Blizzard Sued Over Battle.net Authentication
An anonymous reader writes "A man has initiated a class-action suit against Blizzard over a product used to shore up Battle.net security. Benjamin Bell alleges that Blizzard's sale of Authenticators — devices that enable basic two-tier authentication — represents deceptive and unfair additional costs to their basic games. (Blizzard sells the key fob versions for $6.50, and provides a free mobile app as an alternative. Neither are mandatory.) The complaint accuses Blizzard of making $26 million in Authenticator sales. In response, Blizzard made a statement refuting some of the complaint's claims and voicing their intention to 'vigorously defend' themselves."
Not only does the $6.50 help cover postage and pay for the dongle, it's completely optional and Blizzard makes the app available to as many platforms as they can. You can even install the authenticator on an Android simulator on a computer.
I'm in shock as to how entitled this person is. I honestly just can't fathom how he can claim that Blizzard "makes money" off these authenticators.
Question #1 will be: "Did Blizzard make you buy one in order to play the game, and are there any consequences to not doing so?"... "No, and no."... "Case dismissed."
Like TFS says, the mobile version is free. Just another moron trying to make a quick buck.
My concern with blizzard's authenticator is that they seem to have rolled their own implementation rather than adhering to an open, defined spec (HOTP/TOTP). And like so many of these services, there's no good way to move it to a new device without disabling 2FA temporarily. People do upgrade their phones, after all.
How are sites slashdotted when nobody reads TFAs?
If they win this suit, I'm going after Google to pay my phone bills since they give me the option of using SMS based authentication to protect my Gmail account.
He seems to be an idiot to me. The authenticators were created to protect a community that is targeted regularly from their own stupidity. Basically, it's to protect from phishing and keylogging. Blizzard is just offering them an additional method to secure them, for a negligible cost. As for the issue with the hack on their servers, they made sure to alert their users via their registered accounts. Any legal requirements, anything else in regards to their quality of security... I can't speak for.
It's not mandatory, and it's a game. A service provided to you, and a limited version that's free to use. The security problem is inherent to all MMOs -- and Blizzard is providing a way for people concerned with hacking to protect their investment in the game, at a reasonable rate. These authenticator tokens often cost a lot more than the cost of a meal at mcdonald's in other industries. The guy doesn't have a leg to stand on. He max-leveled in idiot.
#fuckbeta #iamslashdot #dicemustdie
It is made by Vasco and is sold in large quantity orders for around $6.50, which is the same as what Blizzard charges for it. The idiot in question is basically claiming Blizzard sold 400,000 Authenticators at a 100% profit margin.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Warcraft should be free, and Blizzard should become a charity.
It's been a while since I logged into battle.net, but I am almost POSITIVE the passwords are case sensitive, as case sensitivity has caused incorrect password entry several times.
They allow passwords to be MUCH more complex than many other websites / services. This case is complete BS.
A friend of mine got hacked three times. Blizzard sent him an authenticator for free. It costs them less to send the free authenticator than to keep fixing his account.
This is just someone trying to make money on a frivolous law suit.
https://encrypted.google.com/search?complete=0&hl=en&source=hp&q=battle.net%20password%20case%20sensitive&aq=f&aqi=&aql=&oq=&gs_rfai=
It's pretty well-documented, including blue posts from Blizz staff.
No they aren't. I just checked my copy of Diablo 3 (which was a total waste of money) and my password worked regardless of what I capitalized.
Funnily enough, I only found out that passwords were case insensitive in 2010.
No sig. Move along - nothing to see here.
The end of the article indicates he is suing to not require a battle.net account just to play a game, which seems reasonable to me.
You know, there are plenty of WoW server emulators that had to reverse engineer the client authentication.
Both the username and the password are converted to uppercase before being SHA-160 hashed and fed into the SRP6 authentication algorithm.
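To make the consequence of that normalization concrete, here is an added example (constructed for this page, not Blizzard's code and not taken from any server emulator): a toy pre-hash that upper-cases the username and password and SHA-1s them, as the comment describes, together with a count of how many distinct case spellings collapse onto one hash and how many bits of entropy an 8-character password loses once case is folded. The `username:password` concatenation and the exact layout fed to SRP6 are assumptions for illustration only.

```python
import hashlib
import math
import string


def legacy_prehash(username: str, password: str) -> bytes:
    """Constructed illustration of the scheme described above: upper-case both
    inputs, then SHA-1.  NOT Blizzard's code; only the uppercasing step and the
    hash family come from the comment, the ':' layout is an assumption."""
    folded = f"{username.upper()}:{password.upper()}"
    return hashlib.sha1(folded.encode("utf-8")).digest()


def verifies_as_same_credential(user_a: str, pw_a: str, user_b: str, pw_b: str) -> bool:
    """Two logins are indistinguishable to the server if their pre-hashes match."""
    return legacy_prehash(user_a, pw_a) == legacy_prehash(user_b, pw_b)


def colliding_case_variants(password: str) -> int:
    """Number of distinct case spellings that fold to the same hash: 2 per letter."""
    letters = sum(1 for c in password if c.isalpha())
    return 2 ** letters


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random string of this length and alphabet."""
    return length * math.log2(alphabet_size)


def bits_lost_to_case_folding(length: int) -> float:
    """Mixed-case alphanumerics (62 symbols) collapse to 36 once case is folded."""
    mixed = len(string.ascii_letters + string.digits)     # 62
    folded = len(string.ascii_uppercase + string.digits)  # 36
    return entropy_bits(length, mixed) - entropy_bits(length, folded)


if __name__ == "__main__":
    # Constructed sample credentials.
    print(verifies_as_same_credential("Alice", "Tr0ub4dor", "ALICE", "tr0UB4DOR"))
    print(colliding_case_variants("Tr0ub4dor"), "spellings share one hash")
    print(f"{bits_lost_to_case_folding(8):.2f} bits lost for an 8-character password")
```

The practical reading for a defender: case folding does not turn a strong password into a weak one, it shaves a fixed number of bits (about six for eight alphanumerics) off whatever the user chose, and it explains every "my password works in any case" report in this thread. The comments further down about phishing, reused passwords and keyloggers describe the losses that actually dominate, and none of those care about case at all.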
Instead of taking personal responsibility for the security of their own account, they instead sue Blizzard. Blizzard CANNOT control the end user's computer (not as much as they wish they could, at least). Therefore, the security of your login credentials are the sole responsibility of the account holder. Blizzard can't keep your computer from getting infected with malware, falling for a phishing scam, or sharing your credentials with your little brother.
Not true, you can run it in an Android development emulator.
2) Include a "Free Authenticator!" in every box, or mail one to people who opt to download the client.
3) Profit.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Suing over $6.50.... even with a complete victory he would probably end up with something like $.50 after the lawyers get their part. This must be somebody with too much time to waste.
How big is that to download (especially on a capped plan), and how much RAM does it use (in addition to the RAM your game uses)?
Also one called WinAuth, no emulator needed. http://code.google.com/p/winauth/
... and yet if I change the case on my password, either in game or on the website, I get an authentication failure. Hell, that was true back when Diablo 2 was around.
Fact seems to disagree with you.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Actually no, I'm wrong. What the hell?
The stupid, it burns
http://xkcd.com/936/
It's right to require one on the real money auction. Since it's real money involved, gotta take extra security on that. But with that said, this guy apparently is too stupid to realize the 2 other FREE options: the phone app and a program called WinAuth that will do this stuff for FREE.
"When I buy a car the dealer doesn't tell me that I have to buy a car alarm with it at extra cost."
You've not bought a car from a dealer lot recently, have you?
Expect to find LoJack (even in markets where the local police have bought zero units), alarms, windshield VIN etching, clear paint protectors, sealants, rust proofing, teflon upholstery protection and a wide variety of exciting floor mats pre-installed and added on to the price of every actually available car, taking them way above and beyond the "Starting From..." low, low advertised MSRP on the banners around the lot. Listen to the radio commercials where whichever "mile of cars" with "over X thousand vehicles to choose from!" has "three at this price."
The difference between Blizzard and a car lot is, if Blizzard were a car lot, they'd be telling you, "We're sorry, the only copies we've got on hand today already have their accounts hooked to a validator and we can't remove it. We could order you a copy without a validator in 8-12 weeks or you can pay the premium to take a copy home today."
Clearly they are the stupidest person on earth for not knowing off hand the password mechanics of a shit mmo.
No, gross income is not revenue. It is revenue - cost of goods sold
" (in addition to the RAM your game uses)?"
Who cares? it's not like you have to leave the authenticator running while you are playing
Wrong. It is not required to use the RMAH. It's required to link a PayPal account to the RMAH or keep a RMAH balance. Buying things is easily possible without one.
There are also free alternatives to the actual keyfob.
But you still have to have both the game and the Android simulator open while you're running the authenticator to get the code to type into the game. The only way I can see otherwise is if one would start the Android simulator, run the authenticator, close the Android simulator, and then start the game. This is possible only if the authenticator needs no information from the game and the game tolerates a delay of up to a few minutes between running the authenticator and running the game. Is this the case? I can't try it myself because the last Blizzard product I bought was the first StarCraft.
I support it simply for this:
He also seeks to stop Blizzard from requiring players to sign up for a Battle.net account.
And what's more, this article talks about how they don't know the password mechanics of a good MMO either!
Good. Case sensitivity in passwords is stupid.
There, I said it.
Also: if you're going to lock the user out after three bad attempts anyway (and therefore already have a mechanism in place to deal with external dictionary attacks), there's no good reason for that "Oh, you entered it wrong? Here, let me wait for 30 seconds before I tell you" delay that just fucking pisses people off rather than helps. I just thought I'd mention it, it's another pet peeve.
Actually, there's no need to lock after three bad attempts, just make the delay ONE TENTH OF A SECOND. That'll be long enough to foil virtually every dictionary attacker while short enough to not be irritating to end users.
Also, what's the deal with caps lock? Why the hell is that key still on the keyboard? NOBODY uses it and... I've gone waaaaaaaaaaay off-topic haven't I? I'll shut up and let the rest of the post be insightful.
You are not alone. This is not normal. None of this is normal.
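The "short fixed delay instead of a three-strikes lockout" idea above can be expressed as a small rate-limiting policy. The following is an added example written for this page, not code from the original post or from Blizzard: a per-account throttle that refuses any attempt arriving less than 100 ms after the previous one, driven by a caller-supplied clock so the behaviour is deterministic. The account name, the attempt timings and the 100 ms interval are all constructed values.

```python
class LoginThrottle:
    """Per-account minimum interval between authentication attempts.

    Constructed example of the policy in the comment above: instead of locking
    an account after three failures, reject any attempt that arrives sooner
    than min_interval_ms after the previous accepted one.  The caller passes
    the clock (integer milliseconds) so the policy is deterministic and testable.
    """

    def __init__(self, min_interval_ms: int = 100):
        self.min_interval_ms = min_interval_ms
        self._last_attempt_ms = {}

    def check(self, account: str, now_ms: int):
        """Return (allowed, retry_after_ms).

        Only accepted attempts move the timestamp forward, so a flood of rejected
        attempts cannot keep pushing the window out and lock the real user out."""
        last = self._last_attempt_ms.get(account)
        if last is not None and now_ms - last < self.min_interval_ms:
            return False, self.min_interval_ms - (now_ms - last)
        self._last_attempt_ms[account] = now_ms
        return True, 0


def simulate(attempt_times_ms, account: str = "victim", min_interval_ms: int = 100) -> int:
    """Feed a sequence of attempt timestamps through the throttle and return
    how many of them would reach the actual password check."""
    throttle = LoginThrottle(min_interval_ms)
    return sum(1 for t in attempt_times_ms if throttle.check(account, t)[0])


def max_guesses_per_day(min_interval_ms: int = 100) -> int:
    """Hard ceiling on guesses against one account per day under this policy."""
    return 24 * 60 * 60 * 1000 // min_interval_ms


if __name__ == "__main__":
    human = [0, 4000, 9500]          # constructed: a person retyping every few seconds
    script = list(range(0, 1000))    # constructed: 1000 guesses inside one second
    print("human attempts reaching the check:   ", simulate(human))
    print("scripted attempts reaching the check:", simulate(script))
    print("ceiling per account per day:         ", max_guesses_per_day())
```

Two caveats a practitioner would add. A per-account delay caps guesses against one account (864,000 a day at 100 ms, which is nothing against a reasonable password space) but does nothing against attempts spread thinly across many accounts, so it is normally paired with a per-source limit and with monitoring of failure rates; and the delay must not be implemented by sleeping in the request handler, since that would turn the limiter itself into a resource-exhaustion target.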
Also, what's the deal with caps lock? Why the hell is that key still on the keyboard? NOBODY uses it and... I've gone waaaaaaaaaaay off-topic haven't I? I'll shut up and let the rest of the post be insightful.
I use caps lock every day, you insensitive clod! It's cruise control for cool.
You do not need the keyfob. You need an AUTHENTICATOR. And that can be had for free (on your phone) or even as a free application on your PC: http://code.google.com/p/winbma/
So the extra cost to get the needed authenticator is exactly $0.
Also, what's the deal with caps lock? Why the hell is that key still on the keyboard? NOBODY uses it
My dad uses it. It's like he's still yelling at me every time he sends me an e-mail. /cry
My mind is boggling at this.
Is this new? Or has it always been this way? I swear that as of a few years ago caps-lock could cause your auth to fail.
You are an idiot. Seriously.
There are legitimate business reasons for all caps. The only one I know of is tax returns, but I wouldn't be surprised for there to be others.
I can't believe people keep passing that around. It's terrible advice, unless of course you happen to live alone and never have anybody in the same room as you when you type in your passwords. By using real words, you greatly increase the ability of an attacker to fill in the gaps if they miss a few characters or pick it up over your shoulder.
It also completely misses the fact that you probably have more than a couple of passwords, at which point, you're going to want to use a password manager anyways, at which point, you might as well go for the one with the most entropy and the least predictability.
Plus it's a bit of a strawman there as you were never supposed to take a real word and substitute 0s and such in, that's never been an accepted practice for as long as I can remember.
People don't get their accounts stolen through brute force password hacks, so who cares about case sensitivity.
It doesn't matter what Blizzard is paying for them, Blizzard still has to pay for shipping and the bit you're taking issue with isn't really the point. The point is that it's impossible for Blizzard to make a $26m profit on it, unless they get free shipping and sell 4m units.
Demanding information which is clearly irrelevant just makes you look like a butthurt fanbois. As long as the figure is non-zero, which it is, and the shipping is non-zero, the post you're bitching about is correct.
It's not stupid at all. People are fucking stupid. If you can't type a password correctly, don't choose that password.
Smart peopel keep the stupid well hiden.
Fakedit: DUOH
Plus it's a bit of a strawman there as you were never supposed to take a real word and substitute 0s and such in, that's never been an accepted practice for as long as I can remember.
Back in the real world: upon password creation, it is always accepted by the system, and therefore generally what people use so that they can remember it.
Actually most people don't bother with substitution; they just capitalise the first letter & add the required characters at the end, which is usually just a number. Whenever they are required to change password by the system they increase the number by one.
Although, if 'correcthorsebatterystaple' were a standard password creation method, a brute force using a decent dictionary would be quite plausible.
i spent five minutes thinking and all i got was this crappy sig
Actually it's likely the exact opposite. Not only do people leave the game after being hacked (or come back from hiatus, see a hacked account and leave for good), but the support costs associated with stolen and hacked accounts constituted a huge amount of support calls and contacts before authenticators. Probably after as well, but as there is not a single account compromise for accounts with an authenticator attached (according to Blizzard), their costs must have come crashing down for accounts that have an authenticator attached.
Full disclosure: I have two separate accounts on battle.net, one since early 2007 (former WoW currently battle.net account) and one since SC2 release. Neither has authenticator attached, neither has ever been hacked. I've had one guildie actually hacked in WoW during a black temple raid back in TBC for their own stupidity. Literally "sorry guys, I just got hacked right after talking to GM [provides details on being socially engineered in a really silly way]".
So, the company did the right thing in terms of offering two factor authentication (I wish my bank would do that). They made it optional and made free apps available so that people aren't forced to use it. All of that is good.
This lawsuit is frivolous, and the guy should not only lose, but have to pay court and defense costs.
Also, what's the deal with caps lock? Why the hell is that key still on the keyboard? NOBODY uses it and... I've gone waaaaaaaaaaay off-topic haven't I? I'll shut up and let the rest of the post be insightful.
The purpose of the Caps-Lock key is to remap it to Ctrl.
if 'correcthorsebatterystaple' were a standard password creation method, a brute force using a decent dictionary would be quite plausible.
Would it be though? According to a study by Harvard and Google, there are around 1 million words in the English language. 10^24 possible combinations for a four-word password. Not sure that a brute force dictionary attack would be plausible on that search space.
I had a sig once. It was lost in the great storm of '09.
The value of his comment is more than yours. You seem to have no concept of the idea of "wholesale" and seem to have some idea that Blizzard can magically get prices much lower.
1) Vasco advertises $6.5/unit wholesale for large batches
2) Blizzard buys large batches, then pays to customize them and then pays again to ship them to Blizzard warehouses
3) Blizzard incurs administrative overhead for processing and storage
4) Blizzard sells end-product for $6.5 and covers the cost of shipping 2-day priority mail (I've purchased 5 auths over the many years and all have come within 2 days from across the nation via USPS).
Really, how much money to you think Blizzard is making?
To add to it, when I purchased my original auths, it was buy one get one free, so I was able to get 2 for $6.5 and they were shipped from Cali and made it to the Midwest within 2 days.
They don't even have case sensitivity on their passwords. Compromised accounts drive additional sales, including the fobs.
Wow (no pun intended). You are absolutely correct. Part of my Battle.Net password was upper-case, I just tried it all upper, all lower, and reversed my core word/suffix case scheme and all signed in. I was fairly sure that in the past it was case-sensitive, so I was either mistaken or something changed in the past.
When you sympathize with stupidity, you start thinking like an idiot.
Almost no one is going to get their battle.net account compromised due to lack of case sensitivity in passwords. It's because they do things like make their password "password1", or (primarily) because their forum account on a completely different gaming related website got compromised and they use the same email and password for WoW that they do for that forum, or their email account got compromised, or they fell for a phishing scam. If someone is lifting your password from another site or from a phishing scam, it literally does not matter what your password is because the attacker is going to have it, mixed case and all.
I would wager almost no one loses their account to brute force attacks. It's almost entirely social engineering or compromised external sites where they use the same passwords or trojans/keyloggers. Guild forums especially often run on very old and/or insecure forum software that's often compromised for years with no one realizing it.
... and claiming you know, and admitting when you discover when you were wrong, is another entirely.
The biggest issue is having the same password for both Forum and Game access.
Many years ago Blizzard should have made it so that you have a "Forum Password" field in your account, and that is used to log into the forums. The number of people I see who use really secure passwords, then log into the Blizzard Forums from work using IE 6 is crazy. They are giving their passwords away.
Even when I have something to say, which isn't often, I rarely do because I don't want to log into the forums with the same password as my game.
You know exactly what you're talking about except for the "I know for certain it was a blizzard associate that sold my account info to get them in both times" part.
Well I just found out now, very surprising. And I thought I was uncrackable with PaSsWoRd too :(
You just troll slashdot for free.
Trolling is saying things you don't believe. I might be some kind of idiot, though. I should be checked. I will tell them how much time I spend here, and they will probably confirm such a suspicion.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
The Blizzard forums use the exact same authentication method as the game. I guess you can argue that people don't realize that logging into the forums on a public computer (like at a library or school computer lab) is dangerous, but I think Blizzard's time would be better spent educating users of that danger than making the user's life more difficult by having to manage two separate logins for the forums and for their account access, and setting up all the required software and hardware on their end to handle that change.
Technically English has a lot of words but the vocabulary of the average person is closer to 50,000, and the average working vocabulary is way, way less (5,000 to 10,000 and certainly not evenly distributed). That is, there are a lot of words we recognise but would never think to use. From memory I believe that Shakespeare's works use 60,000 and the King James Bible 11,000. Most passphrases would be chosen from this smaller space.
Crunching the numbers, a 4-word passphrase (lowercase) would have 6.25e14 to 1e16 combinations. An 8-character password (uppercase, lowercase, numbers) would have 2.18e14. So they're in the same realm, at least with this simplistic analysis.
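The arithmetic in the last two comments (and the 10^24 figure further up) can be checked and extended with a few lines. This is an added example, not code from any post on the page: it computes the search-space size and bits of entropy for each scenario the commenters describe, and adds a case-folded 8-character row to connect with the case-insensitivity discussion above. The dictionary sizes are the commenters' own estimates, the guess rates are constructed (10 per second is what a 0.1 s per-attempt delay would permit online; 10^10 per second stands in for a fast offline guessing rate), and the label strings are made up.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def combinations(symbols: int, length: int) -> int:
    """Size of the search space for `length` independent picks from `symbols` choices."""
    return symbols ** length


def entropy_bits(symbols: int, length: int) -> float:
    """Bits of entropy for a uniformly random choice from that space."""
    return length * math.log2(symbols)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try the whole space at a constant guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


# Constructed scenarios mirroring the thread's numbers.  Dictionary sizes are the
# commenters' estimates (1,000,000 total words; 5,000-10,000 working vocabulary).
SCENARIOS = {
    "4 words, 1,000,000-word dictionary": (1_000_000, 4),
    "4 words, 10,000-word working vocabulary": (10_000, 4),
    "4 words, 5,000-word working vocabulary": (5_000, 4),
    "8 chars, upper+lower+digits": (62, 8),
    "8 chars, case-folded (upper+digits)": (36, 8),
}


def compare(guesses_per_second: float = 10.0) -> dict:
    """Return {label: (space, bits, years_to_exhaust)} for every scenario."""
    out = {}
    for label, (symbols, length) in SCENARIOS.items():
        space = combinations(symbols, length)
        out[label] = (space, entropy_bits(symbols, length),
                      years_to_exhaust(space, guesses_per_second))
    return out


if __name__ == "__main__":
    for rate in (10.0, 1e10):
        print(f"--- {rate:g} guesses/second ---")
        for label, (space, bits, years) in compare(rate).items():
            print(f"{label:42s} {space:9.3g} combos  {bits:5.1f} bits  {years:9.3g} years")
```

Running it reproduces the thread's figures (10^24 for four words from a million, 6.25e14 to 1e16 for a working vocabulary, 2.18e14 for eight mixed-case alphanumerics) and makes the caveat visible: the comparison assumes the attacker must try the space online, one guess at a time, where any of these spaces is out of reach. Once a password database leaks and guessing moves offline, the same spaces shrink to days or hours, which is why the hashing on the server side, not the user's choice of scheme, decides the outcome of that case.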