Slashdot Mirror
World of Warcraft's Brand New Rootkit
Captain Kirk writes "We all know that World of Warcraft has checked for hacks to ensure a safe game environment for all players. The latest version of these checks goes beyond anything seen so far in that what is being checked is now completely encrypted. Obviously this hits bot writers as can be seen from these complaints, But it also strikes at the privacy of all users. Now Blizzard has a tool that is encrypted and can run any type of scan, transfer any file or edit any document on your computer. That can't be right."
1 computer for gaming
1 computer for everything else
Sorry if you can't afford a second, but that's how I do it.
A feeling of having made the same mistake before: Deja Foobar
Then don't play. It really IS that simple. If you're having too big of a problem with that, put the mouse down and go join a support group.
If i had a WoW account i would be cancelling it this second, no videogame has the right to violate the privacy of my computer
You've already given up your life when you start playing WoW. What do you have to keep private?
If you don't like it then don't accept the TOS and don't play. It is really simple. I've played WoW since it came out at a very high level and I welcome Blizzard trying to stop the root kits/gold farmers/etc.
Summary of TFA: WoW Warden now selects one of many hash algorithms and uses it in server communication. Blog author gets his panties in a bunch because Blizzard could replace one of these hash algorithms with something that collects PRIVATE PERSONAL DATA, and NO ONE WOULD EVER KNOW. A misleading Slashdot headline and poorly-written blurb is generated, and the rest is academic.
Cretin - a powerful and flexible CD reencoder
So, now a "rootkit" is any program that does something we're not sure of?
I thought a rootkit was a program designed to take control of a system remotely or offer access to that system? This is just an obfuscated program (encrypted is a bit strong for something that is "decrypted" on your own system where you can watch its behavior).
Seriously, if this is the worst that Blizzard does, I'm a happy camper. They really do have serious problems with their users being exploited, and detecting these problems early is all good. In my case, they'll see everything that's in my virtual Windows environment under Wine.
Now, if someone proves that they're reading personal files out side of the Windows system directory or the WoW installation, then we can talk. Until then, this is a non-issue.
Does the thing hide itself? Can't you just uninstall WoW? (Maybe you can't but maybe you need mental help.) Ya, you don't know what it is doing but you don't know what most programs are going unless you reverse engineer them. I think this is just the cheaters getting their panties in a twist. Especially because it means the end to a real source of income for those who harvest gold and sell it in the real world.
Actually, knowing Blizzard's history (and more specifically their history with WoW) it most likely is in their EULA and/or TOS somewhere. They wouldn't knowingly do something that isn't. All it would take is to update the EULA and/or TOS when the patch is applied, seeing as you have to accept the EULA and TOS everytime you install a patch. Not their fault if you didn't read it.
They are an internationally-known company bringing in millions of dollars a month from the most popular online game in the world. I'm sure they pay attention to what is and isn't in their agreements.
Living With a Nerd
I play World of Warcraft. As a subscriber that plays this game I am ok with Warden as it stands. I want to play a game where hackers and cheaters are caught and banned. I know a lot of people despise the speed hacks and of course the gold farmers, so I don't see what the fuss is all about.
The likely hood of Blizzard hacking or stealing personal data is very small. They know that they could lose their cash cow by doing anything malicious with this information/software.
For those that fear credit card and personal information being lifted, I'm a little baffled. When you sign up for an account you enter most of the same personal info that is going to be on your PC anyway, and unless you are using game cards they already have at least one of your credit cards on file. All information that subscribers gave up willingly.
That aside, I did read the article and find the technology fascinating.
It's not a rootkit, so it doesn't work anywhere.
It's just an analyzer that's part of WoW. It checks for malicious software in the environments where WoW runs and reports back to Blizzard when you log in to their service. Malicious in this context being defined as malicious vs. the user (keyloggers are a major concern in the wow playerbase) and malicious vs. Blizzard (e.g. bots and such controlling the UI while the game is running).
I trust Blizzard with my gaming computer. I would rather lose a bit of privacy and not have annoying crackers trying to game the game.
Yeah...it's this type of reasoning that lets the US government get away with wire-tapping w/out a warrant and other similar privacy violating activities.
