Topic: World of Warcraft Spyware + EULA
eXemplar
Posts: 1313
Location: Brisbane, Queensland
A blog entry entitled 4.5 million copies of EULA-compliant spyware caught my attention while trolling through a few message boards this morning. It appears that World of Warcraft has some form of application present in it (or downloads it) that will search through your running programs and send hashes of information about them to Blizzard, in an attempt to enforce the EULA on cheating/botting in their game.

I watched the warden sniff down the email addresses of people I was communicating with on MSN, the URL of several websites that I had open at the time, and the names of all my running programs, including those that were minimized or in the toolbar. These strings can easily contain social security numbers or credit card numbers, for example, if I have Microsoft Excel or Quickbooks open w/ my personal finances at the time.


Although it appears that these strings parse through some sort of hash routine, I went sniffing through the WoW EULA and found this in section 13. Acknowledgments (Section 6 basically being we can ban you if you violate these),

IN THE EVENT THAT WORLD OF WARCRAFT DETECTS AN UNAUTHORIZED THIRD PARTY PROGRAM, BLIZZARD MAY (a) COMMUNICATE INFORMATION BACK TO BLIZZARD ENTERTAINMENT, INCLUDING WITHOUT LIMITATION YOUR ACCOUNT NAME, DETAILS ABOUT THE UNAUTHORIZED THIRD PARTY PROGRAM DETECTED, AND THE TIME AND DATE THE UNAUTHORIZED THIRD PARTY PROGRAM WAS DETECTED; AND/OR (b) EXERCISE ANY OR ALL OF ITS RIGHTS UNDER SECTION 6 OF THIS AGREEMENT, WITH OR WITHOUT PRIOR NOTICE TO THE USER.


Now, I'm all for stopping cheaters etc, but what sort of details will they get? What if it contains private/sensitive information (ie, credit card details)? The methods of finding programs accessing WoW's memory would also flag something accessing it just to find out your characters' names, or levels, which under the acknowledgements section of the EULA,
OR (iii) INTERCEPTS, "MINES," OR OTHERWISE COLLECTS INFORMATION FROM OR THROUGH WORLD OF WARCRAFT.

Is not allowed, but perfectly legal and reasonable.

Not that I actually play WoW, but there seems to be some sort of issue here on privacy and licences. Apparently if you agree to the licence to play, you have to accept the spyware and whatever else they package, even if it could involve the transmission of sensitive data. Another thought comes to mind, what about the anti-spyware law passed in California? Not that I know much about that, but it makes for an interesting read.

I'm not sure how long this will stand without some sort of legal action (if that even), but I think this will cause a fair few people reason for concern when they follow the normal 10 Click next 20 Click agree 30 Goto 10 installation procedure. I know I for one will start reading a bit more to what I'm agreeing away my rights to.
Lunch
Posts: 570
Location: Brisbane, Queensland
Blizzard already had my credit card number while (and still do I guess) I was playing WoW ;)

I could see how that type of thing could upset some people, but for me I'd be happy they actually had some form of anti-cheat software running.
Thundercracker
Posts: 1083
Location: Brisbane, Queensland
And the official response by Caydiem:

There’s some misinformation that’s going around in regard to the hack-scanning process (not a separate program) that we run within the World of Warcraft executable, so we’d like to take this opportunity to help clarify things for our players. First off, please note that our reluctance to discuss this issue is because in order to stay one step ahead of hackers, we have to be extremely careful in regard to what information we reveal about our security measures. Otherwise, we run the risk of revealing too much information and the hackers then being able to circumvent these security measures. This would of course defeat the purpose and leave World of Warcraft exposed to those relatively few unscrupulous players who want to cheat and ruin the experience for the millions of legitimate players.

Legally speaking, the scans are not a violation of rights. Understandably, that’s beside the point for the people who are concerned about our security measures. What those players seem to be concerned about is whether the hack scans are ethically appropriate. To address those concerns, we’d like to make it clear that the scan does not review or retrieve anything that’s personally identifiable. For example, the data that the scans read is not data that says, “This is John Doe’s computer. John lives at 123 ABC Drive, his phone number is ABC, his personal interests are XYZ, he has ABC friends, and he sent XYZ emails yesterday.” Again, we can’t get into what specifically it does look at, but we can say that all it tells us is whether a computer is hacking World of Warcraft. If the scan alerts us that hacking is taking place, we take action against the account, basically cutting off the access of that account to the game. Note that we have absolutely no need for any personal information from the player’s machine to take that action. That is, we can completely do our job and shut down a cheater’s account without gathering any personal data from his or her computer. Again, we have no use or desire for any personally identifying information that a player may have on his or her computer, and this particular security measure we have in place for World of Warcraft does not look at any such information on a player’s computer.

Some players have also raised the concern that this security measure slows down their computers. The process that World of Warcraft runs to protect itself has less of an impact on a computer’s performance than opening an all-text Web page or a single email.

As many players have noted, this security measure—designed wholly to protect the game itself and legitimate players from the actions of cheaters—is very similar to the security measures used by other online games for the same purpose. Punkbuster is one such example that players have pointed out. Our intent is not to deceive anyone—even those few players set on cheating in World of Warcraft. This is why we present the Terms of Use every time the game is updated and give players the choice of whether they want to play by the rules that we’ve established to keep the game fair for everyone. We would not want to lose any players over this concern, but ultimately, we feel we would run a greater risk of losing even more players if we did not provide for the game’s security. We hope that after carefully reading each updated version of the Terms of Use, players decide they want to agree to those terms and continue playing World of Warcraft. Hopefully this further addresses the concerns of those who have them, and we appreciate the support of the many players who helped to independently shed light on things for their fellow players.

As with any controversial or non-controversial topic related to World of Warcraft, we have no problem with players openly discussing their feelings about this issue in our forums. We do ask, however, that players with opposing perspectives remain civil and adhere to the Forum Code of Conduct, as we will continue to moderate the forums in accordance with that.
eXemplar
Posts: 1314
Location: Brisbane, Queensland
the data that the scans read is not data that says, “This is John Doe’s computer. John lives at 123 ABC Drive, his phone number is ABC, his personal interests are XYZ, he has ABC friends, and he sent XYZ emails yesterday.”


Unless that is contained in one of your window titles?

That is, we can completely do our job and shut down a cheater’s account without gathering any personal data from his or her computer.

Seems to be a bit off the eula mark, which would send ->
DETAILS ABOUT THE UNAUTHORIZED THIRD PARTY PROGRAM DETECTED

Although rather vague, could possibly contain private information. I didn't look hard, but they never say they don't share this information with third parties.

An interesting comment on rootkit.com is to have the name of a WoW hack in your MSN nickname, then message people while they're playing WoW, which may flag something on the "hack-scanner".

The points of the article were mainly around privacy rather than legality, because you agreed to their monitoring.
Khel
Posts: 10707
Location: Wynnum, Queensland
I'm assuming it does more than just check the titles of windows, or it'd be pretty easy to make a hack which just doesn't create a window, or creates a window with no title.

And I think it's a bit of a stretch to consider your list of running programs "personal information". If you're that paranoid about someone knowing what processes you have running, then you're probably doing something wrong anyway.
Fuknukle
Posts: 3832
Location: Brisbane, Queensland
yep totally agree with Khel
omg someones looking at the name on my msn window oh noes!
sif have your name as a wowhack anyway thats just dumb

not attacking you eXemplar, just the comment on rootkit.com
korbs
Posts: 801
Location: Brisbane, Queensland
If you're that paranoid about someone knowing what processes you have running, then you're probably doing something wrong anyway.


not to derail, but that's a pretty bad attitude to have. It's like the classic one:

"The police should be able to randomly enter peoples homes and search them. I mean, you would only object if you had something to HIDE, right?"

I'm not sure how civil liberties extend onto the internet, and i realise that you do agree to the terms and conditions when you install, but i do still think that it's an invasion of privacy and is ethically wrong.
eXemplar
Posts: 1317
Location: Brisbane, Queensland
I don't actually play WoW, as I said, but I was more interested in the privacy side of things. Nowhere in the EULA does it state what Blizzard will do with the information if they do suspect you of cheating. And privacy, even though you agree to those terms to play the game, does it really make it legal, or on a lesser scale right? I'm not too sure as to spyware and privacy laws, but this is what made me think about it. Most people who signed up for a WoW account probably had no idea this was happening.
Seven
Posts: 556
Location: Central Coast, New South Wales
Yeah, tbh I trust Blizzard and know that they wouldn't do anything suss with what they collected, plus I have nothing to hide. However, it's kind of like signing a piece of paper that says "I give blah blah permission to kill me"; although you signed the paper allowing it, doesn't mean it's not illegal or unethical.

Still, don't know if I would have done it any other way if I was Blizzard, cheating ruins s*** for everyone. Like they said, they've got millions of ppl to keep happy, and they need to implement something to maintain their universe.
Persay
Posts: 3418
Location: Brisbane, Queensland
average WoW user installing WoW:

OMG OMG I'VE GOT WoW
*puts cd in*
NEXT
NEXT
NEXT
NEXT
OK
OK
NEXT
OK
NEXT
INSTALL ALREADY!!!!!!!!!!!!!!!!!!

*spends 5 days leveling*
Khel
Posts: 10714
Location: Wynnum, Queensland
"The police should be able to randomly enter peoples homes and search them. I mean, you would only object if you had something to HIDE, right?"
I'm not sure how civil liberties extend onto the internet, and i realise that you do agree to the terms and conditions when you install, but i do still think that it's an invasion of privacy and is ethically wrong.


Someone busting into your house and someone scanning your list of running processes can't really be compared though can they. I don't see how your task list can be considered "personal space" and someone else seeing it being considered an invasion thereof. The way I see it, it's closer to the equivalent of department stores asking to look in your bag to see if you stole anything.
Lunch
Posts: 574
Location: Brisbane, Queensland
What about if you compared it to a guy who busts into your house and checks your PC for running processes? :)

I dunno, I just can't bring myself to keep the kind of information on a PC at home connected to the net that could be seen by others anyway. If I had to use myob/quickbooks or have that type of information on a PC it wouldn't be the same box that I'd play WoW/use to browse the net etc anyway.

parabol
Posts: 1798
Location: Brisbane, Queensland
The way I see it, it's closer to the equivalent of department stores asking to look in your bag to see if you stole anything.

It seems closer to the department store comprehensively checking through your bag and reading/scanning through all of your receipts, credit cards, even your mobile phone contacts, diary, etc, for evidence of current or past theft, but only recording whether you have stolen something or not.

The point is, a couple of those scans are valid, but still .. a full scan is made regardless of how much data is sent "back to base".

I have very little to hide, and most of my 'personal information' is absolutely useless and boring, but I'd have a problem with giving a company full, EULA-agreed access to my data like that. That's probably why I don't run much proprietary software anymore :)

last edited by parabol at 08:15:27 13/Oct/05
Khel
Posts: 10717
Location: Wynnum, Queensland
But they aren't checking personal information, as far as I understand it, they're checking your running processes to look for hacks? So the question is, do you consider your process list personal information, and I'd have to say, I don't.
Hogfather
Posts: 810
Location: Cairns, Queensland
parabol, I think I'm gonna have to side with the Sorbo's bish on this one. Retrieving a list of currently running processes is hardly a deep scan of a computer.
eXemplar
Posts: 1320
Location: Brisbane, Queensland
It doesn't just retrieve a running list of processes, it will also delve into the memory of that process. Granted what it sends to Blizzard to check will be hashed and whatnot, when it detects something that matches something flagged as a hack (who knows how it flags stuff as 'hacks', Blizzard is rightly keeping closed on that issue) it will send information about that program to Blizzard. Sure, that may not contain anything, and sure it may all be encrypted, but what if it isn't? What will they do with the information they gather about running programs? When I looked, nowhere was there any agreement prohibiting/allowing that.

Now I'm sure Blizzard is trustworthy, and I'd be happy to sign that agreement to let them monitor me. But what sort of precedent is this setting for other applications? I'm sure this won't be (or isn't) the first program that monitors outside itself for anything violating the rules laid down by the authors/distributors, but I had always gathered there were rights protecting users against such intrusion. If there isn't anything prohibiting it, why doesn't everyone do the same?

last edited by eXemplar at 17:06:27 13/Oct/05
parabol
Posts: 1800
Location: Brisbane, Queensland
as far as I understand it, they're checking your running processes to look for hacks?

I think it's more complex than that, otherwise ALL hacks could just get away by generating a random process name.

Blizzard already said (in the huge quote above), that they can't make public what measures they go to, to prevent hacks. Hence they could be looking through -anything-. You'll never know unless you run an I/O tracer.

I'd like to imagine that it's all safe, but considering Blizzard's previous brushes with personal information (I can't remember which game caused the previous controversy), I wouldn't blindly trust them to be looking out for OUR interests.

For example, let's say they DO somehow collect personal information (intentionally or not) and don't do evil with it. Then what happens if their servers get hacked and the information is stolen. In the U.S, many universities got hacked, with social security numbers and names copied. Even if you trust a company/institute with your information, a security breach will be very bad (tm).

last edited by parabol at 17:28:14 13/Oct/05
Zylox
Posts: 379
Location: Brisbane, Queensland
upon installing the new battlefield patch norton picked up some trojan thing which i blocked dunno if it was similar.
trog
AGN Admin
Posts: 17539
Location: Brisbane, Queensland
Security professional Bruce Schneier has dubbed this as spyware: "This is a program designed to spy on the user and report back to Blizzard. It's pretty benign, but the next company who does this may be less so. It definitely counts as spyware."
Tollaz0r!
Posts: 6874
Location: Brisbane, Queensland
Yer it is spyware, however it is somewhat necessary for strong anti-cheat pow0r!

My question is, do they store all the information they gather? Or do they delete it once it 'passes'?
Obes
Posts: 3728
Location: Brisbane, Queensland
Hacking is detectable in other ways than watching what's running.
It's a cop out, and one that won't work.
They need to be able to detect cheats server side. ie. Don't send data to clients unless they can get it through the default client. Don't do any client side processing, client sends commands to server, server checks it's possible and then does it, then returns output to client. Same with checking for speed hacking.

ShowEQ and Odin's Eye are proof of where there is a will there is a way, and that basically you don't want to have anything being processed at the client end.
Thundercracker
Posts: 1089
Location: Brisbane, Queensland
But quite often making as much as possible server side is unrealistic because it puts too much of a strain on the server resources.
Obes
Posts: 3729
Location: Brisbane, Queensland
It's realistic ... They just choose not to.
Thundercracker
Posts: 1090
Location: Brisbane, Queensland
On the contrary many of these problems do not pose a linear difference when the number of people increases. Another problem is the lag difference between the server and the player making some actions impossible to run server side.

Take player movement as an example. That is completely done client side, proven because you can get hacks that can teleport you or increase run speed. Why not make movement server side? Because could you imagine how horrible the game would play if when you pressed forwards you had to wait 400ms for your character to respond? So blizzard put in server checks, but they don't have the option of making it server side.
Obes
Posts: 3730
Location: Brisbane, Queensland
Movement is fair enough .. but it's easy to do random checks to check for hacking server side.

eXemplar
Posts: 1324
Location: Brisbane, Queensland
Don't do any client side processing


Unfortunately it's not quite that easy, there needs to be some client side checking. The hacks that you need to protect yourself in games like WoW are not anything like speed/teleport hacks etc, but ones that play the game for you.

I've seen a bot which will interact with the WoW client, and you are able to write scripts which will make it look like you're performing the actions whereas it's actually the bot. Nothing is processed client side, but all the actions are cheated. Although repetitive actions would be relatively easy to detect, with a bit of skill (and with the repetitiveness of levelling etc) it'd be a lot harder to catch someone unless they were singled out while not watching the client.

last edited by eXemplar at 14:41:54 14/Oct/05
Thundercracker
Posts: 1091
Location: Brisbane, Queensland
They do have checks for run speed on the server. The wind rider bug sometimes catches people out, because you can run around after the bug happens on the bat (or whatever) and the server detects this as a speed cheat.

Bots would be impossible to detect server side because they try to use the program like a user would, through mouse clicks and button presses.

Sending too much information has been a problem with WoW. On release you could get enemies' levels even if they were 10 levels above you etc.

What does ShowEQ do?
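
The server-side run-speed check discussed in the posts above, as an added example that is not part of the thread and is not Blizzard's code. The speed limits, tolerance, strike threshold and all names are constructed assumptions; the last replay reproduces the false positive mentioned above, where the server's record of how a player is moving is out of date.

```python
import math
from dataclasses import dataclass

# Constructed limits in world units per second; not values from any real game.
MAX_SPEED = {"run": 7.0, "mount": 14.0, "taxi": 30.0}
TOLERANCE = 1.25      # slack for latency jitter between client and server
STRIKES_TO_FLAG = 3   # consecutive violations before the account is flagged


@dataclass
class PlayerState:
    x: float
    y: float
    t: float              # server receive time of the last update
    mode: str = "run"     # movement mode as the server believes it to be
    strikes: int = 0
    flagged: bool = False


def validate_move(p: PlayerState, x: float, y: float, t: float) -> str:
    """Check one client-reported position against the server's speed limit.

    Returns "ok", "reject" (server keeps the old position) or "flag".
    """
    dt = t - p.t
    if dt <= 0:
        return "reject"   # replayed or out-of-order update; state unchanged
    speed = math.hypot(x - p.x, y - p.y) / dt
    if speed <= MAX_SPEED[p.mode] * TOLERANCE:
        p.x, p.y, p.t, p.strikes = x, y, t, 0
        return "ok"
    # Too fast for the recorded mode: keep the old position, advance the
    # clock so waiting does not buy a bigger jump, and count a strike.
    p.t = t
    p.strikes += 1
    if p.strikes >= STRIKES_TO_FLAG:
        p.flagged = True
        return "flag"
    return "reject"


def replay(mode, updates):
    """Feed (x, y, t) updates to a fresh player starting at the origin."""
    p = PlayerState(0.0, 0.0, 0.0, mode=mode)
    return [validate_move(p, x, y, t) for x, y, t in updates]


# Constructed traces: honest running, one teleport, and a player who is
# really being carried at taxi speed.
RUNNING = [(6, 0, 1), (12, 0, 2), (18, 0, 3)]
TELEPORT = [(6, 0, 1), (500, 0, 2), (12, 0, 3)]
CARRIED = [(30, 0, 1), (60, 0, 2), (90, 0, 3)]

if __name__ == "__main__":
    print("running       ", replay("run", RUNNING))
    print("teleport      ", replay("run", TELEPORT))
    print("taxi, in sync ", replay("taxi", CARRIED))
    # Same movement, but the server still has the player recorded as running:
    print("taxi, desynced", replay("run", CARRIED))
```

The strike counter keeps a single late packet from flagging anyone, but it does not help when the recorded mode is wrong for several updates in a row, which is why the desynced replay ends in a flag.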
Predator
Posts: 193
Location: Brisbane, Queensland
Who cares?

You would have to be a pretty strongly principled person to make this stop playing a game you enjoy and I think Blizzard knows this.
d[o_0]b
Posts: 757
Location: Brisbane, Queensland
have you got a 6 month post limit or something?
nikloas
Posts: 427
Location: Gold Coast, Queensland
haha
Hashy
Posts: 2811
Location: New South Wales
The predator stalks his thread until the time is right to...

POUNCE
Hogfather
Posts: 927
Location: Cairns, Queensland
Ahaha doob!
Insom
Posts: 864
Location: Brisbane, Queensland
ffs predator you gronk

reviving threads this old gets you killed
Tanaka Khan
Posts: 2919
Location: Brisbane, Queensland
Methinks he's trying to raise his post count.
speedhax
Posts: 42
Location: Brisbane, Queensland
yeah lets keep posting to keep it alive:)
Loki
Posts: 6662
Location: Brisbane, Queensland
the data that the scans read is not data that says, “This is John Doe’s computer. John lives at 123 ABC Drive, his phone number is ABC, his personal interests are XYZ, he has ABC friends, and he sent XYZ emails yesterday.”
Hahaha, except it does tell them which account it is.
Which, contains your name, credit card (assuming CC payment), address, city you live, postcode etc.
So essentially, it does point them to "this is john doe's computer".
Assuming they didnt use totally fake details upon account creation.

[edit] Gay, I didn't read the last few posts and didn't take note of time stamps.
Predator you thread reviving homo =]

Bots would be impossible to detect server side because they try to use the program like a user would, through mouse clicks and button presses.
For sure, I used a fishing bot when I played to get 300 fishing and also to get deviant fish (just line each slot in your bag with one deviant fish, set it up and go).

Best place to get them was in this tiny little corner in uhm, crap I forget the dungeon name - near X-Roads. Before the instance portal anyway; was a tiny corner that was obscured from view and hard to see, so hard to spot me fish botting anyway... oh plus auto-response bot on whisper :P

Was able to make bazillions of gold by doing this O/N and selling hordes of deviant delights and cheap prices.
Evis and I did advertising schemes of getting guildies to get together all as pirates/ninjas and dance around in big groups of 20, trains etc. people would go to AH and buy up the deviants to join in.

I never got caught doing it :)

Anyway, since we don't play nor do that little "cheat" anymore, just an idea for anybody who's still playing that POS game who's willing to risk it to make an assload of gold when not even at the keyboard :P

last edited by Loki at 20:01:56 13/Apr/06
GreenRedEarthAfterZooYears
Posts: 3466
Location: Other International
Best place to get them was in this tiny little corner in uhm, crap I forget the dungeon name - near X-Roads. Before the instance portal anyway; was a tiny corner that was obscured from view and hard to see, so hard to spot me fish botting anyway... oh plus auto-response bot on whisper :P

Was able to make bazillions of gold by doing this O/N and selling hordes of deviant delights and cheap prices.
Evis and I did advertising schemes of getting guildies to get together all as pirates/ninjas and dance around in big groups of 20, trains etc. people would go to AH and buy up the deviants to join in.
That's awesome.
Predator
Posts: 197
Location: Brisbane, Queensland
Heh yeah soz bout the revive, I was using the search function to find something and when I found it forgot to go back to the first page so started replying heh.

Post Count? Er yeah, considering I've been registered for 5 or 6 years now if it really mattered to me don't you think I'd have a crapload more?

If only I could remember the password to my original account :(

hmm, how bout an autolock after a month or something if people are really against revives? Then again it could be kinda fun just banning people heh.

last edited by Predator at 22:58:10 13/Apr/06