is one-way. The issue is that the detection software may be exploited, by Blizzard or an employee of Blizzard, with or without the corporation's knowledge, in order to do anything they please on your PC. A resourceful Blizzard employee could, for example, install a virus or other malware on your PC, and have a pretty high chance of that going undetected by the customer. This example may seem extreme, but bear in mind that all customers are required by Blizzard to blindly accept whatever Warden is doing on your PC. By discouraging independent analysis of their tools, Blizzard seems to have something to hide. While I will reiterate (from the first paragraph of the post) that I don't believe that Blizzard would knowingly and willingly break any law, I do strongly believe that Blizzard has a responsibility to show its millions of customers that it is taking these actions in good faith.

Finally, I believe this is an issue that affects not just Blizzard and their customers, but all present and future corporations and customers who may be attempting to hide this sort of process or information from their customers. There is a limit to what they can do, and we can't blindly expect Blizzard or any such company to follow those limitations if they are not being independently verified.

State of the Warden

2007-10-03T07:05:00.000-07:00

It's been a few months now since Warden has been updated. What's Blizzard up to exactly? And how is ISXWarden holding up lately? Here's a few short answers.

First, ISXWarden. I'm still pretty confident that the issue was solved by fixing the data corruption issue. Within a week or so of that fix, the bans and suspensions essentially stopped. It's been relatively quiet since then, with no updates needed other than for the game patches (though there were some other minor changes to ISXWarden to protect against other potential scenarios during that week or so after said fix, those do not appear significant yet). Other than that, there's not much to discuss about ISXWarden since it seems to be in good health. So until there's more problems with it, that subject is covered for now.

Now to Blizzard and their current activities. From what I'm hearing and reading on various forums, the latest ban/suspension craze is Exploitation of Economy, as well as intended exploitation, and other reasons connected to the purchase or sale of accounts or virtual goods (e.g. "Involvement in online trading activities"). A few patches ago, for example, Blizzard added a 1 hour delay when sending currency via in-game mail to other accounts (the same delay that has pretty much always been there for items). It's no secret that they have used this to their advantage in their quest to hinder the World of Warcraft gold industry. I have to commend them for this non-invasive approach, and of course no client side tools can protect against their use of risk management in blocking gold sales. Various people have reported that some of their own legitimate gold transfers (between two accounts that they own, for example, or to a guildmate) have been held for review, and later released to the destination. So cheers to Blizzard on this, a moral victory for them if nothing else.

Additionally, hardcore botters are finding that Blizzard has been keeping tabs on their activities. Bans and suspensions are apparently being handed out for being online too much of the time, presumably with other requirements on top of that, like not responding when a GM sends a message or such. Again, a non-invasive approach, and you have to respect that. Even Greg Hoglund couldn't spin that one into an invasion of privacy.

Speaking of Hoglund, I read the recent Associated Press article involving him and his associate McGraw. I don't know if it was the journalist's interpretation or what, but this really got my goat:

"One problem is that these observer programs are invasive, since they must access the underlying operating system in a player's PC in order to sniff nefarious code. McGraw believes the Warden might even violate California's anti-spyware law." - link

What the hell does "access[ing] the underlying operating system" have to do with anything? World of Warcraft has to "access the underlying operating system" just to load in the first place. Is it going to become illegal for software to open other processes? Or read files from your hard drive? Where do you draw the line exactly? It's not damaging your computer, it's not sending back any information that could be used to steal your identity, so what's the deal? Is this going to mean that anti-virus software also can't report back to base about what viruses it discovered on your system?

That's literally the same process, with only a slightly different usage of the data. Anti-virus publishers aren't going to cut you off for having contracted a virus from opening a malicious email, they would just want to know what viruses are active in the wild, much like keeping track of how many of a given animal species remain on our planet. Information received by Warden, on the other hand, is specifically for enforcing account holder policies. They find a malicious "virus" (hack or cheat, in this case) on your system, and they're going to take action against your account. Keep in mind, once again, that Warden is very much like anti-virus software. It doesn't care what web sites you have open, what goat porn you have stored on your hard drive, or anything like that. It essentially has a list of viruses, and it is looking for each one. When it finds one that it is specifically looking for, it will send back an indication that it was found, nothing more.