If you start your architectural design from the assumption that the client is a malicious bot, then you can design out vulnerability. Blizzard chose not to do that. They thought that they could enforce trust on the client side, and let clients make decisions about (oh, just for example) player position. Well, that makes them idiots. Idiot savants, maybe, but idiots none-the-less.
The client cannot be trusted. Clients request, servers decide and dictate. Let the client anticipate and drift its local world state all you like, but the server must never, ever, accept a state change from the client, only requests. That's the way it has to be, unless you - demonstrably - want to play catchup for ever and a day. And if you get caught in that hole, then you need a spade the size of WOW's playerbase and Blizzard's resources in order to keep digging it deeper.
If you were blocking sigs, you wouldn't have to read this.
Now Blizzard has a tool that is encrypted and can run any type of scan, transfer any file or edit any document on your computer.
You do realize that *any* software you install on your computer can do this? Unless you have read the full source code and compiled it yourself (Ignoring the possibility of a trojan'd compiler) there is a possibility that a program could do these things. So what's new?
Steam games have "Valve Anti-Cheat" (VAC), which is similar in principle to the Blizzard Warden. Other games use Punkbuster, which uses the same strategy to detect cheats. All of these programs scan your machine's memory and look for the signatures of known cheats. The mechanism used to carry out the scanning and report the results is deliberately obfuscated to make it difficult to reverse engineer the process and send fake results. All three of these programs are spyware. But you agree to the use of each within the EULA of whatever game you are playing.
Warden has always had the ability to be updated with arbitrary code as you play. The observations of this article are nothing new: Blizzard has always been able to access files on your computer, just by sending the appropriate program to Warden. It seems that they have recently been sending more complex programs, generated for each client, so the current generation of programs that spy on Warden no longer work. The arms race continues.
>north
You're an immobile computer, remember?
They clearly state in their TOS that they do this (Section 14)
http://www.worldofwarcraft.com/legal/termsofuse.html
Don't like it? Don't play the game. Very simple.
And in fact, when you first sign up for an account, Blizzard gives you 30 days to return the game for a *full refund* if you don't agree to the TOS and don't wish to play. That seems pretty fair IMHO, and far more than most game companies will do.
- Roach
> why not organize and complain to Blizzard?
Players: "Blizzard, your malware sucks, and you suck for using it!"
Blizzard: "What? Sorry, these piles of money you keep forking over to us every month kind of muffle the sound in here."
Done with slashdot, done with nerds, getting a life.
I simply do not understand some of the people's comments on this matter. "I feel more secure with this" isn't a very good argument. Games have bugs: if a game can access and modify your entire system, a bug exposing this would be very dangerous.
Game developers have no right whatsoever to delve into your personal assets no matter what the intent might be. There are various examples known world wide such as in Argentina (1980's) when all of the communications were monitored by the government to "capture the terrorists." Hackers and cheaters are not even remotely in that realm, so my computer which holds very confidential information should not be monitored. (Though it might make an interesting paper comparing hackers to terrorists)
When I drive on the South Florida roads I am constantly monitored by cameras at each stoplight, I don't particularly would like to be monitored in my own home where I still have the illusion of privacy. However naive that might sound.
You keep all that information on your hard drive unencrypted?
It's hard not to be quite so cynical these days, but there is little call for it here. Sure companies like money, but the smart ones don't go about strangling the geese that lay their golden eggs. WOW won't last forever; it will soon enough look butt-ugly and lacking in interactivity when the next generation of MMOs arrive, as is the way of all software games development. When that happens, keeping its current customer base happy and making them feel they can trust Blizzard is huge in getting the next such offering onto the market. Burning those customers and ignoring those concerns would be monumentally stupid, given that fact.
As I understand it, what Blizzard is doing now (albeit misguided) is in response to people complaining about cheats and bots that ruin the game experience for them. That is, plainly, evidence that Blizzard doesn't just care about the bottom line to the exclusion of the preferences and complaints of the customers. I imagine that if as many people complained about this rootkit-esque fix as complain about the problem it was intended to solve, Blizzard would respond accordingly.
