Showing posts with label hacks. Show all posts

Unrealized Reality of Diablo 3 -- Part 1

Posted by Dave On Saturday, August 13, 2011

Players grumbling about the persistent online-only requirement for Diablo 3 are being encouraged to "just grab the crack" to play offline. It sounds simple enough, but they're assuming that D3 is similar to Starcraft 2. :)

Starcraft 2 is considered an "online" game, but that's only for authentication DRM. SC2 has all of the level design, maps, single player missions/campaigns, and assets built right into the game and it was designed to be playable offline. That can be cracked.

Diablo 3, however, is more like World of Warcraft but also a slightly different creature.

World of Warcraft and Diablo 3 both come with all media assets, maps, and levels built into the game. But movement, player development and the characters themselves are controlled and stored on the server.

I think some gamers just haven't realized this. A "crack" will be possible eventually, but it will actually come in the form of an emulated server that will take weeks or even months to implement. Diablo 3 simply can't be played offline. Everything about your character is controlled by the server.

In World of Warcraft, all of the maps and levels are static (fixed). But in Diablo, the dungeons and levels are dynamically generated. It hasn't been mentioned in any interviews, but it's the SERVER that creates these random maps, random dungeons, random event scripting, mob locations, random NPCs, and vendor items for sale. The server might even control boss AI. All of this data is transferred to your client.

The game has been designed from the ground up for the server to generate all of the random content in the game.

We'll learn more soon enough (Diablo 3 beta invites next week), but because levels are randomly generated this makes botting, teleportation and speedhacks much more difficult. To conserve bandwidth, not all map data is going to be transferred to the client at once. I'm assuming that the map data will be transferred as you move throughout the world.. that is, the world is created around you (and cached) as you explore. If you jump too quickly to an area beyond an acceptable range, it makes teleportation and speedhacking very easy to detect. Imagine it like an invisible circle surrounding you.. it only caches land at its outer perimeter as you explore. The game code allows for a certain amount of flexibility, but if you go beyond its borders too quickly, it knows something is wrong. Movement tracking in D3 is more 2-dimensional too, as opposed to World of Warcraft's 3-dimensional character location (making internal calculations and hack detection algorithms that much easier).
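As an added example (not Blizzard's code, and not a claim about how Diablo 3 actually implements it), here is what the "invisible circle" check looks like in Python when the server is authoritative over position: it keeps the last accepted position and timestamp per character, computes the farthest the character could legitimately have travelled in the elapsed time, and drops any client-reported position outside that radius instead of applying it. The speed ceiling, latency slack and strike limit are assumed values, and the three position streams are constructed for the example.

```python
"""Server-side movement plausibility check (added example, not Blizzard code)."""
import math
from dataclasses import dataclass, field

MAX_SPEED = 6.0       # assumed: most world units per second a legitimate client can cover
LATENCY_SLACK = 0.25  # assumed: seconds of latency / clock skew tolerated per update
STRIKE_LIMIT = 3      # assumed: rejected updates before the character is flagged


@dataclass
class CharacterState:
    x: float
    y: float
    t: float                       # seconds since login of the last accepted update
    strikes: int = 0
    flagged: bool = False
    rejected: list = field(default_factory=list)


def allowed_radius(dt: float) -> float:
    """Radius of the 'invisible circle': the farthest a character may be from its
    last accepted position after dt seconds, with slack for latency."""
    return MAX_SPEED * (max(dt, 0.0) + LATENCY_SLACK)


def validate_move(state: CharacterState, x: float, y: float, t: float) -> bool:
    """Apply a client-reported position only if it is reachable; otherwise reject it."""
    dt = t - state.t
    dist = math.hypot(x - state.x, y - state.y)
    if dt < 0 or dist > allowed_radius(dt):
        # The server stays authoritative: the claimed position is never applied,
        # so a speedhacker drifts further from where the server says they are.
        state.strikes += 1
        state.rejected.append((x, y, t, round(dist, 1)))
        if state.strikes >= STRIKE_LIMIT:
            state.flagged = True
        return False
    state.x, state.y, state.t = x, y, t
    return True


def replay(updates, start=(0.0, 0.0, 0.0)) -> CharacterState:
    """Run a stream of (x, y, t) updates through the check and return the final state."""
    state = CharacterState(*start)
    for x, y, t in updates:
        validate_move(state, x, y, t)
    return state


# Constructed sample streams of (x, y, seconds since login).
LEGIT = [(1.5, 0.0, 0.3), (3.0, 1.0, 0.6), (4.5, 2.0, 0.9), (5.0, 4.0, 1.3)]
# Speedhack: 30 units every half second, i.e. 60 u/s against a 6 u/s ceiling.
SPEEDHACK = [(30.0, 0.0, 0.5), (60.0, 0.0, 1.0), (90.0, 0.0, 1.5), (120.0, 0.0, 2.0)]
# Teleport: one normal step, then a single 500-unit jump.
TELEPORT = [(2.0, 0.0, 0.4), (400.0, 300.0, 0.8)]

if __name__ == "__main__":
    for name, stream in (("legit", LEGIT), ("speedhack", SPEEDHACK), ("teleport", TELEPORT)):
        s = replay(stream)
        print(f"{name}: server position=({s.x}, {s.y}) strikes={s.strikes} flagged={s.flagged}")
```

The check is deliberately 2-dimensional, matching the post's point about D3 movement. A real server would have to widen `MAX_SPEED` for movement buffs or skills it granted itself, and would treat the strike count as input to a detection pipeline rather than an automatic ban, since latency spikes produce the occasional false reject.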

(** Update: Here's an example of what happens when random map data created by the server isn't transferred quickly enough to the client. Local model editing for the purposes of world building or area changes, like in WOW, is not possible on live Diablo 3 servers because of this new system. However, the fastest way of getting an emulated server up-and-running is to simply create static maps and fixed weapon and item drops. It would be very easy to capture one randomly generated map, for example, from the live beta server and just use that as the template for the emulated server. So yeah.. the fastest way to "crack" the game is just to remove the random generation.)

It's easier to cheat in World of Warcraft because "explored land" is fixed and always there. Diablo 3's randomly generated terrain is trickier though, as you're now beginning to realize. :)

It's actually quite brilliant for hack detection, prevention of botting (which relies on pre-programmed pathing), and DRM. It ensures that everyone buys the game once they realize "it can't be hacked", at least in the beginning.

And, Blizzard is not going to share this information with anyone. Why? Because when the game comes out, no one will be able to create an offline crack for it. Everyone will assume it's uncrackable and not realize that an emulated server needs to be constructed first.

"Dude. This game is like uncrackable.. there hasn't been a crack for weeks now and everyone's been begging for one. I'm just gonna go buy it."

During the beta, however, some clever programmers will start building a server emulator.. so if Blizzard can roll out the retail very quickly, they can hit retail a long time before the first B.NET emulators hit. They also have legal precedent on their side to combat B.NET emulators.. remember BNETD? :)

This is a great form of DRM, since it's not "persistent online authentication style DRM" that can be cracked but more like WoW with server generated levels and maps. It will eliminate piracy, at least in the beginning, and generate even more sales than an offline capable (aka "crackable") Diablo 3.

If you step back and look at all this holistically, you'll see some connections happening here.

* Only the server generates random content and stores the character, so the game client must be connected at all times.
* In order to crack the game, a server emulator will be required.
* They don't want users to know this until it's too late (e.g. they bought the game, emulated server comes out months later).
* Blizzard already has legal backing to prevent the creation of a server emulator.
* Because terrain is randomly generated, it makes teleportation and speedhacking much more difficult. Botting is also more difficult since pathing changes with each game session.
* The online-only component allows Blizzard to implement paid auction houses, and because of their immense popularity they can create a new standard for other businesses. Not only for RMT, but also their online-only approach.
* Any single player game can be redesigned so that a server is required to transfer simple on-the-fly content.
* While other game developers will be "indebted" to Blizzard, this opens up more business opportunities for their new 3rd party RMT partner (PayPal?).
* This RMT scheme also makes the Titan MMO RMT surprises much easier to accept when it's finally announced. Titan RMT will be D3 RMT v2.0. If Titan were announced today, I think there would be a LOT of angry people. D3, though, will get their feet wet and ease them into this new business paradigm.

Blizzard has some really smart people working for them.

I can't believe I missed this!

Remember that MTV interview where Blizzard was shocked about the fans reaction to the Diablo 3 persistent online requirement?

Well, Robert Bridenbecker also stated that by implementing these online requirements:

You're guaranteeing that there are no hacks, no dupes.
Let me repeat that. Blizzard's Vice President of Online Technologies just said that they're GUARANTEEING no hacks and no dupes because it's online.

I have no words for this.

Diablo 3 Duplication Exploits

Posted by Dave On Sunday, August 7, 2011

I will be creating some blogposts about gold/cash making in Diablo 3. The new RMT system really interests me, so I'll be jumping right into that. It will be easier once the game comes out, of course, but for now I already know of some sneaky (and currently unpublished) methods. Most of them will be legitimate methods of gold farming and I haven't decided yet whether to create the more shady guides. :)

But first, there's something I need to get off my chest.

If anyone ever says that World of Warcraft has never had duping, or that Diablo 3 will never have duplication exploits because WoW has never had them, I am sorry, but you are completely wrong.

Anyone who believes this is:

* Misinformed and they believed it without question
* or, they don't know for sure but go with the flow
* or, they only read official Blizzard press releases and didn't read other WoW news sites
* or, they never read the forums
* or, they know it happened but they drank the blue kool-aid, pushed it into the back of their memories, will only say positive things about Blizzard, and will try to convince everyone else in their beliefs.

Diablo 3 will have dupe exploits and tricks as well, I have no doubt in my mind. Item duping, gold duping, point duping, or stat duping (e.g. stacking of stats).. users will always find a way.

Blizzard has a great team of programmers, but a lot of these exploits slip by. They have a limited number of QA testers, and besides, they are tasked with testing the gameplay, quests, and bugs that appear in normal gaming sessions for the casual player. They don't sit there with WPE (a packet editor) trying to exploit the game.

Exploits are discovered over a long period of time, after thousands of players have played the game and stretched the variety of gameplay in every direction.

Unfortunately, most gamers believe "Diablo = Serverside = no Dupes/Hacks". I am completely shocked by the number of players who believe this. Wikipedia and even wowwiki have "duping" articles because they're so common. Please, question everything.

If anyone ever does tell you that "WoW duping never happened", just send them a link back here. Below are some examples of item duplication exploits and tricks that have taken place on the official World of Warcraft realms.

* From 2004-2005 [LINK 1] [LINK 2]

a. Player 1 hands player 2 a large amount of gold
b. Player 1 goes into the instance. If the bug works, he/she will get kicked back out after a delay.
c. Player 1 will have the original amount of gold he had before he traded and player 2 will still have the traded gold he received as well.
d. Rinse and repeat
* They extended maintenance in late July to fix the dupe exploit that had been around since beta. [LINK]
* After this issue was fixed, players found out another method by fearing players (or mind controlling them) into bugged instances and duped items and gold again. This method still worked in TBC.
* From 2004-2008 [LINK 1] [LINK 2]
Trade equipment with another player, then make a character with an inappropriate name so that it gets reported and reset, or con a GM into a reset. Policy exploitation could also be used by claiming hacks and having the account reset. All items/gold duped.
* From 2004-2010 Trade gold/items with another player, have the character rolled back to the state before the trade by entering bugged instances, realm reset exploits, or GM request.
* 2004-2009 Duplication and control of disenchants by filling up bag slots, cancelling, and trading items.
* 2004-2010 Recharging items with limited charges by re-stacking items with newer timers.
* 2007 Guild Bank rollbacks.
* 2008 Rolling BG instability issue, causing players to DC and rollback (trade items first).
* 2004-2006 Auction House duping. Players were duping Nexus Crystals mostly, but any item could be duped. You would place multiple items in the Auction House as quickly as possible. As soon as the first item expires, you cancel the rest of your auctions. You would get back all of the cancelled items (20 crystals) and you would also get back the "expired items" (19 crystals). That's 39 Nexus Crystals duped from 20 posted.
* 2004-2005 Warsong Badge Dupe [LINK]
* 2010 The loot bag duping trick for infinite Justice Points [LINK]
* 2010-2011 Non-combat pet dupe exploit.
* 2011 Daily quest duping by exploiting the time zones of shared instance servers to reset timer.
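The Auction House entry above, and the trade-then-rollback entries before it, are the same class of bug: two code paths can each hand an item back, and nothing makes "this item was returned" a single, once-only state change. The toy model below is an added example written for this post (not Blizzard code, and no claim about how the real 2004-2006 bug was implemented). It replays the race the post describes: twenty identical auctions, an expiry sweep that snapshots the due auctions and starts returning them, and a cancel-all that lands while the sweep is mid-flight. The vulnerable house honours both paths and mails 39 items for 20 posted; the hardened house makes the ACTIVE to EXPIRED/CANCELLED transition atomic and mails exactly 20. Which path yields 20 and which 19 depends on ordering, so the split here differs from the post's; the total is what matters.

```python
"""Toy auction house showing an item-return race (added example, not Blizzard code)."""
from dataclasses import dataclass
from typing import Dict, List

ACTIVE, EXPIRED, CANCELLED = "active", "expired", "cancelled"


@dataclass
class Auction:
    auction_id: int
    seller: str
    item: str
    expires_at: int
    state: str = ACTIVE


class AuctionHouse:
    """Shared plumbing: posting, the seller's mailbox, and a two-phase expiry sweep
    (snapshot the due auctions, then settle them one by one). On a real server the
    sweep and the player's cancel request run on different threads, so a cancel can
    land between the two phases; run_dupe() below forces exactly that interleaving."""

    def __init__(self) -> None:
        self.auctions: Dict[int, Auction] = {}
        self.mailbox: Dict[str, List[str]] = {}   # seller -> items mailed back
        self._next_id = 1

    def post(self, seller: str, item: str, expires_at: int) -> int:
        a = Auction(self._next_id, seller, item, expires_at)
        self.auctions[a.auction_id] = a
        self._next_id += 1
        return a.auction_id

    def _mail(self, auction: Auction) -> None:
        self.mailbox.setdefault(auction.seller, []).append(auction.item)

    def due_snapshot(self, now: int) -> List[int]:
        return [a.auction_id for a in self.auctions.values() if a.expires_at <= now]

    def returned(self, seller: str) -> int:
        return len(self.mailbox.get(seller, []))


class VulnerableAuctionHouse(AuctionHouse):
    def expire(self, auction_id: int) -> None:
        # Trusts the snapshot taken in phase 1 and never re-reads the live state.
        self._mail(self.auctions[auction_id])
        self.auctions[auction_id].state = EXPIRED

    def cancel_all(self, seller: str) -> None:
        # Checks state at this instant, but nothing stops the sweep mailing again later.
        for a in self.auctions.values():
            if a.seller == seller and a.state == ACTIVE:
                self._mail(a)
                a.state = CANCELLED


class HardenedAuctionHouse(AuctionHouse):
    def _settle(self, auction: Auction, new_state: str) -> bool:
        # One atomic transition: the item is mailed exactly once, on the
        # ACTIVE -> EXPIRED/CANCELLED edge, whichever path wins the race.
        if auction.state != ACTIVE:
            return False
        auction.state = new_state
        self._mail(auction)
        return True

    def expire(self, auction_id: int) -> None:
        self._settle(self.auctions[auction_id], EXPIRED)

    def cancel_all(self, seller: str) -> None:
        for a in self.auctions.values():
            if a.seller == seller:
                self._settle(a, CANCELLED)


def run_dupe(house_cls, count: int = 20) -> int:
    """Replay the post's race and return how many items the seller got back."""
    house = house_cls()
    for i in range(count):
        house.post("seller", f"Nexus Crystal #{i + 1}", expires_at=100)
    due = house.due_snapshot(now=100)   # sweep phase 1: all 20 are due
    house.expire(due[0])                # sweep returns the first item...
    house.cancel_all("seller")          # ...and the player cancels the rest meanwhile
    for auction_id in due[1:]:          # sweep phase 2 continues from its stale snapshot
        house.expire(auction_id)
    return house.returned("seller")


if __name__ == "__main__":
    print("vulnerable:", run_dupe(VulnerableAuctionHouse), "items from 20 posted")
    print("hardened:  ", run_dupe(HardenedAuctionHouse), "items from 20 posted")
```

In a real backend `_settle` is a conditional write in the same transaction as the mail insert (in SQL terms, `UPDATE auctions SET state = ? WHERE id = ? AND state = 'active'`, mailing only when exactly one row changed). The rollback dupes in the list above break the same invariant from the other side: the trade's item transfer and the character's state change were not committed together, so one side could be reverted without the other.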

And remember.. these are just the ones that made it public because they were so exhaustively exploited. How many dupe exploits are there that only a couple, very cautious, people know about?

Gold Seller Ads on Official WoW Forums

Posted by Daeity On Tuesday, August 31, 2010

This is actually a little bit of history which I'd like to preserve on the blog.

Back in late January 2009, Blizzard's advertisements were accidentally swapped out with Gold Seller ads. (Links: wow.com, cgenetwork.com, 1up.com)


Other than this one incident, I recall that it happened a few times actually: on BNet Forums, WoW Forums, and the waiting room of Diablo 2.

But in each case, most (if not all) news instances started to "disappear" and people later forgot. It didn't help that threads were locked, forum entries were deleted, and Blizzard told sites to remove the news.

So it's difficult finding information on these accidents now and it's something that Blizzard would prefer that you forget. =]

Reading over the forums, you'll see that Blizzard employees and players alike will all insist that "Blizzard has NEVER been breached. They've never been hacked. They have security measures in place that make them foolproof and 100% protected."

(Note: I never understood that logic so I simply chalk it up to "Blizzard Indoctrination". It's funny because if a game developer creates games that melt video cards and are full of bugs, cheats, issues that take years to fix, exploits, and can easily be hacked and exploited.. why would anything else they create be so different?)

Although employees insist that "To this date Blizzard has never been breached", in an earlier post I listed many cases of Blizzard database breaches, how Blizzard employee accounts have been compromised (and used to spread keyloggers on official forums), and other hacking activities. When the Blizzard employee accounts were compromised, Blizzard sent notifications to websites to remove the information ("Reputation Management"). And those were just the breaches that made public headlines! Who really knows how many breaches there have been?

Some of these are just accidents and "glitches" while others are major security breaches.

This has been going on for years, but it's obvious that it has been forgotten by most. That's why preservation is so important. =]

What Blizzard Doesn't Want You To Know - Part 7

Posted by Daeity On Thursday, July 15, 2010

While I was looking around for public Blizzard employee information, I came across an old article from wow.com called "Account security mythbusting."

It's a very entertaining read, you should check it out.

The article was written by Michael Sacco (Dec 31st / 2008) where he disproves various "myths" about the company due to his vast experience working for Blizzard Entertainment.

Here were my 2 favorite parts from the article:

MYTH: Blizzard's internal security has been compromised, which is why these notices have gone up.

Blizzard's internal security has never been compromised. If your account is compromised, it is your fault.

Take it from the dude who worked there--it's not Blizzard's fault that your account was compromised.

Myth Status: BUSTED
Wow! That's a very bold statement!

Although... he does mention "hackers" breaking into Blizzard from the outside. That's a different approach than what I was writing about. I don't think he considered internal theft. It's not called "hacking" if the employee simply copies-and-pastes customer details into an email. =]

Monitoring software would catch that, but there are sneakier ways to escort information outside of the building. Excluding malicious activity, sometimes it's just accidental: employees leaving USB drives/laptops in their cars, a weak media disposal policy leaving recoverable data on hard drives, or backup tapes going missing.

Like I said though, no security is foolproof and there's no such thing as 100% security. It's simply Data Security 101.
MYTH: Blizzard Authenticators can be hacked, removed, or bypassed by a third party.

Myth Status: BUSTED
Blizzard Authenticators can be removed by social engineering means (he confirms a couple of ways). As for stating that it's impossible for Blizzard Authenticators to be hacked or bypassed.. sorry, it did happen.

Encryption can _eventually_ be brute-force cracked (so I try to avoid words like "impossible", "never" or "can't"), but after all that there's no point in encryption if there's a keylogger on your PC.

His article has a few other "myths" too, but they're irrelevant to my earlier posts.

The following is a little background on Michael Sacco by the way.

He was a Blizzard employee (CS Forum Representative for 3 years) under the name Belfaire. His previous work experience before becoming a Joystiq editor was:
  • Community Representative (1 Year 1 Month)
  • Team Manager (11 Months)
  • In-Game Support Representative (10 Months)
  • Retail Clothing
Nothing about internal affairs or IT security related positions in his past. (Typically, you're privy to different levels of information based on your pay grade and the circles you operate in.)

Also, from what I was told by Blizzard employees, the internal affairs positions were part of a very small and "elite" team, and you were selected rather than applying for the position. This team was also heavily discouraged from interacting with the other ("regular") employees due to their important responsibilities.

What Blizzard Doesn't Want You To Know - Part 6

Posted by Daeity On Tuesday, July 13, 2010

Those "Fraud Manager" job results are slowly disappearing from Google, so I took some screenshots before they're gone forever. :)

(Screenshots #1 through #5 of the job listings were attached here.)

I'd like to keep at least some evidence that they did at one time exist, especially because so many people said it didn't exist and then proceeded to insinuate that a Tin Foil Hat was needed. :P (Even with all of that other supporting documentation that I provided.)

Funny that Blizzard is suddenly removing all of those posts.. I guess my post must have hit a nerve somewhere? =] I don't think it's really that big of a deal though, I was just trying to make a simple point that no business is 100% secure and fraud incidents can either be internal or external.

Some took the post a little too far, "It's a conspiracy!!!". But I think it's just because they've never heard of it before and don't realize just how common internal fraud is.

So to clarify: Don't worry, it's actually no big deal - this happens EVERYWHERE. You've just never been aware of it. =]

I've worked with several Fortune 500 companies and every single one of them has some form of fraud. Whether it's physical theft of office supplies, theft of credit card numbers, theft of virtual property, account details (for harassment purposes) or theft of company information (corporate espionage), it can happen and does happen. It also depends on the employee's position, moral character, security rights, skills and data that they have access to. (For example, a Billing Representative might have access to credit card information, but not virtual account details.)

"The U.S. Chamber of Commerce estimates that 75 percent of all employees steal at least once, and that half of these steal repeatedly. The Chamber also reports that one of every three business failures is the direct result of employee theft. According to the U.S. Department of Commerce, employee dishonesty costs American business in excess of $50 billion annually. It can happen in your company." (Source)

Hell, even Mark Zuckerberg (you know, the Facebook CEO) bragged about reading private information and using the details for personal gain or entertainment.

There's no big conspiracy, this is all just stuff that happens in every business (but they don't want you to know about it).

  • No, Blizzard is not in cahoots with gold sellers.
  • No, this isn't a marketing scheme to sell authenticators.
  • Recruiting is not a perfect science and sometimes Blizzard may hire bad apples. It's hard to filter the good from the bad. This happens in every company.

What Blizzard Doesn't Want You To Know - Part 5

Posted by Daeity On Sunday, July 11, 2010

Argument #4: Blizzard does not employ fraud specialists or fraud managers, that's just conspiracy talk.

Here's my favorite Blizzard posting from Faizaniel.

Apparently, I am 'trying to make some kind of conspiracy theory about Blizzard recently having a job listing up for a "fraud manager".'

Faizaniel, by the way, is one of Blizzard's Most Valuable Posters (apparently #1 of all MVPs)! His position is described as someone who consistently answers Blizzard questions with accuracy and credibility. MVPs also promote constructive posting, are polite, tell the truth, and are specifically chosen due to their strong knowledge. Interesting..

Anyhow, here's the official Blizzard posting for the job that doesn't exist. =]

Fraud Manager at Blizzard Entertainment
Location: Irvine, CA (Orange County, California Area)
URL: http://www.blizzard.com
Type: Full-time
Experience: Mid-Senior level
Functions: Finance
Industries: Computer Games
Posted: April 20, 2010

Job Description
Blizzard Entertainment has an immediate opening for a fraud manager with a minimum of five years experience in this type of position. Duties will involve investigating credit card accounts in order to detect and stop fraudulent activity while preventing chargebacks and consumer disputes. Additional duties include calling issuing banks and customers for transaction verification, reviewing account referrals for fraudulent activity, and replying to third party inquiries.

Responsibilities
Closely monitor fraud attempts and losses.
Regularly and proactively analyze fraudulent transactional data to identify previously unknown groups or individuals.
Identify trends, standard practices, and modus operandi of fraud groups and individuals.
Utilize advanced relational database, link analysis software programs, SQL and access to create and run queries to determine fraud trends, identify fraud rings, and link unidentified transactions and accounts to known fraudulent activity.
Monitor investigations and deal directly with law enforcement as necessary
Maintain standard reporting metrics and provide non-standard management reporting and metrics as required.

Requirements
Minimum of 5 years related experience, preferably within a corporate/private setting focusing on fraud prevention and investigation
Ability to maintain extreme confidentiality
SQL or other relational database query language skills
Excellent organizational, analytical, and written/verbal communication skills
Ability to work independently to achieve results
Basic technical understanding of data and data storage
Basic understanding of credit card processing flow, payment fraud, the travel industry, e-commerce, and the credit card industry
Strong project and time management skills
Proficient internet research, Excel, Word, Outlook, and overall PC skills
Successful completion of a background check

Pluses
Degree in criminal justice or a related field
Experience in e-commerce
Experience utilizing internal fraud tools, system/site administration tools, and CRS or GDS systems
Job ID: 933896
(Google cached search still shows it as of this blog post date.)

The job posting was previously on the Blizzard.com Careers page, however it was quickly removed after my Reddit comment on this post regarding the position and what the job entailed. The posting was available on about 10 different (and highly recognized) job boards, and they were all posted at different times & dates. The "Fraud Manager" position was also posted 'new' on June 16, 2010 - however ALL references to this fraud manager position were removed just after my post. It's definitely eyebrow-raising.. I could understand if they expired automatically, but they were posted at different times and the fact that one job posting was pulled after only 2 weeks is highly suspicious. =]

At the time, I thought it would just be interesting to talk about the jobs available at Blizzard, and what that says about the company and internal operations. If I had known Blizzard was going to delete all references to their fraud-related internal investigations team - I would have taken more screenshots.

(FYI: There have also been postings for internal affairs and fraud specialists over the past year or so, in addition to the recent "Fraud Manager" job.)

Here are some other jobs that Blizzard has hired for in the past by the way:

* Facilities Manager & Facilities Coordinator -> hmmm, I guess that means their sites need to be managed (clean up, repairs, construction, etc.)
* IT Administrative Assistant -> IT Managers do a lot, and they sometimes need help
* Human Resources -> workers compensation, special needs, employee disagreements, personnel/HR related issues (assault, harassment, etc.)
* Senior HR Generalist
* Company Nurse -> accidental injuries, general health management, emergency response, paper cuts, etc.
* Human Resources Generalist -> more HR related jobs
* Recruiter -> the ones who screen you first, first line of defense and IMHO one of the most important jobs in a company to ensure you hire the right people
* Specialist, Learning & Organizational Development -> internal training, company advancement, etc.
* Internal Affairs Representative -> monitoring the employees for fraud/theft/policy violations
* Team Manager, Internal Affairs -> managing, coaching, and approving overtime for the investigation teams

(Sources: Nerd Dungeon, Archive.org)

In the end, the point I'm trying to make is this: Blizzard hires individuals to fill a need in the organization. One of those needs is to prevent, monitor, and investigate fraud within the company.

Prevention involves implementing security measures and software to prevent fraudulent activities, as well as creating effective internal policies (with follow-up enforcement and education). However, monitoring and investigations (this is their job responsibility) are both POST-incident activities. In order to catch someone in the act (monitoring), you need to see the incident occurring and act on it. If the fraud activity is not caught but there is evidence, then it's fully investigated (reports, logs, paper trails, speaking to the users involved, etc.)

So, they are hiring Fraud Specialists whose duties are to investigate fraudulent incidents that have basically already taken place. Therefore, this isn't really a "preventative" position, as that would fall under the scope of InfoSec / IT Security / Applications Development.

Note: When there is a billing accident (e.g. Blizzard bills you twice), that's not corporate fraud - that's just a simple mistake. Once you alert a Billing Representative, they can quickly and easily revert the charges for you. Although some people are calling these billing mistakes "fraud", it's far from it.. the Billing Department fixes these, there's no need for a fraud investigation to take place. When actual fraud occurs there are two things that happen: internal fraud or someone external trying to defraud Blizzard. What's important to note, though, is that the "Fraud Manager" description does not mention working with Credit Card companies, but it does mention dealing "directly with law enforcement" and the utilization of "internal fraud tools and system/site admin tools."

One other interesting item is that one of the primary skills required for this job is the "Ability to maintain extreme confidentiality." This makes it very difficult to obtain information on the position, but here's a couple Blizzard employees I found that were previously in the Fraud department:

Ian Wynne, Fraud Specialist - Source: http://www.linkedin.com/in/ianwynne

Interesting notes I learned from Ian:

* the "Fraud Specialists" title is kept out of public eye, instead they are called "Billing Representatives" in official announcements & postings. (See "Reputation Management".)
* there are multi-million dollar yearly losses due to internal fraud.
* there's a Global fraud team. (See "Data Breach Notification laws", based by country.)

Andrew Bellinger, Internal Affairs - Source: http://www.linkedin.com/pub/andrew-bellinger/a/209/867

Interesting notes I learned from Andrew:

* moving up quickly within the company, do I see senior management in his future? =]
* his job description was later updated to show "Internal Affairs work." Note, that's "internal affairs" not external investigations.

Additional details on Andrew show that his position is called "Internal Affairs, Account Administrator". Take note that he investigates internal employees for infringement of company policies. (Many people are still in complete denial of this, but it's very common practice in both Blizzard and other corporations - they need internal security teams to monitor their own employees for policy violations like theft of property or information.)

Patrick Nagel, Internal Affairs Representative - Source: http://www.linkedin.com/pub/patrick-nagel/20/3b4/986

Interesting notes I learned from Patrick:

* the "Internal Affairs" position involves documentation and maintenance of records about their internal employees.
* there are external information leaks, which he also investigates.
* there is large scale exploitation and collusion. This is actually pretty serious, and means that there are massive cover ups and conspiracies taking place within the organization (really though, a conspiracy is just 2 or more people working together to some end.)
* also note that large scale exploitation wouldn't mean the occasional player exploited the game.. this is large scale exploitation within the organization (ie, theft of information and exploitation of said information)
* there are internal investigations and reports of external impacts due to internal activities (e.g., fraud, theft & selling, etc.)

Stefan Modh, Internal Affairs - Source: http://ie.linkedin.com/in/stefanmodh

Interesting notes I learned from Stefan:

* he's on the Internal Affairs team that monitors the Customer Support departments responsible for supporting WoW and SC2 customers.
* he works out of the call center in Ireland

Addendum:

- To the Blizzard employees reading this. I'm sorry guys, but as a result of this posting you may see more stringent policies regarding information that you can post publicly. For example, certain job titles can no longer be posted on LinkedIn, etc.

- Even with this overwhelming evidence, it boggles my mind that many people are still convinced that internal security positions within Blizzard do not exist, or they tell others that "internal affairs" means investigating players for hacking, botting, etc. It's normal for businesses to investigate and monitor their own employees, especially if they have access to account or credit card information. Anyone who has worked in a corporate environment knows this. Unfortunately, there's a false belief (complete denial?) that Blizzard employees can do no wrong. Were you aware that most "Blizzard" customer support staff are in fact outsourced to overseas call centers (ClientLogic / Sitel) where they're paid poor wages? Surprisingly, most players are not aware of this.


Argument #3: Blizzard’s systems are foolproof, it’s impossible to compromise their database.

"To date Blizzard's systems have not been compromised at all. They are absolutely vigilant about their systems 24 hours a day. They have teams in place to monitor this every single second of the day."

Really? Come on.

I have to roll my eyes every time someone makes this comment, and I think it would be insulting to the intelligence of you readers if I were to link to any of the millions of research papers that address this silly misconception. In any field, security is actually a degree of security.. several measures and processes need to be implemented in order to further protect an asset.

Speak to anyone in IT / Security circles, and they'll all tell you the same thing: nothing is foolproof & nothing is perfectly secure. The Martin Fury internal affairs investigation comes to mind. And, the WoW Authenticator was also once described as foolproof.

Since I'm specifically interested in public Blizzard information, though, let's take a look at something that their official representatives have to say on the subject:

Here are the most interesting take-away's from this post:

"To date, Blizzard Entertainment has not been compromised"
"an inside job is not easy to perpetrate"
"in addition to oversight, there are substantial and multi-layered safeguards in place"
When the OP wrote "All I'm expecting is for people to at least open their minds to the possibility...", Malkorix's response was "When logic is applied, I'm afraid that it is your presumptions that are ruled out =/."
"Of course no system is perfect - but that's why there are multiple layers of protection."
"Regardless, while I'm not in a position to determine the precise origin of your compromise"


To summarize what was said:
"An inside job is not easy, but also not impossible."
"Blizzard has not been compromised, but no system is perfect and I wouldn't know if it happened or not anyway.. I'm not in a position that allows me to access those details."
(Holy contradiction Batman!)

GMs, phone support, and CS Forum Representatives (such as Malkorix) don't operate in the same circles as the finance, IT/Security, and investigative teams. Investigation details are above his pay grade, and private information regarding breaches or fraudulent activity within the company is kept private and confidential. I guess you could call this "plausible deniability" - no GMs/Forum reps are aware of any fraudulent activity, hence "to date, it's never happened within Blizzard." =]

Finally, here's another tidbit of information from Snowfox that explains "foolproof" systems:

Breaches, theft, fraud, employee terminations, employee health details, data loss / outages, system crashes, employee issues, assaults, investigations, etc. are all private and confidential information internal to every company. Unless there's a law requiring so, no company will ever publicly release this information.

You can learn a lot about a company though, by who they employ and the types of skillsets that they're looking to hire.

Now, remember how Blizzard flat out stated that "To date, Blizzard Entertainment has not been compromised"?

Setting aside all of the major security breaches that have taken place within Blizzard's games (maphacks, speedhacks, leveling exploits, bots, boss bugs, item exploits, xyz hacks, etc.) and the variety of applications that can emulate Battle.net servers, let's look at the security of their websites and databases. (If all of their games have been hacked, why should their web applications be any different? Yet for some reason, most users still claim that Blizzard security is foolproof.)

Multiple breaches have occurred, but in each instance Blizzard made no announcement whatsoever. Instead, they were picked up by public news sources and Blizzard quietly swept the issue under the rug.

- On Jan 3 2001 the Diablo 2 Player Database was breached. Hundreds of thousands of accounts were deleted, and Blizzard had to recover two-week-old data from older backup systems because the normal backup database was also hacked.
- On Oct 7 2005 Battle.net was defaced.
- On May 19 2006 Blizzard's European WoW webpage was defaced.
- On Nov 26 2006, Blizzard's Starcraft webpage was hacked.
- In Sep 2007, the Warcraft.net and Battle.net webpages were hacked and defaced by an Algerian hacker.
- This happened again on Nov 16, 2007.
- Sometime before March 7 2008, a Korean user installed key logging software internally on Blizzard's network, allowing him access to server and personal information. Many accounts (possibly thousands) were breached, and the personal information (names, address, passwords, etc.) was used to hack accounts (for stealing items/gold) and sold on the black market.
- On Sep 25 2008, Blizzard employee accounts were hacked and the Battle.net forums were breached (Another). Apparently a few months before this incident, employee accounts were also hacked and keyloggers were posted by "Blizzard employees".

Note that Blizzard requested that those posts be removed (more "reputation management", as mentioned before).

- In November 2010, as you're all aware by now, a senior Blizzard manager leaked confidential sales information, global subscriber database details, release schedule, marketing and media plans/budgets, internal financial documents, etc.

I think those instances definitely prove that Blizzard has indeed been compromised. And these are just the ones that made it to public internet sources, who knows how many other breaches there have been or how many others Blizzard has requested to be removed?

Note: On sc2pod, if you keep reading you'll see that there have also been other posts that Blizzard has ordered to be removed. Blizzard apparently has staff that monitors webpages and forums to control perception of the company (even Wikipedia is probably closely monitored by Blizzard).

What Blizzard Doesn't Want You To Know - Part 3

Posted by Daeity On Saturday, July 10, 2010

Argument #2: Blizzard is required by federal and state law to notify of data breaches.

This was a pretty common reply actually and I was a little bit surprised that people believed this. A quick investigation would have revealed the truth. But that's what this series is all about: awareness.

You see, data breach laws vary from state to state and some states don't even have legislation at the moment.

There are also no federal laws that regulate data breach notification. However, there are some that regulate the type of information that can be collected and the levels of security recommended (really it's just helpful guidance). Since data breach laws in the US vary from state to state (if a state has a law at all), each law may be drastically different in regards to what is classified as a breach, fines, reporting, what needs to be notified, who is notified, governing bodies, etc. As you can imagine, some state laws are more flexible than others. And that's only if the data is physically located in the US.

Consider the number of corporations that outsource or offshore their operations overseas. Due to their location, they are under no obligation to report any data breaches that may occur. Here are some companies that outsource/offshore by the way: IBM, Microsoft, Oracle, Cisco, HP, Dell, Gateway, AT&T Wireless, Telus, Bell Canada, GE, and wait for it.. Blizzard.

Under current CA State Law, Blizzard would typically only need to notify the single person affected (no mass announcements) and that's only if they confirm without a doubt that the individual's information was indeed breached. HOWEVER, Blizzard is under no obligation or law that requires them to notify anyone.

The most important data breach component is the “trigger mechanism”. In California, the obligation to notify an individual of a security breach is triggered when the breach is likely to result in “serious harm” or involves a “serious risk”. What counts as “serious harm” or “serious risk” is not defined by any outside body.

It is the internal organization itself that determines what constitutes a “serious harm” or “serious risk”. There is no external body that performs this function. Additionally, there is no requirement to report to an overseeing body, nor is there a sanction for failing to notify individuals of a security breach.

These risk assessments are made internally, and there is no external body, or even a requirement to report to one. A WoW account being stolen would not be classified as "serious harm" or "serious risk" for the individual involved. Hence, Blizzard is exempt from data breach notifications. Even credit card theft would not be a trigger due to the low risk involved to the victim (unlike healthcare information).

Data breach notification laws were primarily focused on the health care industry, government and educational sectors. There are other private organizations that report breaches, but it all depends on the type of data they keep. If you're interested in data breach announcements, check out Google.com/News -> Search for "data breach".

Now, if something very bad were to happen, then yes - a large announcement would be made. The information would leak eventually, so it's in the corporation's best interest, as it would look very bad if they tried to hide the fact that some 200,000 accounts were breached. However, 50-200 account breaches per week is negligible, and an official announcement is unnecessary and not required by law.

To summarize, under existing law Blizzard is under no obligation to alert the public, or even the individuals themselves, in the event of an internal or external account breach.

(Other Sources:
Senate Bill 1386, Senate Bill 1166, Federal Information Security and Data Breach Notification Laws, Do Data Breach Disclosure Laws Reduce Identity Theft?)

Addendum:

These sources also provided some interesting information on the subject of data breaches (identity theft) and a comparison of keylogging/phishing versus internal theft.

Identity Theft Causes (Internal Employee vs. External Keyloggers/Phishing/etc) From 3 Different Research Groups



I received some really good feedback from the Reddit community from my post there. Here were the strongest arguments available and I'll go through each of them:

  • There is no increase in hacking of WoW accounts. Here's your tinfoil hat.
  • Blizzard is required by federal and state law to notify everyone of any such breach. Since there has been no notifications, no breaches have occurred.
  • Blizzard's systems are foolproof, it's impossible to compromise their database. They have layers and layers of security.
  • Blizzard does not employ fraud specialists or fraud managers: "I see a blog hosted on a free site with one post that seems to be trying to make some kind of conspiracy theory about Blizzard recently having a job listing up for a "fraud manager"."
The point of my first post was simply to convey awareness of the types of jobs/careers at Blizzard (all public information) and the subsequent success and effectiveness of Blizzard's reputation management (ie, "Blizzard indoctrination of users"). Users should not always be blamed for their accounts being hacked - I just want to make it clear that it's not always the user's fault. There are a lot of factors that the general public is not aware of.

Argument #1: There is no increase in hacking.

I haven't been able to find any official and clear announcements that confirm that there is no increase in hacking incidents. (Not that there ever will be any official statements from Blizzard.)

However, there are a lot of users claiming that Blizzard has confirmed multiple times that there has been no increase. (See "Blizzard indoctrination".)

There are plenty of blue posts that redirect the issue however - e.g. "We take these matters seriously. Please check your own PC. etc. etc." All of the responses are in accordance with their internal company policy (ie, kept as ambiguous as possible so as not to confirm or deny anything.) For example, they're not saying for a fact your computer is infected with keyloggers, but you should check your security anyways. =]

Just like any good business, Blizzard maintains internal records of ongoing investigations and issues. There are internal statistics that would show hacking/fraud trends, but this information will never be released by Blizzard - it's private and confidential. Why would they release this information and hurt their reputation and business?

Fortunately, there are other methods of obtaining data and trends. Consider this, what's the first thing an average user does when their account has been hacked?

They probably call Blizzard, post on their forums, but definitely do a Google search for available solutions.

Blizzard support lines are down due to severe load, and WoW Forum posts do indicate an upward trend (and questioning of this trend) in account hacking over the past few months.

But let's see what the pinnacle of human-behavior-tracking (Google) has to say:


WOW!!

That's some spike in the number of WoW accounts being hacked.. and coincidentally, all within the same timeframe as mentioned by users on the forums. Google Trends/Insight can provide a great wealth of information, and in this case, has shown significant growth (an explosion if you will) in compromised accounts within the past few months.

What could possibly account for this many accounts being compromised at the same time, when user education and the security of users' PCs/accounts have only increased, and Blizzard maintains that there has been no change in account hacking trends?

To also show that the increase in hacked WoW accounts is not directly related to growth in subscription counts (ie, user base), here's a chart that shows total WoW subscriptions from 2004 to June 2010:

(Sources: IB Times, MMOGChart, WoW Trends)

As you can see, WoW hacking incidents have increased while subscription levels have actually decreased or remained steady.

Does this not confirm that there is actually an upwards trend in hacking activities?

  1. Total number of players is decreasing.
  2. Increased education of users (security, scams, etc.)
  3. Increased security measures and new detection tools.
  4. Total number of hacking incidents is increasing.
Additional Notes:

Note the frequency of Blizzard's announcements regarding their customer base. They used to make an announcement quite regularly with each surge, but it's completely stopped for over a year now.

Although the authenticator is not flawless (man-in-the-middle attacks), I would recommend that everyone get one. An added layer of authentication is highly valuable, and significantly increases the security of your account.
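As an added illustration of that caveat (example code written for this page, not Blizzard's implementation; the Battle.net Authenticator's actual parameters are not given in the post, so a generic 6-digit, 30-second, HMAC-SHA1 RFC 6238 TOTP is assumed): a small TOTP verifier with the replay guard a server should keep, and a simulated real-time phishing relay. The shared secret is the RFC's own test key and the timestamps are constructed. It shows both halves of the point: a code typed into a phishing page and forwarded to the real server within the same 30-second step is accepted (the man-in-the-middle case), while the same code replayed after the window, or a second time, is rejected.

```python
"""
Added example, not from the original post and not Blizzard's code.
Assumed (not stated on the page): generic RFC 6238 TOTP, 6 digits,
30-second step, HMAC-SHA1. The secret and timestamps are constructed.
"""
import hashlib
import hmac
import struct

STEP = 30      # seconds per TOTP window
DIGITS = 6
SKEW = 1       # accept +/- one window of clock drift, as RFC 6238 suggests


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP built on RFC 4226 HOTP (HMAC-SHA1 + dynamic truncation)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server side: accept each time step at most once, tolerating small skew."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._last_used_counter = -1   # replay guard (RFC 6238 section 5.2)

    def verify(self, code: str, unix_time: int) -> bool:
        for delta in range(-SKEW, SKEW + 1):
            counter = unix_time // STEP + delta
            if counter <= self._last_used_counter:
                continue   # a step at or before the last success is never re-accepted
            if hmac.compare_digest(totp(self._secret, counter * STEP), code):
                self._last_used_counter = counter
                return True
        return False


def relay_attack(secret: bytes, victim_time: int, attacker_delay: int) -> bool:
    """Simulated man-in-the-middle: the victim types a live code into a phishing
    page at victim_time; the attacker forwards it to the real server
    attacker_delay seconds later. Returns True if the server accepts it."""
    server = TotpVerifier(secret)
    code_typed_by_victim = totp(secret, victim_time)
    return server.verify(code_typed_by_victim, victim_time + attacker_delay)


if __name__ == "__main__":
    # RFC 6238 test key; T=59 is the RFC's first test vector (8-digit 94287082).
    key = b"12345678901234567890"
    print("code at T=59:", totp(key, 59))
    print("relayed within 10s accepted:", relay_attack(key, 59, 10))
    print("relayed after 120s accepted:", relay_attack(key, 59, 120))
```

The relay result is the whole reason a phishing page that proxies the login in real time beats an authenticator: the code is genuine, it is just being spent by the attacker instead of you. What the authenticator still buys you is that a stolen password alone, or a code captured and replayed later, is useless.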

* UPDATE:

I received a comment from Ty (****bluc@yahoo.com) who writes:

"My account was recently hacked for the first time, as well as a friend that had not played in months. When I called Blizz support, they did indicate that it may take some time to restore due to an increase in the volume of hacked accounts, recently."

So, there's another: Blizzard Support also states that there has been an increase in volume of hacked accounts.

* UPDATE:

In the original Reddit post, a user named "nattylife" even claimed that they worked for Blizzard and yet had never heard of any security breaches within Blizzard. Really? There have been many breaches in the past. These are just the ones that made it public, and some are news items Blizzard has issued C&Ds for. And yet they've been completely oblivious to all of this? Does that mean that most Customer Support staff have no insight into Blizzard's internal security issues? It seems so, and I have also confirmed this from other sources.

Keep in mind, too, that a LOT of Blizzard's customer support is outsourced to call centers where information of this nature is unavailable.

Some of the feedback I received on Reddit (as you can see yourself) was a little disappointing. Unfortunately, this is a VERY COMMON issue on Reddit, where most users simply read the subject line and the first paragraph, and then say "WRONG!" without ever providing supporting evidence or research.

What Blizzard Doesn't Want You To Know - Part 1

Posted by Daeity On Thursday, July 8, 2010

Over the past several weeks, there has been an exponential explosion of WoW Account Hacking. Thousands of accounts that haven't been active for years are suddenly being logged into, with Unauthorized Authenticators attached to their accounts, while items and characters are being stripped down to gold and deleted. Even live accounts are being stolen from users who have ample security measures in place or are even IT/Security specialists themselves.

Blizzard's phone support has not been available for weeks at a time ("Sorry, call back later.") as well.

There are outcries from victims on WoW Forums, but I found it strange that in almost all cases the victim was being blamed for the issue occurring. All of the haters (whose accounts were perfectly fine mind you) were blaming the victim for not securing their PCs or not protecting their account properly.

Yes, this does happen.. but there are other ways accounts (just like credit cards) can be compromised that have nothing to do with the victim, their surfing habits, or their PC. What was strange about this specific case is that there were a lot of unanswered questions about this particular "explosion" of account thefts.. why was it happening to really old accounts without authenticators? Why such a large number in such a short time?

But then I noticed something strange happening. Forum posts that were asking too many questions or ones where the user had absolute confidence in the security of their system were suddenly being deleted or locked. Specific posts were being targeted and deleted (e.g. victim confirms no keyloggers or phishing attempts, or they blame Blizzard for the issue), while the posts where the victim was being blamed for the issue were being left behind.

My suspicion was confirmed when someone posted a link on the WoW forums to one of my old lurking grounds: Blizzard is having major problems right now: Account Database has been breached, thousands of accounts impacted so far.

Funny.. I remember Reddit for having intelligent and playful conversation, but overall grounded in common sense. Something had changed though since I was last there and many comments were simply divorced from reality. They regurgitated the same old crap that I saw on the WoW Forums - "It's your own fault for not securing your PC." It's as if sanity was thrown out the window and they were brainwashed.

But it actually made perfect sense! And here's why:

Corporations are all the same (you'll know this if you've ever worked in one.) Blizzard is a corporation just like all of the others, they have internal squabbles, power plays, brown nosing, office politics, HR issues, sexual harassment, fraud/theft, etc. Every corporation goes through this, the bigger they are the more issues they have.

Note: Check out Glassdoor.com & Jobvent.com Blizzard Entertainment reviews if you want to hear from the employees themselves.

And what you probably already (should) know is that Blizzard works very hard and spends millions of dollars to control company perception. They're religious zealots when it comes to reputation management and they are so successful, in fact, that most gamers live under the impression that Blizzard is a mystical entity that's completely immune from problems. Not many companies can pull this off.

What people forget is that Blizzard employs (just like everyone else) Human Resources personnel, security, IT Security, and Fraud Specialists whose specific duties are to monitor and investigate internal employees for credit card theft and user account fraud (ie, unauthorized access to users' account details).

Understand that it can be quite difficult (almost impossible) for email/phone Customer Support, CS Forum Representatives, and GMs to access information. However, it can be quite easy (depending on skill level) for IT Support Staff, Database Administrators, Finance/Billing to access billing and gaming account information if they were so inclined.

You can learn a lot about a company by the careers/jobs that they offer! =]

Now, Blizzard's official policy has always been to just say "Check your home PC for security holes, that's where the problem is." But this script always reminds me of calling Technical Support and is a good demonstration of what separates user reactions in response to Blizzard versus other service providers.

For example, if you were to call Gateway/Dell/HP about computer hardware issues they'll ask if you changed any settings or installed new software, and ultimately try to blame the issue on you or forward you to another manufacturer. You don't buy it though, you know who is truly responsible and realize that they're just feeding you a line.

However, Blizzard indoctrination is so incredibly successful that when Blizzard Support tells you your account was hacked because of you, you completely believe them, blame yourself, panic about the security measures protecting your PC ("MS Security Essentials must not be enough!") and ultimately change all of your account passwords. Not only that, but you also get to suffer additional blame from the WoW forums and your online friends.

I actually admire Blizzard for this, they're doing a truly fantastic job! (I really mean this, their processes are as polished as their games.)

It's well known that Blizzard's internal organization and structure is kept hidden from the public eye, and corporate perception is controlled in news postings, employee policy, and heavily moderated forum posts. But, it's as if no one knows that Blizzard employs FRAUD SPECIALISTS for the specific task of investigating their own employees who steal credit card information and steal/sell accounts (which can be done in large quantities too.) That should be a big hint right there!

So let's review:

  • Blizzard employs Fraud Specialists whose responsibilities include monitoring internal staff for account and credit card theft.
  • Thousands of accounts have suddenly been hacked with Unauthorized Authenticators attached.
  • Many of the accounts hacked haven't been active in months/years. Users confirm that their computers are perfectly secured. In some cases, the users were security or IT specialists - well aware of the associated dangers and how to protect themselves.
  • Forum posts are being deleted that denounce Blizzard, forum posts are being "promoted" that blame the user.
  • Blizzard's response to all hacking incidents is for the victim to check and secure their PC.
You do the math.

Now, I'm not saying that all of these account hacking incidents were the result of internal theft, but at least be OPEN to the possibility that it's not always the user's fault. (I know I keep re-emphasizing this... but they employ freaking FRAUD SPECIALISTS who investigate their own employees! It was on their career board!)

That's all I'm saying. They're employed for a reason.

It's typically a very small number of employees who engage in these types of activities and there are several methods to gain access to user accounts or credit card information.

Internally, it would be very easy to gain access to a large quantity of accounts depending on their skill level. I'd love to see their HR records and statistics regarding internal investigations, theft/fraud, etc. but like all other businesses, this type of information will never see the light of day. It happens in all businesses and as the economy falters, employee theft will be on the rise. I suspect that internal investigations can be rather challenging as well and difficult to prove.

Note: The reason I'm saying that it "WAS" on their career board was because shortly after my Reddit post talking about the Fraud Specialist positions at Blizzard, the job postings were suddenly removed from several job boards across the interwebs and even from the Blizzard Careers page itself. Coincidence? Maybe. But if you're interested, check out the Google cached pages for "Fraud Manager" or "Fraud Specialist".

Blizzard's new "Real ID" system has also now been announced. This will be a really good distraction from the ongoing account hacking issues that are currently taking place. That's probably an actual coincidence though, as it's been planned for a while. =]