"Sometimes, there appears to be financial incentive for the game makers to be good — but not terrific — at stopping cheating. Consider this: Cheaters who get banned from games often immediately sign back up under a different user name, paying money for a new account in hopes of trying again. If cheating protections were significantly stronger, fewer perpetrators would continue to buy accounts." - same article

This notion is nothing new of course, and people have been saying it ever since they started getting banned and buying new accounts. The point made in the article is that Blizzard has financial incentives to make sure cheating continues to occur, and periodically purging it. But here's some food for thought: Is it extortion? Is Blizzard merely slapping people with commercial interest in having accounts with a wet noodle, only to absorb the money made from the account key and subscription fees, knowing that the process is just going to repeat? Are these people essentially paying Blizzard protection money? "Hey, you haven't paid your protection recently, so I'm banning your accounts and keeping the money." Unlike information gleaned from Warden, Blizzard has financial incentives, likely lawful, to bully certain types of people and reap the benefits. One key point in Blizzard's favor is that these people don't have to keep coming back. They can leave any time, and not worry about paying another dime to Blizzard... unless of course, Blizzard then decides to sue them for some reason or another after they give up, which it would then have the financial incentive to do, since the perpetrators are no longer paying protection! Scary thought, that. I may be giving them too many ideas. Maybe these companies should be paying me protection to not give Blizzard these ideas, I'm mostly broke and Blizzard doesn't need the extra money (neither does Vivendi), what with over a billion dollars a year in revenue from World of Warcraft alone. I'm kidding about paying me guys, but you can if you want. But the point is, is this video game extortion?

This brings me to something else that could be interesting. What if, in order to reduce or remove the financial incentives, Blizzard took action that did not involve cutting off the account? Clearly, banning accounts is not going to stop the virtual market. Ban one, and it gets replaced. Those companies run through accounts like crazy. Sure, it puts some out of business, but has anything changed in the years that Warden has been in use? Absolutely not, other than prices going down. There's still hordes (pun intended) of bots, gold farmers, you name it. Probably far more now than there originally were.

All Blizzard is managing to do is keep the status quo, reducing the effects these activities have on the game's economy. The main draw may actually be that these banned accounts take items and gold out of circulation, keeping the in game prices relatively high. The gold would still exist -- much of the gold sales are not from bots or farmers, but from average players selling the extra that they have and don't have anything to do with. Hell, I did that in EverQuest. Eventually I was paying my rent by farming Wyrmslayers, Idols of the Thorned or Frostbringers (that should tip EQers off as to when this was), not exactly a major enterprise, but just enough that I was self sufficient. Is that really a problem? Is it the guy who takes some time off from real life to play video games or supplement their other income that they are after? Unfortunately, it's the average players that the current processes are harming, not the bots or farmers (keep reading).

Recent lawsuits (and Hubert Thieblot of Curse according to that article) allege that the practice of selling virtual currency for real money hurts the average player's ability to play the game, because people farming for this purpose will leave nothing in their wake for other players to fight or loot. Have you even played the game? Do you have any idea what casual players have to do to get gold? Anyone who wants to get gold, for any reason, say they want to purchase a tradeable item that would otherwise require a full raid party to get. This person is not like you, he doesn't care about hardcore endgame raiding, he enjoys playing with a small group of friends or family. How is he supposed to get gold, if it's not by finding what he deems to be the best repeatable way to get gold, and repeating it? There's no difference in having to make 1000 gold to sell in the real world, from having to make 1000 gold to buy something in the game. These people are doing the same thing. They're going to exhaust the resources that they find to be good. Your friend who is supposedly farming gold to buy that new mount? How do you know he's not selling gold on the side and using the mount as a front? Does that make him a cheater if he is? Should he be working a second job instead of playing the game at all? There's a whole lot of goodness in making money while having fun.