All the techniques ever used to make men moral have been themselves thoroughly immoral... (Nietzsche)
The war will continue until the cheaters are forced to use the same interface(keyboard/mouse/monitor) the humans use. I.e. within 5-10 years you'll be able to buy a little box for $50 that will plug into your mouse and keyboard ports(with passthru of course) and point a camera at your monitor that will play the game for you. There will probably even be an open source powered version of this box :) At that point it will become impossible to differentiate cheating from playing and the cheaters will have won.
This is the only way it can go down in the end. All of the current and future "anti-cheating" technology basically boils down to calling someone on the telephone and asking "are you cheating?" while expecting a truthful answer.
Instead of wasting time with all this crap the game makers should be redesigning the games such that reflex augmentation(aimbots) and robotic automation(24/7 farming) do not provide the advantages that they currently provide.
And all Sony did was install a program on their music CDs that ensured someone had a legit copy of the CD (copyright infringement is a HUGE problem with IP).
(waves magic wand) Reducto ad absurdum!
The program they tell me they're running to detect trojans and cheat-ware encrypts what it is doing to protect itself from the trojan and cheat-ware authors. THE SKY IS FALLING!
If you don't trust Blizzard, why did you install the game? Why did you give them your credit card number?
But I love this stuff. It means my non-technical guildies are less likely to be exploited, it means the gold farmers have it that much harder, and drives away the vocal, whiny morons, who are likely the same vocal, whiny morons in the game.
What you described is a backdoor.
Rootkit is an OS-level subversion program.
http://en.wikipedia.org/wiki/Rootkit
3.243F6A8885A308D313
If they have just changed Warden and I'm no longer happy to agree to their terms of service, can i return wow and BC for a full refund? Don't I agree to let them run what software is in the box when i agree to the ToS? If they change the software can't i change my mind?
Works fine under Wine, which is how I play. This just goes to show you it really isn't a rootkit despite what the sensational headlines are claiming. Yes it peaks at the registry, and the process list and the window list. It's looking for key loggers and bot software. These things hide themselves well so there is no way to find them without doing some semi-invasive digging around.
I suspect a lot of the fuss over this is coming indirectly from the writers of bot software and from the gold farmers...and they can go to hell for all I care. First they started spamming people in-game with constant ads for gold and power leveling, and then when Blizz implemented anti-spam filtering they started creating dozens of level 1 trial characters and randomly inviting people to party, hoping you'll accept so that they can talk to you in party chat and bypass the spam filters. It's annoying as hell.
I don't play WOW, I don't get why people are obsessed with it, and that has absolutely nothing to do with the point, which is this:
1. Many people like playing WOW. It brings them happiness to play it.
2. The provider of WOW has instituted a policy that is objectionable.
There is no reason on God's Green Earth why 1 and 2 above need inevitably lead to:
3. Therefore people should give up WOW that brings them happiness because there is a problem with how it is provided.
Because, frankly, that's just stupid. Less extreme measures should be tried first, like salvaging that which is valuable by attempting to change that which is objectionable. Cutting your losses and running is, if ever, a last resort when attempts to fix the problem have utterly failed. Now, this is "just a game", and so it is reasonable for people to only put as much effort into salvaging it as pleasure they get out of it; it's not like fighting for your rights or anything. I just have a really hard time comprehending the general attitude around here being that as soon as someone (esp. a corporate entity) does something to find questionable that the only response is immediate and extreme measures(tm). Human beings who do care, if even fleetingly, about things other than money run these companies; they want people to enjoy their products, and would be fools not to listen to valid concerns even if only for self-interested reasons.
All the techniques ever used to make men moral have been themselves thoroughly immoral... (Nietzsche)
But, apparently, installing four CDs full of unsigned, unaudited third party code which can do anything on your computer is okay. And having third party software which is in constant communication with its authors is okay. And having it download and execute new code every Tuesday, with or without your approval, is okay.
It's only _now_ that it's becoming a problem?
If you don't trust Blizzard, don't buy their software and don't install it on your PC. How hard is that?
Ah, this is the often ignored genius of systems like the APT installation software in Debian flavored Linux distros. When you download software from a trusted repository, you are downloading binaries that have been compiled and digitally signed using the private key of people that you (implicitly) trust. This is a good thing, because the sources you are downloading have been checked by an expert third party that you believe capable of doing the job. This mitigates the need for trusting the software provider and/or checking the source code yourself.
