Blizzard, Bnetd Respond on Bnetd Shutdown

EvilDonut writes: "Following the roar of protests following the shut down of the BnetD-project, Blizzard has posted a Battle.net emulation FAQ, citing their reasons to to search out and close any project that allows people to play Blizzard games online without using Battle.net. Their main arguments are software piracy and the ability to control and expire the WarCraft III beta." There's also a brief note from the Bnetd people, included below.

From: "Tim Jung"
Subject: bnetd.org shutdown

If you would like more information on this please feel free to contact me. I am one of the developers and the hosting ISP for www.bnetd.org. I have talked at lenght with both the Blizzard/Vivendi lawyers and with EFF lawyers about our options both as an ISP and as a developer.

As an ISP I did not force the group to do anything, but rather presented them with all the legal information I have recieved and asked them what they wanted to do. As you can imagine neither my company nor any of the developers have the money to fight the Blizzard/Vivendi lawyers at this time. So until we are able to get some legal help to fight this we felt we had no choice but to close down the site for now until the time at which we could fight this legal battle.

If you have any questions or suggestions let me know.

Tim Jung
System Admin
Internet Gateway Inc.

files are still mirrored......for now

[kajoob]

if you want to grab the files while you can, grab it from sourceforge here or here or here while they last. That should cover all the flavors.

New mirror with current cvs

I have placed a current CVS pull as well as the latest release version at This Site.

Re:Translation

[Rogerborg]

• • Why doesn't Blizzard provide facilities that enable these emulators to authenticate CD keys through Battle.net?

    In order for us to keep our proprietary CD-key algorithms secure, we cannot allow outside servers to query for the validity of CD keys

  See above. Blizzard puts bread on the table by making money through software sales. Why should they be required to open up their scheme to allow others to be able to pirate their software more easily?

Please don't comment on issues that you don't understand. This is a bare faced lie, and has nothing to do with encryption or security. Here's why:

There is nothing to stop bnetd from doing this already.

The bnetd server could simply open a socket to a Blizzard Battlenet server, and pass on all packets from the clients until it reaches the key challenge/response. It could then kick clients out if they fail the challenge (although the client should terminate itself if it receives a "go away" from the Battlenet server via bnetd).

Why don't they do this? Because one of the points of bnetd is to provide an independent network to Battlenet, which is buggy and prone to dreadful lag and downtime. Being reliant on Battlenet is counterproductive to the basic aims of bnetd.

However, if Blizzard were to set up separate authentication servers, that do nothing but authenticate encrypted CD keys without having to go through the whole login process, everybody wins. They can keep them up more easily, bnetd can use them with more confidence, and pirates can be kept offline. If the Battlenet authentication servers go down, bnetd could let in anyone, so pirates could only play when Battlenet goes down, and, hey, Blizzard aim for 100% uptime, right? By putting a delay on servicing requests from any given IP, Blizzard could protect themselves against crackers just throwing random packets at them, but they don't really have to, because unless you know the client side encryption scheme, that still doesn't help you get valid keys that you can use.

There is exactly zero implication for security. The bnetd server would send on exactly the same encrypted client packet that it already receives. All packet passing is verbatim, there is no need for Blizzard to reveal any details of their encryption scheme. Bnetd doesn't even need to know what a "yes/no" response from the Blizzard servers looks like, although it would be trivial to sniff, and better if they did know, as they could then forcibly terminate the client.

Reminder: bnetd could do this already. Your ISP's routers are doing this already.

There is one slight caveat. Blizzard might have done something "clever" like pack the result of a getpeername() into the CD key packet as Netrek does with it's RSA packets to stop people inserting hacked "borg" clients between an unhacked client and a server. But there would simply be no reason for Blizzard to do this, and it would actually be counterproductive, as it would place a known and easily manpulated piece of data into the encrypted CD key packet, give a hint as to the encryption scheme used.

To recap: this particular statement from Blizzard is a big fat lie. I'm a professional network programmer, and I've hacked enough lousy and not so lousy encryption schemes to know. If you disagree, please spell out where the security hole is, because I'm simply not seeing one.