My father in law has no idea how he's supposed to get 5000 gold for some silly flying thing. And even then, if he got 5000 gold, what if he was told that he could, instead of spending it on a silly flying thing, he could get a few hundred dollars that he could put toward paying off his debts? If it weren't for fear of getting banned for something so menial, he could probably already have paid off his debts. Or what if he wanted to buy a nice gift for someone, but couldn't quite afford it? Is it really killing the game experience?

But here's the real point. It's the average person who just wants a few extra dollars that is taking the real hit. The companies that do this on a massive scale are still doing it on a massive scale, just maybe with a small bite out of their side. But the player who needed a few extra dollars, and had some extra gold, he's the one getting hurt. He's the one that feels the loss of his level 70 Hunter. The player who works 2 jobs and doesn't have time to grind out 20 levels to play with his friends who have no jobs and live in their parents basement, but has a few extra dollars and wants to pay someone to level him, he's the one getting hurt. The player who works too much and just wants that new item without farming for days or dealing with guild politics and raids, he's the one getting hurt.

Granted, it's not for everyone. If you think it's wrong to buy or sell gold, then, well, don't. But don't ruin it for everyone else, and quit your damn whining if someone has more money than you in real life so they want to buy something to get ahead in the game. Guess what, they do it in real life too, they buy things like jets, and they land them at NASA. Let's make having money illegal, so that rich people don't try to buy things. Clearly, it is better for them to hand-make their jet after getting all of the raw materials, and they have to know how to make each individual part, and .... wait, did you build your own car? So you have something that the kid on his bike doesn't have? You bought it with money?

Alright, I got off topic. But what I was heading toward is this. It would be interesting to see alternative forms of punishment. Instead of banning the account (and I'm strictly speaking of things like online trading, exploitation of economy, etc; not hacks or bots), what if they just made it more difficult for that account? Abilities could be less effective, or characters on the account move slower, restrict the amount of gold that it can transfer in a given period of time, and so on. Each offense could further restrict the account, reducing the likelihood that the practice will continue. After some period of good behavior, restrictions could even be lifted, essentially putting the account back into play. This could allow the casual player to partake in activities shunned by others, still at some potential cost, and the restrictions could inflict essentially the same pain on the presumed real target, the companies doing these things on a large scale. Done right, this could remove the perception that the game publisher prefers the activities continue in order to make more money. Of course, it might not be a good idea in the end and it may never be attempted, but I must repeat that it would be interesting to see. Maybe we'll find out the day I produce an MMO. :)

ISXWarden woes

2007-08-15T16:46:00.000-07:00

I believe I've finally found the bug in ISXWarden causing the recent Inner Space bans.

There was a possibility of data being sent back to Blizzard that would appear to be corruption of Warden scan results, in rare (but predictable) cases. This bug would cause results consistent with the reported bans and test cases provided by users (e.g. Tenshi). I do not yet have confirmation that this was the culprit, but that should come sometime before next Tuesday, if this is it. I'm pretty sure that's the one, but until I get the confirmation, pretty sure is the best I can give.

Since at least one person asked me if they can put "face -fast" back in, I will reiterate an older point. Client-side protections are great, but they will only take you so far -- you have to go the last mile yourself by making sure your bot is as human as possible. When I was your age, we dialed up to local BBSs and played games through text -- there was no such thing as client-side detection. If scripting (or "botting" or "macroing" if you prefer) was not allowed, looking as human as possible was the only available protection. Just because client-side detection exists now, does not mean you should give up your front line of defense just because the rear is covered! So no, my recommendations on that stand. Look as human as possible. High speed high precision is not particularly human-like.

