Quarter To Three Forums

Old 11-15-2007, 12:01 PM   #1
mystery
Social Worker
 
Join Date: Sep 2003
Location: Madison, WI
Posts: 2,532
[WoW] New Warden crosses the line?

Linked off of /., this blog article goes into a pretty convincing argument for why the latest version of Warden crosses the line into rootkit spyware:
Quote:
However, this change to Warden is not a very good thing to have on their side. Given the fact that the randomly generated hash algorithm can be replaced at Blizzard's sole discretion with any other algorithm, including ones that retrieve and use personal, private and/or otherwise confidential information, with only their server to be required to know about the changes, this should be considered a very scary thing for the rest of us. Blizzard, I agree with you wanting to protect your game, I agree with most of the functionality you have placed in Warden, but you're losing a supporter who has conflicts of interest with your policies and still agreed with them, and that would have made a strong argument for your side.
mystery is offline   Reply With Quote
Old 11-15-2007, 12:04 PM   #2
Marcus
New Romantic
 
Join Date: May 2005
Location: North Hollywood, CA
Posts: 8,384
I've never even heard about Warden.
Marcus is offline   Reply With Quote
Old 11-15-2007, 12:07 PM   #3
stusser
New Romantic
 
Join Date: Jan 2004
Posts: 8,815
Every version of warden has crossed the line; people are just too addicted to care.
stusser is offline   Reply With Quote
Old 11-15-2007, 12:11 PM   #4
Lum
New Romantic
 
Join Date: Apr 2003
Location: Delirium, Texas
Posts: 7,750
Disclosure the author didn't bother to make: Lax (the author) sells one of the two main botting programs used in WoW. Sliiight conflict of interest. :)

Basically, he's pissed that his Warden detector (ISXWarden) is broken now. Whether or not you agree that Warden is a rootkit is certainly debatable, but the only thing that's really changed is that it's less detectable.

(For the people going "huh", Warden is the Punkbuster-style hack detection software World of Warcraft uses to detect bot programs, which has always been controversial due to its method of operation and privacy concerns. Description: http://en.wikipedia.org/wiki/Warden_%28software%29)

Last edited by Lum; 11-15-2007 at 12:25 PM..
Lum is offline   Reply With Quote
Old 11-15-2007, 12:12 PM   #5
z22
Spinning Toe
 
Join Date: Jul 2004
Posts: 942
The question I pose to myself is, do I trust Blizzard enough to only use it to stop bots/cheats/hacks? Yes, I do, for two reasons. Using it nefariously would jeopardize their huge money engine. Without these scanners, the alternative, playing in a game where there are cheats, hacks and bots, would make me quit the game forever.

Having played games that were ruined by cheats/hack/bots, I support Blizzard's stance. It's just unfortunate this is what's needed to combat these slimeball cheaters.
z22 is offline   Reply With Quote
Old 11-15-2007, 12:15 PM   #6
Alex Handy
Neo Acoustic
 
Join Date: Sep 2004
Location: Oakland
Posts: 1,536
Quote:
Originally Posted by stusser
Every version of warden has crossed the line; people are just too addicted to care.
Absolutely agree. I watched Greg Hoglund go traipsing through Warden with IDA Pro at Black Hat a few years back. The things Warden does certainly cross the line (Monitoring all activities, processes and memory movements on host machine). But frankly, the thing that I think most when considering Warden is "Shit, that's an impressive piece of software."

If you go into memory with IDA (A debugger, for those not in the know) while WoW is running, WoW juggles memory locations and moves things around in real time to stop you from finding what you're looking for. It also encrypts most of swap and memory.

Hoglund still figured out a way to teleport and to do other fun stuff, though. Half his talk was canceled because of a cease and desist.

Compared to the server-client stuff WoW has to accomplish, I think Warden is the most complicated and difficult part to design of their whole setup.
Alex Handy is offline   Reply With Quote
Old 11-15-2007, 12:15 PM   #7
Gunmetal
Social Worker
 
Join Date: Jan 2003
Location: Ontario, Canada
Posts: 2,541
Warden is a rootkit? That's a very interesting application of the word
Gunmetal is online now   Reply With Quote
Old 11-15-2007, 12:17 PM   #8
z22
Spinning Toe
 
Join Date: Jul 2004
Posts: 942
Quote:
Originally Posted by Lum
Disclosure the author didn't bother to make: Lax (the author) sells one of the two main botting programs used in WoW. Sliiight conflict of interest. :)
Figures. Typical reply from a capitalistic predator. Not you Lum, this Lax scum. :)
z22 is offline   Reply With Quote
Old 11-15-2007, 12:18 PM   #9
mouselock
New Romantic
 
Join Date: Aug 2003
Posts: 8,207
Y'know.. there are times when I think it'd be easier just to have untrusted platforms where users are prevented from running other things in adminspace. I wonder if it would be possible, for example, to require a virtualized OS for WoW2 (or whatever the follow-on in 5 years is) which has no trusted users and can therefore securely protect its own memory space and such.

I suppose that would upset the same people who are getting upset here, because their computers aren't actually fully answerable to them any more, eh? It's a tough problem to solve really.
mouselock is offline   Reply With Quote
Old 11-15-2007, 12:21 PM   #10
stusser
New Romantic
 
Join Date: Jan 2004
Posts: 8,815
It's not a rootkit, but it is an invasion of privacy. I find it worrisome that people aren't upset about it. Kinda like in-game advertising.

Privacy issues aside, clientside monitoring is the wrong path because your customers have access to the client, leading to the usual arms race. They should concentrate on developing server-side mechanisms like datamining and behavior modeling. They're foolproof and ethically sound.
stusser is offline   Reply With Quote
Old 11-15-2007, 12:24 PM   #11
mouselock
New Romantic
 
Join Date: Aug 2003
Posts: 8,207
Quote:
Originally Posted by stusser
It's not a rootkit, but it is an invasion of privacy. I find it worrisome that people aren't upset about it. Kinda like in-game advertising.

Privacy issues aside, clientside monitoring is the wrong path because your customers have access to the client, leading to the usual arms race. They should concentrate on developing server-side mechanisms like datamining and behavior modeling. They're foolproof and ethically sound.
But I don't want to pay $30 a month for servers because the first $15/month pays for the overhead of analyzing all incoming traffic. :/
mouselock is offline   Reply With Quote
Old 11-15-2007, 12:30 PM   #12
shang
Social Worker
 
Join Date: Jul 2003
Location: Tampere, Finland Gamertag: shangius
Posts: 2,584
I still haven't seen a single convincing argument why Warden should be considered a breach of privacy. All it does is send hashes. Being upset that the hash function could, theoretically, be replaced with a more nefarious algorithm is pretty loony.
shang is offline   Reply With Quote
Old 11-15-2007, 12:32 PM   #13
Adam B
Social Worker
 
Join Date: Nov 2006
Location: Minneapolis
Posts: 2,693
Is it 2006 again already?
Adam B is online now   Reply With Quote
Old 11-15-2007, 12:34 PM   #14
Alex Handy
Neo Acoustic
 
Join Date: Sep 2004
Location: Oakland
Posts: 1,536
Quote:
Originally Posted by stusser
They should concentrate on developing server-side mechanisms like datamining and behavior modeling. They're foolproof and ethically sound.
Certainly more ethical, but not more foolproof. Data Mining and monitoring, yes. Behavior modeling? Nope.
Alex Handy is offline   Reply With Quote
Old 11-15-2007, 12:37 PM   #15
Lum
New Romantic
 
Join Date: Apr 2003
Location: Delirium, Texas
Posts: 7,750
The arguments against Warden:

- Warden scans the user's process list and sends it back to the server without the user's explicit consent (Blizzard's response is that agreeing to the WoW EULA and playing WoW is implicit consent).
- Warden logs when the user is found to be using third party programs Blizzard disallows, and then bans the user from WoW. This is seen as a violation of the user's right to run whatever they want.
- World of Warcraft has many functions hosted client-side (which is how teleport hacks and the like happen) to improve game performance. This is seen as bad coding.
- Thanks to the arms race of hackers vs game developers and all of the above, Warden essentially behaves as a virus itself (using polymorphic code cloaking) to block users from stopping it from functioning. This is seen as hijacking the user's computer.

I disagree with all of the above complaints for obvious reasons. If you don't like Warden and find it an invasion of privacy, don't pay for WoW. It's really that simple. Playing WoW isn't a constitutional right, it's a contract between you and Blizzard. Game developers have not only the right, but the expected duty, to enforce a clean and open playing field.
Lum is offline   Reply With Quote
Old 11-15-2007, 12:39 PM   #16
Lum
New Romantic
 
Join Date: Apr 2003
Location: Delirium, Texas
Posts: 7,750
Quote:
Originally Posted by Alex Handy
Certainly more ethical, but not more foolproof. Data Mining and monitoring, yes. Behavior modeling? Nope.
Well-written bots can easily model the behavior of MMO players, to the point where they fool live GMs.
Lum is offline   Reply With Quote
Old 11-15-2007, 12:54 PM   #17
HRose
Social Worker
 
Join Date: Mar 2004
Location: http://twitter.com/MrSkimpole
Posts: 4,556
Quote:
Originally Posted by Lum
I disagree with all of the above complaints for obvious reasons. If you don't like Warden and find it an invasion of privacy, don't pay for WoW. It's really that simple. Playing WoW isn't a constitutional right, it's a contract between you and Blizzard. Game developers have not only the right, but the expected duty, to enforce a clean and open playing field.
Nope, those aren't the arguments.

The argument is whether Blizzard may use personal information simply to have a hack-clean game or for different, more debatable purposes.

The defense of privacy isn't to prevent good things, it's to prevent the next step. And if you don't put *a* line somewhere, then you are guaranteed that you'll be fucked at some point in a way you didn't expect.

And if this passes as an acceptable policy, then it will become standard between ALL games. And there's some freedom lost there even if it's "legal".
HRose is offline   Reply With Quote
Old 11-15-2007, 12:55 PM   #18
DeepT
New Romantic
 
Join Date: Mar 2003
Location: In the now
Posts: 5,119
I have to agree with Lum on this. If you want to play WoW, you must play by their rules. No one is forcing you to do anything, and if you really do not want Blizzard to know what you're running, then just don't play WoW.

I can't think of a legitimate reason anyone could object to Warden sending your process and service table to Blizzard. It is not like it contains your credit card information or anything.

If you do not trust a company enough to not steal important personal information, then you shouldn't run their software on a network enabled computer. It doesn't have to be a 'root kit', it can be any kind of program, such as WinZip, NotePad, or that fish-tank screen saver. Any application can rifle through your system and send data back to some server. Each time you run ANYTHING, you have to trust it.
DeepT is offline   Reply With Quote
Old 11-15-2007, 12:58 PM   #19
Fugitive
New Romantic
 
Join Date: Jul 2005
Location: Calgary
Posts: 7,603
Quote:
Originally Posted by HRose
The argument is whether Blizzard may use personal information simply to have a hack-clean game or for different, more debatable purposes.
Blizzard isn't getting personal information though, the argument is about the potential to collect that information surreptitiously in the first place, not what they can do with information they're accused of potentially collecting.
Fugitive is online now   Reply With Quote
Old 11-15-2007, 01:00 PM   #20
DeepT
New Romantic
 
Join Date: Mar 2003
Location: In the now
Posts: 5,119
Quote:
Originally Posted by HRose
And if this passes as an acceptable policy, then it will become standard between ALL games. And there's some freedom lost there even if it's "legal".
Freedom lost? It depends on what you define as 'free'. If you define free as Anarchy, then you are correct, otherwise you are wrong. If you lose your freedom to cheat, I gain the freedom to play a game without cheating.

Each time someone uses a cheat in a BF2 game, everyone else loses the freedom of fair play. I think the net balance of freedom can only increase by removing the ability to cheat.
DeepT is offline   Reply With Quote
Old 11-15-2007, 01:15 PM   #21
HRose
Social Worker
 
Join Date: Mar 2004
Location: http://twitter.com/MrSkimpole
Posts: 4,556
Quote:
Originally Posted by DeepT
Freedom lost? It depends on what you define as 'free'. If you define free as Anarchy, then you are correct, otherwise you are wrong. If you lose your freedom to cheat, I gain the freedom to play a game without cheating.

Each time someone uses a cheat in a BF2 game, everyone else loses the freedom of fair play. I think the net balance of freedom can only increase by removing the ability to cheat.
You should read Marvel's Civil War. I'm on Captain America's side ;)

It's always about losing freedom in the name of security.
HRose is offline   Reply With Quote
Old 11-15-2007, 01:15 PM   #22
olaf
Social Worker
 
Join Date: Dec 2002
Location: Texas
Posts: 2,766
Quote:
Originally Posted by stusser
Every version of warden has crossed the line; people are just too addicted to care.
Yeah that is my feeling.
olaf is offline   Reply With Quote
Old 11-15-2007, 01:17 PM   #23
HRose
Social Worker
 
Join Date: Mar 2004
Location: http://twitter.com/MrSkimpole
Posts: 4,556
Quote:
Originally Posted by Fugitive
Blizzard isn't getting personal information though, the argument is about the potential to collect that information surreptitiously in the first place, not what they can do with information they're accused of potentially collecting.
Excuse me, when you are worried about the potential to collect information it's because you are worried about how that information will be used.

I'll requote the beginning:
Quote:
the randomly generated hash algorithm can be replaced at Blizzard's sole discretion with any other algorithm, including ones that retrieve and use personal, private and/or otherwise confidential information, with only their server to be required to know about the changes
Conflict of interest or not, that's still true.
HRose is offline   Reply With Quote
Old 11-15-2007, 01:18 PM   #24
stusser
New Romantic
 
Join Date: Jan 2004
Posts: 8,815
Quote:
Originally Posted by Lum
If you don't like Warden and find it an invasion of privacy, don't pay for WoW.
Well obviously, but most players don't have the context to make that choice. Blizzard doesn't talk about warden and the vast majority of their users don't know it exists. There should be disclosure so consumers can make that educated decision.

Do I trust Blizzard not to steal my personal information? Sure. They're not going to issue a press release to PRNewswire talking about my latest downloads from Empornium with an addendum of my social security number and mother's maiden. Messing with their users is hardly likely to become corporate policy. But companies are made of their employees, and who can predict what some random nimrod is going to do?

Bots don't act like humans. Even if they mimic simple behaviors like killing monsters like a human, their usage patterns won't be sustainable like a human's. They can play for days on end without talking, taking bathroom breaks, etc. Datamining can catch that stuff. And fooling a GM? You're implying that MMO hack bots can pass a Turing test? Please.
stusser is offline   Reply With Quote
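
Added example, not part of any post in this thread: a minimal sketch of the server-side usage-pattern check described in post #24, flagging accounts that play for very long unbroken stretches without ever chatting. The log format, account names and both thresholds are assumptions made for illustration, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_GAP = timedelta(minutes=15)      # assumption: a longer silence counts as a break
STRETCH_LIMIT = timedelta(hours=20)  # assumption: unbroken play beyond this is unusual


def longest_stretch(events, max_gap=MAX_GAP):
    """Return (duration, chat_count) for the longest run of events in which
    no two consecutive events are more than max_gap apart."""
    best = (timedelta(0), 0)
    start = prev = None
    chats = 0
    for ts, kind in sorted(events):
        if prev is None or ts - prev > max_gap:
            start, chats = ts, 0          # a break ends the previous run
        if kind == "chat":
            chats += 1
        prev = ts
        if ts - start >= best[0]:
            best = (ts - start, chats)
    return best


def flag_accounts(log, limit=STRETCH_LIMIT, max_gap=MAX_GAP):
    """Group (account, timestamp, kind) records per account and return
    {account: duration} for marathon sessions that contain no chat at all."""
    per_account = defaultdict(list)
    for account, ts, kind in log:
        per_account[account].append((ts, kind))
    flagged = {}
    for account, events in per_account.items():
        duration, chats = longest_stretch(events, max_gap)
        if duration >= limit and chats == 0:
            flagged[account] = duration
    return flagged


def build_sample_log():
    """Constructed sample data: three hypothetical accounts."""
    t0 = datetime(2007, 11, 15, 8, 0)
    minutes = lambda m: t0 + timedelta(minutes=m)
    log = []
    # farmer01: one action every 10 minutes for 30 hours, never chats
    log += [("farmer01", minutes(10 * i), "action") for i in range(181)]
    # human01: 3 hours of play, a 40-minute break, 2 more hours, some chat
    log += [("human01", minutes(5 * i), "action") for i in range(37)]
    log += [("human01", minutes(220 + 5 * i), "action") for i in range(25)]
    log += [("human01", minutes(m), "chat") for m in (12, 95, 260)]
    # marathon01: 22 hours without a break, but talks once an hour
    log += [("marathon01", minutes(10 * i), "action") for i in range(133)]
    log += [("marathon01", minutes(60 * i + 3), "chat") for i in range(22)]
    return log


if __name__ == "__main__":
    for account, duration in flag_accounts(build_sample_log()).items():
        print(f"{account}: {duration} of unbroken play with no chat")
```

A flag from a check like this is one signal for review rather than a verdict; posts #16 and #29 argue that some bots imitate human responses.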
Old 11-15-2007, 01:18 PM   #25
Matt Perkins
Social Worker
 
Join Date: Aug 2002
Location: wzrd on Steam/XBLA
Posts: 4,577
Quote:
Originally Posted by HRose
You should read Marvel's Civil War. I'm on Captain America's side ;)

It's always about losing freedom in the name of security.
That analogy for the lose though. In that story, everyone that happened to have powers had to register or be an outlaw.

In this situation, you can either choose to play as Blizzard wishes or choose to not play. Pretty straight forward.
Matt Perkins is offline   Reply With Quote
Old 11-15-2007, 01:20 PM   #26
Linoleum
Social Worker
 
Join Date: Aug 2002
Posts: 4,384
I refuse to listen to any negative nellies in this thread who don't run OpenBSD as their main operating system and source audit drivers over breakfast.
Linoleum is offline   Reply With Quote
Old 11-15-2007, 01:21 PM   #27
Lum
New Romantic
 
Join Date: Apr 2003
Location: Delirium, Texas
Posts: 7,750
Quote:
Originally Posted by HRose
I'll requote the beginning:

Conflict of interest or not, that's still true.
No, it's not, it's FUD (Fear/Uncertainty/Doubt). It's literally saying "Crap, we don't know what they're doing! They could be doing anything! They could be sending pictures of your MOM! They need to be totally transparent so we can hack them...er, so we can monitor what they are doing!"
Lum is offline   Reply With Quote
Old 11-15-2007, 01:21 PM   #28
DeepT
New Romantic
 
Join Date: Mar 2003
Location: In the now
Posts: 5,119
Quote:
Originally Posted by HRose
You should read Marvel's Civil War. I'm on Captain America's side ;)

It's always about losing freedom in the name of security.
Apparently you missed my point, or maybe I am trying to nail jello to a wall.

"We" are NOT losing freedom with stuff like this. We are not 'giving up' anything for security.
DeepT is offline   Reply With Quote
Old 11-15-2007, 01:25 PM   #29
Lum
New Romantic
 
Join Date: Apr 2003
Location: Delirium, Texas
Posts: 7,750
Quote:
Originally Posted by stusser
Do I trust Blizzard not to steal my personal information? Sure. They're not going to issue a press release to PRNewswire talking about my latest downloads from Empornium with an addendum of my social security number and mother's maiden. Messing with their users is hardly likely to become corporate policy. But companies are made of their employees, and who can predict what some random nimrod is going to do?
Except that the logic being used by Lax in his FUDscript is that "OMG, we can't track Warden any more... they could someday patch in something that reads user files and we'd never know!" Well, of course. They could patch *WOW* and do the same thing. Installing a program means that you give it a level of trust to your file system (which is why there are so many trojans out there that install keyloggers and the like). The logic's ridiculous. Carried to its logical conclusion, no developer could ever publish a program without including its source code. Because, hey, otherwise, you'd never know what they could do in a patch!

Quote:
Originally Posted by stusser
Bots don't act like humans. Even if they mimic simple behaviors like killing monsters like a human, their usage patterns won't be sustainable like a human's. They can play for days on end without talking, taking bathroom breaks, etc. Datamining can catch that stuff. And fooling a GM? You're implying that MMO hack bots can pass a Turing test? Please.
Most MMO *players* can't pass a Turing test. I've seen bots that simulate things like typing delay and typos when responding to "Are you there?" canned GM requests. Bear in mind most MMO bots are used to farm gold for resale - there's a very real financial pressure to make them as efficient (and undetectable) as possible.
Lum is offline   Reply With Quote
Old 11-15-2007, 01:30 PM   #30
HRose
Social Worker
 
Join Date: Mar 2004
Location: http://twitter.com/MrSkimpole
Posts: 4,556
Quote:
Originally Posted by Matt Perkins
That analogy for the lose though. In that story, everyone that happened to have powers had to register or be an outlaw.

In this situation, you can either choose to play as Blizzard wishes or choose to not play. Pretty straight forward.
It's on another scale, but the principle is the same.

It's capitalism, so you have the power of choice with your money. But it's also a matter of culture and the way principles pass and get accepted/tolerated. Till they are considered absolutely normal.

If there aren't rules you see a slow erosion of your rights. And freedom, in history, only came when people fought for it. Never on its own.

So today we are debating about a game, but it's a debate that encompassed everything outside it.

Google decided to not pass its data to the government. Even in that case you could just not use Google.

The point is that if there are no rules and you still have a "choice", yes, the risk is pretty low. But down that path you arrive at a point where the excuse (you like it, ok. You don't like it, go away) will be used to justify everything and your power of choice will be just a bland illusion. Because there won't be anything different to choose.
HRose is offline   Reply With Quote