Privacy Role Playing (Games) Security

BBC Tells World About The Warden 573

Anonymous Cowpat writes "The BBC is running a story about the Blizzard title World of Warcraft. Specifically an article about, 'The Warden', Blizzard's highly-invasive anti-cheating software, which some, including The EFF have labelled as spyware. Most of the people around here have probably heard of it by now, but it's interesting to see the story in the mainstream press and (at time of writing) on the front page of the BBC's technology news section, no less." From the article: "The watchdog program, called The Warden by Blizzard, has been known about among players for some time. It makes sure that players are not using cheat software which can, for example, automatically play the game and build up a character's qualities. However, knowledge of it crossed to the mainstream thanks to software engineer Greg Hoglund who disassembled the code of The Warden and watched it in action to get a better idea of what it did."
  • Not Again (Score:1, Insightful)

    by stanmann ( 602645 ) on Tuesday November 01, 2005 @03:38PM (#13925642) Journal
    This is the same sort of nonsense that almost sunk Everquest, except the Everquest API only scanned the task manager for names. This does that and also scans for running process "signatures". Yet another reason not to play WoW. Goes right along with needing a Credit card for a "free trial".
  • Re:Not Again (Score:3, Insightful)

    by Southpaw018 ( 793465 ) * on Tuesday November 01, 2005 @03:41PM (#13925667) Journal
    Something tells me that disdain for providing your credit card info earlier than you'd like isn't what's preventing you from playing WoW, and neither is The Warden.
  • by MindStalker ( 22827 ) <mindstalker@@@gmail...com> on Tuesday November 01, 2005 @03:41PM (#13925668) Journal
    As other poster said, if you don't like it don't play the game. As well does it compare hashes client side? As long as it's sending no information to Blizzard's server than "He's cheating!!" I really don't see why anyone cares what it sniffs.
  • As a player .. (Score:5, Insightful)

    by Frag-A-Muffin ( 5490 ) on Tuesday November 01, 2005 @03:43PM (#13925680)
    of more than one multiplayer online game, I have to say, cheaters playing the same game as you suck. Have you ever played CS with cheaters? Really doesn't make it fun at all. Although I'm not 100% thrilled at HOW they're preventing cheaters, so far, they have proven to be not-that-evil(TM). For now, maybe because I like WoW so much, I will give them the benefit of the doubt.
  • by antifoidulus ( 807088 ) on Tuesday November 01, 2005 @03:45PM (#13925706) Homepage Journal
    I know they are a god like organization here on /., but them calling this anti-cheating software "spyware" is just plain stupid. You don't like the software? It ain't all that hard to cancel your subscription and uninstall the software. There, you aren't being spied on. You can't tell Blizzard what to do with their servers just because you don't like it. Either use the free market and don't use the software or shut up.
  • Re:ummm..ok (Score:5, Insightful)

    by east coast ( 590680 ) on Tuesday November 01, 2005 @03:45PM (#13925711)
    So, you would say it is ok for the Police to come search your house to make sure you have no drugs, stolen goods, kidnapped 3yr olds

    The difference is that you have the right to private property, WoW has the right to deny you access to THEIR private property based on their own criteria. If you feel this criteria is too invasive then, by all means, do not use their software/services.

    This is like drug testing, you have the right to choose not to work for an employer that does drug testing, you do not have the right to change their policy on drug testing.
  • Re:ummm..ok (Score:2, Insightful)

    by theRiallatar ( 584902 ) on Tuesday November 01, 2005 @03:46PM (#13925723)
    Different entirely. You're agreeing to play the game, and even paying explicitly. Read the EULA/ToU and you'll see the Warden outlined plain as day. The Warden doesn't even report back to Blizzard what it sees unless a match is found. Blizzard asks "Do you see or ." and Warden answers either yes or no. If you want to use a public service analogy, a better fit would be "Do you want the Police to search the bags of everyone boarding an airplane to make sure no one's brought any bombs (hacks) onboard?" I think the answer would be a resounding freaking yes, and if you don't like it, don't fly.
  • Re:ummm..ok (Score:3, Insightful)

    by Wingchild ( 212447 ) <brian.kern@gmail.com> on Tuesday November 01, 2005 @03:48PM (#13925743)
    So, you would say it is ok for the Police to come search your house to make sure you have no drugs, stolen goods, kidnapped 3yr olds - anytime they want? Just because you are against druids, stealing and kidnapping doesn't mean that would be a good thing.

    No, I wouldn't say that's a good thing - but the rules are different out here. In the US the citizenry is guaranteed a certain measure of privacy and protection from egregious law enforcement by way of the Constitution. We have Amendments that protect against unlawful search and seizure, we have Amendments that guarantee a certain due process, etc.

    When you go to a foreign country, these rules do not apply. If you traveled to Spain, your United States civil rights would hold no water. You would be operating under the legal system of the region you were traveling into.

    So what on earth makes you think that the rules that govern US law enforcement apply, in any way, to whatever virtual world it is that WoW runs under?

    Blizzard built that environment from the ground up. They invested time, money, and countless man hours to make it into something real. They invited players like you to step in and enjoy their creation. Some jackasses feel the need to bend and break the few rules that exist. I feel Blizzard is entitled to end cheating by any means necessary.

    It is their product.

    As always, if you don't like how they enforce their rules, you are welcome to take your dollars elsewhere. Just don't make the mistake of thinking that you have some right to tell them how to run their show.
  • by Red Flayer ( 890720 ) on Tuesday November 01, 2005 @03:48PM (#13925745) Journal
    FTA: "[The EFF] added that the Blizzard could get away with using The Warden because information about it was buried in licence agreements that few people read."

    Didn't read the license agreement? Sorry, but that's not Blizzard's problem. It would be nice if Blizzard had made it more obvious that they would be doing this.

    But you know what? Tough titties, you agreed to it.

    That said, it's good that people are drawing attention to this -- maybe next time around, Blizzard will be faced with losing revenue should they try to implement the same kind of solution.

    What MMORPGs need to do is implement better server-side analysis to identify cheaters. Difficult? Yes. Expensive? Yes. But probably less difficult and less expensive than losing craploads of clients, and hiring craploads of lawyers. Then they won't need to have the invasion clause in the license for their games.

    Spread the word, and maybe we won't have to deal with this next time.
  • Re:nothing new (Score:2, Insightful)

    by stanmann ( 602645 ) on Tuesday November 01, 2005 @03:49PM (#13925751) Journal
    Punkbuster, HL2, etc all made it clear up front what was going on. Warden was stealth/sleazed in under the radar. Sort of like the latest Sony DRM/Rootkit. IF they want to prevent cheating, watch for behaviour patterns, NOT software running on *MY* computer.
  • Re:Waaaah (Score:2, Insightful)

    by Clay Pigeon -TPF-VS- ( 624050 ) on Tuesday November 01, 2005 @03:51PM (#13925768) Journal
    How about blizzard sucks because they can't write code that is secure enough to not require invasive anti-cheat measures?
  • Re:Not Again (Score:2, Insightful)

    by stanmann ( 602645 ) on Tuesday November 01, 2005 @03:51PM (#13925769) Journal
    Why should someone getting multiple free trials be a problem?? The "account key" should be the distinguishing factor there. And a free trial that is limited to 2Gold and level 20 isn't likely to be abused by someone wanting to chain free trials.
  • Re:Not Again (Score:1, Insightful)

    by Anonymous Coward on Tuesday November 01, 2005 @03:53PM (#13925790)
    go buy a gamecard with cash and stop crying.
  • by Iriel ( 810009 ) on Tuesday November 01, 2005 @03:53PM (#13925795) Homepage
    Screw the quotes about what information it goes through. The bottom line is the cheat flags that it looks for and sends back. Here's the million dollar question for almost every application that gets flagged as having 'spyware'**

    Do you want to play a fair game and have a good time, or will tin foil hats get the best of you because you feel like you have big secrets to hide from the world?

    ** Yes, I realize that a number of those claims can be well founded, but a lot of it is just paranoia.
  • Re:Not Again (Score:5, Insightful)

    by Buzz_Litebeer ( 539463 ) on Tuesday November 01, 2005 @03:55PM (#13925819) Journal
    People agree to this when they sign up for the service. This is the only method to stop cheating, and that's to be invasive.

    The current top anti cheat for medal of honor allied assault is a third party program that makes the warden look like a freaking pansy on what it does.

    It checks memory to verify there are no spyware signatures, verifies all files before they run, locks the files, runs its own explorer shell so that a person can't alt tab and run things. The game can only be executed within the context of the anti cheat software, the hardware is checked to make a key that can be bannable even if the person re-installs or reformats.

    It locks the memory of itself, and the MOHAA software.

    Even at that point it isn't good enough, it also launches two other executables with similar protections built in that check each other to make sure that none of the executables is being shut down or altered by an outside program.

    People have to agree with this, because nothing else works, if you slip in one area, they write a cheat to exploit it. You slip in another area you get a cheat in another area. If you don't validate all files, even files with odd extensions, they write a kernel thingy that goes around it.

    Cheaters have too many dedicated fucktards trying to ruin the games for everyone else.

    When you sign up for World OF WarCraft, or use another type of anti cheat, you are saying that you agree to this kind of thing because you want to participate.

    In sports, umpires can watch the players and make sure that they aren't cheating, in on-line games the umpires have to get right on the computer. AS LONG as those people only use information required to successfully stop a cheater (IE they aren't going in and finding out what programs you have installed in your registry and uploading your outlook e-mail book etc...) then what is there to complain about?

    All of the stuff where it scans the URL of web sites, and views peoples MSN etc.. that's all tertiary to what its doing. It is scanning those because it is showing up as open windows processes, there is nothing for the anti cheat program to use to determine that the open windows AREN'T cheats, until it checks their names to see if it matches the signature.

    I don't think people realize just how clever cheaters can be. One of the cheats turned in for MOHAA involved using a bug with MSN and video drivers for ATI. If a notification was up, you could see through the walls!

    Then people wonder at the lengths anti cheat software is beginning to take.

  • Hyperbole (Score:5, Insightful)

    by phorm ( 591458 ) on Tuesday November 01, 2005 @03:56PM (#13925822) Journal
    Hoglund noted that the text strings in title bars could easily contain credit card details or social security numbers.

    Since when would a site submit a URL in the title? I assume this is for sites which don't have a <TITLE> tag, and just display the URL as the title. Even in that case, any website that submits a document with such information in the GET string is asking for trouble. It would allow it, among other things, to be viewed in the document history etc.

    We need to stop jumping every perceived violation. There seems to be a witch-hunt on for privacy/security violators, and often the assumptions of what 'could' create a security risk falls into the realm of pretty silly...
  • of vigilantes (Score:4, Insightful)

    by Iriel ( 810009 ) on Tuesday November 01, 2005 @03:57PM (#13925831) Homepage
    Whatever happened to the good ol' days of Diablo 1 online when I had to use a hack for the sole purpose of disabling everyone else's hacks around me?
  • Holy Grail 2 (Score:5, Insightful)

    by moviepig.com ( 745183 ) on Tuesday November 01, 2005 @04:00PM (#13925865)

    A cheater-robot gets caught because it plays a game better than any human could... right? So then, the real challenge for a human player is to be mistaken for a machine... a kind-of reverse Turing test...
  • by alphaseven ( 540122 ) on Tuesday November 01, 2005 @04:01PM (#13925877)
    I'm a little confused by the spyware allegations, like the program is looking at what you're running, but so does a virus checker or task manager, are those spyware programs too?
  • Re:nothing new (Score:4, Insightful)

    by Zathrus ( 232140 ) on Tuesday November 01, 2005 @04:02PM (#13925886) Homepage
    Warden was stealth/sleazed in under the radar

    Under whose radar? Blizzard announced that they were going to be doing this near the beginning of this year, and they've been reasonably upfront about it. There have been multiple forum postings as well.

    IF they want to prevent cheating, watch for behaviour patterns

    They do that as well. But, funny thing, guess which is more effective?

    And, frankly, the amount of whining and tin foil hat complaining going on over this is just ridiculous. They do not expose any private data at any point in time. The sniffing occurs only while you are playing the game, it does not negatively impact any other programs, all "gathered" data is hashed and compared purely on the client side, and only if the hashed data matches a list of "known bad" hashes is an indicator (again, only an indicator -- not the raw, unhashed data) sent back to Blizzard.

    If you want to complain, then complain about the possibility of false positives. Hash functions, by their very nature, do not ensure uniqueness. Multiple values will hash to the same value. I haven't seen a technical discussion of the hashing function, so it may be exceptionally rare, but it's still possible.

    And no, I don't play WoW or any other Blizzard game at this time. And I'm not a fanboy. I'm just tired of people blowing this out of proportion -- it just dilutes the response against real privacy/security threats.
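
Added example, not part of the thread and not Blizzard's code: a sketch of the hash-and-compare scheme described in the comment above, where only a match indicator leaves the client, together with the false-positive concern it raises. SHA-256, the `bits` truncation parameter, the function names and all window titles are assumptions constructed for illustration; the thread does not name the real hash function.

```python
import hashlib
import math


def digest(text: str, bits: int = 256) -> int:
    """Hash a string and keep only the top `bits` bits (256 = full digest).

    Assumption: SHA-256 stands in for whatever hash the real client uses.
    """
    full = int.from_bytes(hashlib.sha256(text.encode("utf-8")).digest(), "big")
    return full >> (256 - bits)


def build_blocklist(bad_titles, bits: int = 256) -> set:
    """What the server would ship to the client: hashes only, no plaintext."""
    return {digest(t, bits) for t in bad_titles}


def scan(window_titles, blocklist: set, bits: int = 256) -> dict:
    """Client-side comparison. The returned dict is the only thing reported:
    a yes/no indicator, never the titles that were examined."""
    matched = any(digest(t, bits) in blocklist for t in window_titles)
    return {"match": matched}


def expected_false_positives(n_benign: int, n_bad: int, bits: int) -> float:
    """Expected number of benign strings that hit the blocklist by chance,
    modelling the hash output as uniform over 2**bits values."""
    # P(one benign string hits any of n_bad hashes) = 1 - (1 - 2^-bits)^n_bad,
    # computed with log1p/expm1 so tiny probabilities do not round to zero.
    p_hit = -math.expm1(n_bad * math.log1p(-(2.0 ** -bits)))
    return n_benign * p_hit


def find_colliding_title(target: str, bits: int, limit: int = 2_000_000):
    """Search constructed benign-looking titles for one whose truncated hash
    equals the target's. Practical only for short hashes, which is the point."""
    want = digest(target, bits)
    for i in range(limit):
        candidate = f"Document {i} - Editor"
        if candidate != target and digest(candidate, bits) == want:
            return candidate
    return None


# Constructed sample data (not real cheat names or real window titles).
BAD_TITLES = ["ExampleBot v1.0"]
OPEN_WINDOWS = ["Inbox - Mail", "ExampleBot v1.0"]

if __name__ == "__main__":
    full = build_blocklist(BAD_TITLES)
    print("full hash, bot running:", scan(OPEN_WINDOWS, full))
    print("full hash, bot absent: ", scan(["Inbox - Mail"], full))

    # With a short (16-bit) hash, an unrelated title can trigger the flag.
    short = build_blocklist(BAD_TITLES, bits=16)
    innocent = find_colliding_title(BAD_TITLES[0], bits=16)
    print("16-bit collision:", innocent, scan([innocent], short, bits=16))

    for b in (16, 32, 64, 256):
        print(b, "bits:", expected_false_positives(10**6, 1000, b))
```

The false-positive rate depends almost entirely on the output width: a short checksum collides readily, while a full-width cryptographic digest makes a chance match negligible.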
  • by Dachannien ( 617929 ) on Tuesday November 01, 2005 @04:06PM (#13925917)
    and there is nothing morally wrong with using them

    You agree not to cheat. Then you cheat anyway. What's not immoral about that?

  • This is what PHP programmers have known for a LONG time.

    Just as you can hack some javascript to prevent validation, what makes them think we can't run some remote control software whose client happens to run on... *GASP* your own machine!

    But what are they gonna do next? Introduce captchas into the game every 5 minutes?

    No, sir. The answer is changing THE GAME RULES (the equivalent of validating user input in the server, not the client) so that quick advancement is not done. i.e. restrict repetitive training to N hours, and such.

    Trying to control the client is nonsense.
  • Paranoia (Score:5, Insightful)

    by SilentJ_PDX ( 559136 ) on Tuesday November 01, 2005 @04:10PM (#13925959) Homepage
    Mr Hoglund noted that the text strings in title bars could easily contain credit card details or social security numbers. ... even though he knows that - in the astonishingly massive world of Windows commercial software, shareware and freeware - there's not a single program out there that does this.

    Mr. Hoglund is an idiot.
  • Re:Not Again (Score:5, Insightful)

    by gstoddart ( 321705 ) on Tuesday November 01, 2005 @04:17PM (#13926028) Homepage

    A legit reason for a credit card is to make it harder for someone to just continue to get free trials by utilizing different e-mail accounts.

    I have a hard and fast rule -- if I'm not actually paying you any money, I'm not providing you with sufficient information to subsequently bill me.

    I absolutely will not provide CC information to use a 'free' trial. I also typically refuse to allow people to take moneys out of my accounts in the future without my interaction. You may send me an invoice. You may not just decide to take what you need.

    But, I'm probably being unrealistic. Nobody would ever misuse that, right?
  • Re:ummm..ok (Score:1, Insightful)

    by Anonymous Coward on Tuesday November 01, 2005 @04:22PM (#13926066)
    well, unfortunately this information wasn't provided to me when i purchased this game.
    so if i didn't agree with it, i have a worthless $50.00 USD game sitting here that I can't return, because no1 will accept software returns these days.
  • by Weaselmancer ( 533834 ) on Tuesday November 01, 2005 @04:23PM (#13926082)

    Well, I actually don't play the game so I haven't read the EULA. But I really have to wonder - does the EULA mention all the screwy stuff that this client checks? I'm guessing not since someone had to disassemble the sucker to find out what all this thing does.

    Mind you, I'm not against it at face value. I just think that consumers should be able to make informed decisions. If the EULA says the client software will probe your IM and figure out your friend's email addresses and you install anyway, then no problem. But that's probably not the case here.

  • Re:Waaaah (Score:2, Insightful)

    by Silverstrike ( 170889 ) on Tuesday November 01, 2005 @04:36PM (#13926197)
    I seriously doubt that the problem is the security of their code. We're not talking about a program that edits your saved games (ie: like the "trainers" for single-player Diablo). They're trying to prevent programs from hijacking the keyboard/mouse control and automating the game.

    Something like that can only be controlled on the operating system level.
  • by moviepig.com ( 745183 ) on Tuesday November 01, 2005 @04:41PM (#13926257)
    ...if you get to be any good at all, people will all the time accuse you of being a bot.

    I take your point. But people are easy to fool. The irony (re the Turing reversal) is to get a machine to think you're a machine.

  • by Taevin ( 850923 ) * on Tuesday November 01, 2005 @04:48PM (#13926323)
    I think a major difference is one of expectations. When I install a virus scanner and tell it to look for viruses, I have an explicit understanding that it is going to examine all of my files for traces of a virus. When I run World of Warcraft (or any other game) I expect it to be crunching numbers for physics, graphics, etc, not snooping around my system. Not only that, but the virus scanner will report back to me and will not send out data unless I explicitly agree to that. What makes these anti-cheat programs spyware is that they collect data, send it to another party, and perhaps most importantly, do so without first telling you that it is going to.
  • Re:Not Again (Score:2, Insightful)

    by dlt074 ( 548126 ) on Tuesday November 01, 2005 @04:54PM (#13926372)
    "Nobody would ever misuse that, right?"

    am i the only one with a credit card that has online fraud protection? i don't remember the last time i actually worried about my credit card number being stolen. every time i've disputed a charge that i didn't make or that i was not happy with, it was removed and i paid NOTHING.

    there are plenty of credit card companies out there! use the competition to your advantage! credit card companies are one of the few places where you can still get good customer service.
  • Re:Not Again (Score:2, Insightful)

    by gstoddart ( 321705 ) on Tuesday November 01, 2005 @05:05PM (#13926495) Homepage
    You know, they have these things called disposable credit card numbers now... Create a number, set the limit to $0.01 and freely give it out for "free trials". Even if they try to run it, the transaction fees will put them in the red.

    Not all banks/credit cards have these. So unless you go out of your way to get one, it may not be available to you. Some places have maglev trains, that doesn't make it a viable alternative for my commute to work tomorrow since there are none nearby. Simply saying "there exists something you may not have" is hardly a helpful suggestion.

    And, the act of trying to track down a disposable set of credit card numbers means I'm getting ready to purchase from a bunch of vendors in whom I have no trust. My solution is not to find how I can safely interact with such vendors, but to stay the hell away from them in the first place.

    But, it is true, that for a subset of all people with credit cards, there is a non-empty set of people who have this available to them. However, I bet more people don't have this available to them than those who do.
  • I, for one, think Blizzard is doing something positive here, and the complainers are probably cheaters or farmers -- or non-players. Cheating ruins the experience for honest customers.

    You're right. The benefits of not meeting the odd player exploiting holes in Blizzard's own software, far outweighs the essential complete annexation of your entire personal and private computer system by Blizzard entertainment, the creator of said exploits.

    I could draw parallels to the whole War on Terrorism keeping us all safe thing here, but I think it speaks for itself.
  • by east coast ( 590680 ) on Tuesday November 01, 2005 @05:10PM (#13926545)
    it's good that people are drawing attention to this -- maybe next time around, Blizzard will be faced with losing revenue should they try to implement the same kind of solution.

    Actually, it may raise revenue because I, for one, like the idea. It's not real spyware and it's keeping some script kiddies from twinking. That's fine in my book and frankly I'd feel better about playing a game where the attitude of the host(s) was more "we keep a level playing field for our users" than the "we got your cash now, sucker. Get used to it."

    As far as I'm concerned the whiners are complaining for a small number of reasons: they lost out in cheating, they want to cheat but fear the warden or they've fallen victim to FUD by the use of the word "spyware".

    I feel no pity for these people.
  • Re:ummm..ok (Score:2, Insightful)

    by enrgeeman ( 867240 ) <slashdot@enrgeeman.com> on Tuesday November 01, 2005 @05:24PM (#13926686) Homepage
    playing WoW isn't a public service either. Blizzard is a private company that has the right to ensure the safety (non-exploitation? I'm not sure of the word that would equate to safety in an online game) of its paying customers.
  • by Ibag ( 101144 ) on Tuesday November 01, 2005 @05:50PM (#13927003)
    "What MMORPGs need to do is implement better server-side analysis to identify cheaters. Difficult? Yes. Expensive? Yes. But probably less difficult and less expensive than losing craploads of clients, and hiring craploads of lawyers. Then they won't need to have the invasion clause in the license for their games."

    I'm sure that there are lots of things that Blizzard does server side to detect cheating. The problem is, their view of cheating is broad enough that it cannot be completely detected server side. Consider the following (real) example:

    During the WoW Beta, in game fishing was fairly easy to do. It was so easy, in fact, that people were able to completely automate the process. So Blizzard changed the mechanics of fishing so that you had to cast your line, observe a small splash if something got caught in your lure, and quickly click to reel your fish in before it escaped. People then wrote more elaborate fishing macros which had an external program constantly scanning sections of the screen for certain kinds of pixel changes that would indicate a splash. Blizzard then responded by slashing the prices of fished items that are sold to vendors. Macroing fishing went from highly profitable at a low level to unprofitable at all levels.

    The point of all this is that macroing fishing was completely within game mechanics. Except for noting the time that someone spends fishing (which may or may not be a good indicator of cheating), there was no way to detect this "cheating" server side. But it was cheating. It caused a few people to create wealth for themselves with no effort, which leads to an imbalance in other areas of the game (like equipment).

    People are (almost) not stupid enough anymore to use hacks that would change game mechanics for them. They would get caught very easily and they know it. With very few exceptions, cheating in WOW is limited to botting. There are small differences between how a human might play as opposed to a decent bot, but I'm not entirely sure that it is the kind of thing that can be detected server side.

    Do I want them scanning my computer? Not if it can be helped. However, if they are nice about it (reasonable disclosure, plus scanning only hashes and file sizes but not actual text, and not sending back any information that isn't absolutely necessary), it seems the best solution. Cheating is a serious problem in a game like this, and I'm not sure there is another viable approach to stopping botting.
  • Re:Not Again (Score:3, Insightful)

    by ildon ( 413912 ) on Tuesday November 01, 2005 @06:03PM (#13927162)
    If you honestly don't trust Blizzard with your CC number for a free trial, why on earth would you ever trust them for a paid subscription service? Your argument makes no fucking sense. You either trust a company with your CC number, or you don't. There is no "I only trust them if I want them to charge it".
  • by Damvan ( 824570 ) on Tuesday November 01, 2005 @06:14PM (#13927270)
    Well, it is their game, so they get to decide what is cheating and what isn't cheating. Don't agree with them? Don't play. I am sure lots of professional baseball players don't think steroids is cheating either, but MLB does so it is.
  • Re:ummm..ok (Score:4, Insightful)

    by jp10558 ( 748604 ) on Wednesday November 02, 2005 @01:09AM (#13929927)
    Ok, this is just specious:
    Should I be expected to forfeit my original $50 and a years worth of subscription fees because they changed the terms?

    What - did you suddenly lose the year's worth of gameplay you already experienced? Do you call up HBO when they cancel a show you liked and demand a refund from the moment you subscribed with them?

    I mean, you can stop playing the game! And stop paying for it.

    I would hope people understand that subscription based games are going to be like any subscription service rather than like the old single player CD based games which were like books (sort of).

    Of course, this among other issues is exactly why I have yet to buy or play a MMORPG.
  • Your argument is coherent and persuasive in the context of the game. However it falls apart under the simple realisation that the integrity of your person, property and privacy is more important than your experiences in an online game.

    That is, if you want them to be more important.