Heuristics and your one unbanned account

2007-08-03T14:27:00.000-07:00

Preface
I don't want to give the wrong impression to people using ISXWarden, so I actually don't want to post this, after having spent an hour or two writing it. But, I mentioned it in IRC and some people want to read what I have to say. So here it is. Before reading on, be aware that client-side detections are not the main focus of the article. That does not mean that I'm not working on potential client-side detections, and this article does also not mean to imply that I believe a significant number of the most recent non-Exploitation of Economy bans are a result of server-side detections. It's about mitigating your risks, and why just because you got lucky enough that one of your accounts was not banned, does not mean that you can go about assuming this or that about what Blizzard does. Without further ado...

The Article..
I guess it's about time I try to explain something to the masses. The masses, in this case, being people wondering why some people get banned and others don't, even under very similar conditions.

I'll get the first part out of the way. This article is not particularly about Warden, but I will cover it anyway. Every 15 seconds as you play, Warden is essentially dealt a hand of several cards out of a deck of cards. It reads each card, writes something on the back, and returns the hand to the dealer. The dealer reads the back of the card, wipes it clean, and shuffles the cards back into the deck. This process is repeated ad infinitum. Notice the bold text. Because the cards are shuffled back into the deck, rather than removed, there is no absolute guarantee that in a playing session, Warden will receive each and every one of the cards. Likely, yes, but not guaranteed (if you need help with this one, talk to someone who is good with statistics and probability).

There's point number one. The point to go along with this one is that not all Warden scans are definitive. Take for example the known false positive debacles: Cedega users were banned in November(?) 2006, and WinEQ 2 users were banned in July 2007. Neither application is harmful to the game, and the bans were quickly reversed -- I'm not sure if Cedega users got added time on their WoW subscription, but WinEQ 2 users got 2 days added. I don't specifically recall anymore what scan hit Cedega, but I've got the information laying around somewhere. But, in the case of WinEQ 2, Warden has been scanning for d3dx9_30.dll. This DLL is distributed with DirectX 9 updates as of April 2006, and there are newer versions as well -- d3dx9_31.dll, and so on. Microsoft provides them to help Direct3D developers with common features. WinEQ 2 and Inner Space both use d3dx9 to display text with standard Windows fonts in 3D. So, how do they tell the difference?

Obviously, depending on the scan (but certainly the case for the Cedega and WinEQ 2 situations), they must use other factors to determine if what they are seeing is something [perceived as] harmful to the game or not. Additionally, said other factors must also be inconclusive on their own. I shouldn't even have to mention this, but the reason that the other factors must be inconclusive on their own is because if they were conclusive, you would already be banned. In other words, if Warden is detecting a memory modification that allows you to climb mountains you would otherwise be unable to climb, they have no reason to do further investigation. It doesn't matter what application made the modification, there is no reason for them to determine that. They see your mountain climbing hack, and ban straight away. But back to the point. If they don't know what it is, they just have to find additional information that provides them with a good enough indication that they will ban you.

Which brings me to the next point. Let's step away from Warden and dive into risk. If you haven't seen Along Came Polly, then for the sake of this discussion I'll sum up the relevant portion. Ben Stiller plays an insurance agent, and he uses some risk analysis software that he's able to enter all sorts of crazy things into, and it comes up with information as to whether his company wants to provide insurance to someone. I'm just going based on memory here, haven't seen it in a while and I didn't see the whole thing either, but for example his rich client goes shark diving or something, and skydiving, and such. Anyway if I remember correctly, there were seriously strange and crazy things (and I don't mean things you've actually heard of people doing, like skydiving) he would enter into the system, and his program was coming up with some sort of risk numbers based on what his client wanted to do, to determine if he wanted to insure the client or not. The point is, he enters multiple pieces of information, and the system comes up with some number that indicates the degree of risk.

Before I continue, the reason I mention the following is unrelated to client-side detection bans. The reason I mention that is I have to put up with people taking everything of this nature that I say as meaning that there is no client-side detection in the recent Inner Space-related bans. There certainly was, but that does not account for the whole of the reported bans. I did say that the more recent ones were not from Warden.