Not that this helps with WoW, but it addresses a common cynical criticism of free/open source software, where people claim it's useless since the average joe can't read source. Yes, the average joe can't read source, but he can decide to have a trusted third party for do so.
So of course he's trying to make a fuss about it--It will hurt his ability to help people cheat. Slashdot has been trolled, sigh. Warden is good for us that actually just want to play the game and not have people cheating. If you are that concerned about it, please feel free not to play. No one is forcing you. It isn't being installed behind your back or hidden in any way. QQ moar, as we say in WoW. :)
replacing it with NEW Folger's Crystals! (lets see if they notice the difference)
This was from my post:
Now, this is "just a game", and so it is reasonable for people to only put as much effort into salvaging it as pleasure they get out of it; it's not like fighting for your rights or anything. I just have a really hard time comprehending the general attitude around here...
And this was from yours:
This is a video game. Finding another MMO to take up your excess time is a matter of $50 at worst, since just about all of them worth playing give free trial periods. Your friends that you met in WoW will still be your friends when you stop playing if they are real friends and not merely aquaintances. There is such a thing as instance messenger and voice chat. Gain some perspective.
I've got perspective (tm). It is only a game, and as such, like I said, people who have a problem with how it is provided should raise a stink only so far as the enjoyment they get from the game is worth it to them. Since, after all, it is their money, and not yours or mine. Me, I prefer to read books, watch movies, chat (in meatspace) with friends, and post to /. for my entertainment. That's what brings me enjoyment. These folks, who like WOW, like other things than I do and spend money in ways consummate with that enjoyment. If one were to look at the publishing industry with a magnifying glass, one would see all sorts of hideous warts; the way they treat most authors is abominable, their editorial policies are groupthink L.C.D. crap, etc. etc.. And yet, I think it would be plainly idiotic to suggest to a person that they should just stop reading books because there are problems with the way books are provided as a product. There are other, better ways. They are harder, less self-satisfyingly smug, and not always successful. And yet, they are the ways that actually make things better, as opposed to the prevailing message which seems only to suggest that one try to insulate oneself from the world as it goes to shit around you.
Look, the way in which people think and how they act when it comes to trivial matters reflects very well how they tend to react to important ones. People whose first reaction is cut and run from every negative thing tend to do so not just in MMO-land but also in politics. People complain a great deal about political apathy, but apathy comes from the mindset that the other methods I have been speaking about (e.g. organize, petition, complain) are ineffective and are thus never tried. Of course they fail; nobody does them. In many cases, they've forgotten how. The mindset here reflects the mindset in the wider landscape, and so if you think I fail to have perspective because it's "just a game", that may be because this attitude is corrosive wherever it appears and I find that way of thinking to be destructive in areas of life where it matters a damn well lot.
All the techniques ever used to make men moral have been themselves thoroughly immoral... (Nietzsche)
I do not see any indication anywhere that this:
1. Hides itself from the user.
2. Remains on the system even after World of Warcraft is uninstalled.
So while privacy concerns may be valid, I don't see how this is a "rootkit."
"You spoony bard!" -Tellah
As a very casual WoW player (I only have 1 level 70 main toon and I only just started raiding Karazhan), I'm glad that Blizzard is doing what they can to combat botting. On another toon of mine I just got into a guild where one of the guys was talking about how his friend had botted 75,000 honor during AV weekend. That pretty much pissed me off. I don't care too much because I'm not playing the game in any sort of competitive manner, but it kind of irks me.
I'd really like to see something like Warden being used to combat the problem of aimbots and wallhacks in FPS games. I stopped playing FPS games all together because of that issue.
Quest: Lunch.
Collect 3 hams, return to butcher.
Collect 5 turkey, bring to Nargold Queefbeater in Stormblaughw.
Purchase 1 loaf Sourdough +1
Reward: Delicious, Choose one:
1 - Club Sandwich - +5 vit for 3 hours
-or-
1 - Broodwich - +50 mana, -20% HP for 3 hours
Accept Quest?
[Yes] [No]
Wow, you might need a couple extra layers of tin foil. And try laying off the lead paint. :)