Sunday, July 11, 2010

What Blizzard Doesn't Want You To Know - Part 4

Argument #3: Blizzard’s systems are foolproof, it’s impossible to compromise their database.

"To date Blizzard's systems have not been compromised at all. They are absolutely vigilant about their systems 24 hours a day. They have teams in place to monitor this every single second of the day."

Really? Come on.

I have to roll my eyes every time someone makes this comment, and I think it would be insulting to the intelligence of you readers if I were to link to any of the millions of research papers that address this silly misconception. In any field, security is actually a matter of degree: several measures and processes need to be implemented in order to further protect an asset.

Speak to anyone in IT / Security circles, and they'll all tell you the same thing: nothing is foolproof and nothing is perfectly secure. The Martin Fury internal affairs investigation comes to mind. The WoW Authenticator was also once described as foolproof.

Since I'm specifically interested in public Blizzard information, though, let's take a look at something that their official representatives have to say on the subject:

Here are the most interesting takeaways from this post:

- "To date, Blizzard Entertainment has not been compromised"
- "an inside job is not easy to perpetrate"
- "in addition to oversight, there are substantial and multi-layered safeguards in place"
- When the OP wrote "All I'm expecting is for people to at least open their minds to the possibility...", Malkorix's response was "When logic is applied, I'm afraid that it is your presumptions that are ruled out =/."
- "Of course no system is perfect - but that's why there are multiple layers of protection."
- "Regardless, while I'm not in a position to determine the precise origin of your compromise"


To summarize what was said:
"An inside job is not easy, but also not impossible."
"Blizzard has not been compromised, but no system is perfect and I wouldn't know if it happened or not anyway... I'm not in a position that allows me to access those details."
(Holy contradiction Batman!)

GMs, phone support, and CS Forum Representatives (such as Malkorix) don't operate in the same circles as the finance, IT/Security, and investigative teams. Investigation details are above his pay grade, and information regarding breaches or fraudulent activity within the company is kept private and confidential. I guess you could call this "plausible deniability" - no GMs/Forum reps are aware of any fraudulent activity, hence "to date, it's never happened within Blizzard." =]

Finally, here's another tidbit of information from Snowfox that explains "foolproof" systems:

Breaches, theft, fraud, employee terminations, employee health details, data loss / outages, system crashes, employee issues, assaults, investigations, etc. are all private and confidential information internal to every company. Unless there's a law requiring it, no company will ever publicly release this information.

You can learn a lot about a company, though, by who they employ and the types of skillsets that they're looking to hire.

Now, remember how Blizzard flat out stated that "To date, Blizzard Entertainment has not been compromised"?

Ignoring all of the major security breaches that have taken place within all of Blizzard's games (maphacks, speedhacks, leveling exploits, bots, boss bugs, item exploits, xyz hacks, etc.) and the variety of applications that can emulate Battle.net servers, let's look at the security of their websites and databases. (If all of their games have been hacked, why should their applications be any different? But for some reason, most users still claim that Blizzard security is foolproof.)

Multiple breaches have occurred; however, in each instance Blizzard made no announcements whatsoever. Instead, they were picked up by public news sources and Blizzard quietly swept the issue under the rug.

- On Jan 3 2001 the Diablo 2 Player Database was breached. Hundreds of thousands of accounts were deleted, and Blizzard had to recover 2-week-old data from older backup systems because the normal backup database was also hacked.
- On Oct 7 2005 Battle.net was defaced.
- On May 19 2006 Blizzard's European WoW webpage was defaced.
- On Nov 26 2006, Blizzard's Starcraft webpage was hacked.
- In Sep 2007, the Warcraft.net and Battle.net webpages were hacked and defaced by an Algerian hacker.
- This happened again on Nov 16, 2007.
- Sometime before March 7 2008, a Korean user installed key logging software internally on Blizzard's network, allowing him access to server and personal information. Many accounts (possibly thousands) were breached, and the personal information (names, addresses, passwords, etc.) was used to hack accounts (for stealing items/gold) and sold on the black market.
- On Sep 25 2008, Blizzard employee accounts were hacked and the Battle.net forums were breached (Another). Apparently a few months before this incident, employee accounts were also hacked and keyloggers were posted by "Blizzard employees".

Notice that Blizzard requested that the posts be removed? (More "reputation management", as mentioned before.)

- In November 2010, as you're all aware by now, a senior Blizzard manager leaked confidential sales information, global subscriber database details, release schedule, marketing and media plans/budgets, internal financial documents, etc.

I think those instances definitely prove that Blizzard has indeed been compromised. And these are just the ones that made it to public internet sources; who knows how many other breaches there have been, or how many others Blizzard has requested to be removed?

Note: On sc2pod, if you keep reading you'll see that there have also been other posts that Blizzard has ordered to be removed. Blizzard apparently has staff that monitors webpages and forums to control perception of the company (even Wikipedia is probably closely monitored by Blizzard).