So anyway, now let's assume for a moment that Blizzard is smart enough to have some systems that do not rely on client-side detection methods. We already know to a good degree of certainty that they have various server-side "detections" involving Exploitation of Economy (EoE) bans. They also reportedly have hidden walls of sorts in areas that players cannot normally traverse, that when crossed, raise some sort of flag on the crosser. So, let us assume that they are a) not stupid, and b) implementing other sorts of server-side analysis as well. Granted, many things that they could potentially detect server-side may be too CPU-intensive to use, but that's exactly the sort of challenge programmers love. And that's where heuristics come in. Heuristic algorithms find a way to solve a problem to a reasonable degree, without having to perform too many calculations for the CPU.

If Blizzard wanted to catch bots, all they would have to do is identify a few factors that can be heuristically computed to come up with a comparison between a bot and a human. If bots consistently performed a behavior in a way that humans consistently do not, they can come up with a reasonable risk factor -- a probability that the player is a bot rather than a human. One behavior is usually not a good indication and would lead to false positives. There are of course other inputs as well, such as player reports, linkage of accounts previously reprimanded for botting, playing time and how that time is spent, and so on. Combine all of these factors, and you have now prepared a list of the characters most likely to be bot-controlled. If the aggregate risk factor is high enough for a given player, they could ban without any sort of follow-up observation. If it's not, then the list then serves as a prioritized list for GMs or other employees to run down for confirmation. If you're lucky enough, they don't catch you.

As a botter, you not only want to be sure that you are protected from Warden and other client-side detection mechanisms, but you also want to be sure that you are as low on that prioritized list as possible. The same goes for EoE ban candidates. If you're on their list, then it's simply not going to be good for you.

If you're interested in keeping your accounts, then cover your bases. Don't make the assumption that they won't catch you because you don't believe they would implement server-side detections. Whether they are right now for things that affect you or not, it is almost guaranteed that they will as they look to the future. Computers are only getting faster, storage and memory capacity is only growing, bandwidth capacity is growing, and calculations that were previously too expensive are coming within reach -- either by discovering new solutions, or simply as a result of the hardware improvements. Blizzard knows that client-side detections can only go so far, and can be worked around. They have to constantly come up with new ways to detect your software on the client side. And the right people will always be able to cover their -- and your -- tracks. Anything on the server, however, cannot be reverse engineered by those right people, and cannot (usually) be spoofed by the client.

The moral of the story is this... Don't take chances. Look as human as you possibly can when you bot. It doesn't save you from client-side detections, obviously. That's not the point.

Privacy and you

2007-07-29T14:45:00.000-07:00

Ahh, Greg Hoglund and the art of deception. Ever since Warden was implemented as an anti-cheat tool for World of Warcraft on July 12, 2005 (which Hoglund "discovered" in October 2005), there have been numerous reports that it is relaying information to Blizzard that would constitute invasion of privacy. It all started with Hoglund's rootkit.com post, found here: http://www.rootkit.com/blog.php?newsid=358. In all fairness, I will point out here that Hoglund did not state in his post that the private information mentioned was actually relayed to Blizzard. However, he intentionally left that possibility open.

So, let's take this at face value. Hoglund makes a "big deal" out of the use of the GetWindowText API. This API is standard in Windows and has existed since Windows 95 and Windows NT 3.1 according to its MSDN documentation. To clarify, Hoglund references GetWindowTextA, which is an ANSI encoding-specific version of this function -- there is also GetWindowTextW, which is a Unicode version of this function. There is a similar separation with many Windows API, and with recent versions of Windows, the ANSI versions actually wrap the Unicode versions. For the uninitiated, ANSI and Unicode are methods of encoding text in sequences of numbers. (i.e. terms that computers understand) Unicode is used to support internationalization, where there are far more characters (letters, numbers, etc) in various languages than ANSI encoding was designed for. Now back to the important stuff. So GetWindowText can get the title of any open window on your PC, as well as text associated with various other user interface controls. This can be used in conjunction with EnumWindows to retrieve the title of every window. Any program can do this, and it takes no special security priveleges.

If a piece of malware wanted to relay this information somewhere in attempt to steal your personal information, it would not take a genius to do so, and the program would pass right through any virus detection software. Why? Because window titles are not generally useful. Sure, said hypothetical attacker could determine that I am posting on my blog by checking my Firefox window title ("Blogger: On Warden - Create Post - Mozilla Firefox"). Sure, they could determine I am on Internet Relay Chat. But what good is that to the attacker?

The trouble of course begins when there is something to hide. Like anyone else, I would be concerned if my personal information was being transmitted. But that's just it. The key word is transmitted. The following is highly contrived and obviously unethical today, but imagine a device that could be inserted directly into your brain, and this device had the technology to scan your brain for information. If this device was not relaying any information to anyone else, there would be very little concern for your privacy. Now let's say that it relays some information, but that it only relays information about the device's health for diagnostic purposes. The question then becomes "Is it REALLY sending out a report on its own health, or is there more to it?" Now there's a good question. Now let's say it relays information about your thoughts, but only if you are thinking about doing something illegal or unethical. The question then, in addition to wondering if that's all it's REALLY looking for, is "Is it detailing my thoughts? Or is it just saying that I am having illegal or unethical thoughts?". And finally, let's say that it relays detail on every thought you are having. There is certainly no question to be asked about that, it clearly leaves you with no privacy at all.

So what is it that I'm implying? What I'm saying is that Hoglund's either not asking the questions, or is conveniently leaving those parts out. After all, with all of the excitement over his "discoveries", his site rootkit.com went from nothing, to something (see http://www.alexa.com/data/details/traffic_details?url=http%3A%2F%2Frootkit.com for site traffic details), he has mentions from the EFF, has spoken at the Black Hat security conference, and has now published a book (and of course, the book is plugged on rootkit.com, and presumably plugs the site as well). It's clearly in his economic interest to create controversy, whether there is any or not.

I'll take the liberty to answer the questions, with specific regards to Warden reading window titles, and its now 2 year history. Warden has never relayed window titles, and does not even currently read window titles at all (has not for some months now). What it did is scan all window titles, looking for specific ones based on a hash (as Hoglund correctly described). A hash is a way to turn some sequence of numbers into another sequence of numbers, resulting in a way to identify the original sequence to some degree of accuracy without actually revealing the original sequence. Typical uses include password checks (so that your password "god" becomes a large number and the original word is never revealed), data integrity checks (e.g. to make sure a download did not become corrupted), and so on. For example, if a cheating program had a window titled "My Cheat Program", they would hash that to come up with the value to compare against. Then, for each window on your system, it would hash the title and compare the hash to the value they came up with originally. If the title matches, it stops the search and notes the information for its response transmission. If no titles match, it notes this information for its response as well. The response to the window title scan was one of exactly two numbers. One means YES, the other means NO. There is the answer. While the window title scan was active, they were looking for specific "illegal thoughts" and receiving only a YES or NO response. The same is true for the process name scan -- yes, they did that too.

The entertainment value for me comes with the implication that The Governor is somehow current and shows relevant information. While it is true that The Governor once showed information relating to about half of Warden's scanning ability, it never showed exactly what was actually relayed to Blizzard, let alone the other half of Warden's scans. If the book is intended to have complete or current information on the subject, they would clearly be interested in speaking with other parties with knowledge of Warden. For example, I have been keeping tabs on Warden, and so has Mercury of MMOGlider fame, as well as maybe a dozen other individuals around the world. From the portions I have read, the book does not so much as acknowledge the existence of any other Warden expert other than Hoglund himself, if he is to be labeled as such. But it does incorrectly state that Warden is currently scanning the title bar of every window on your computer! This seems to imply to me that Hoglund has not looked at Warden since October 2005, and is simply counting the money he has made since. It seems that his intent is to defame Blizzard in response to his World of Warcraft accounts being banned, and make some cash in the meantime. I'd say he's covered the costs, maybe it's time to stop the charade.