We need more encryption and security, not less

http://falkvinge.net/2015/01/14/hilarious-activists-turn-tables-on-political-surveillance-hawks-wiretaps-them-with-honeypot-open-wi-fi-at-security-conference/

The linked article shows just how trivial it is to use metadata to identify the entity associated with the connecting device and start to unpick further details of their life, work and the supposedly secure stuff they’re working on.

Security, a thought for the day

If the ‘good guys’ have a backdoor then so do the criminals
If the ‘good guys’ can crack your encryption, so can the criminals

Having weak encryption would not have stopped the Paris attacks as the security services had already stopped monitoring them.

If you think “I don’t use encryption” then think again, when you bought something online you used encryption, when you made a mobile phone call encryption was needed to protect the setup of the call, your password is stored (or should be) in an encrypted format to prevent hackers from simply downloading a human readable list and so on. Encryption isn’t some dark evil used only by terrorists, it’s used by all of us for good reasons. The government needs to give better reasons for denying it to the public than “terrorists!!”.

Alternatively maybe they’ll be happy that all their governmental and private communications are no longer encrypted to make the job of the press easier in reporting on their deeds and misdeeds, for surely if they have “nothing to hide they have nothing to fear”

Authenticator change, let’s follow the money

Been pondering and I think I’ve come up with a reason for this apparently stupid change which has no visible driving reason, no screaming customers, no mega threads on the official forums (or indeed on blogs) about how terrible it is to keep entering the authenticator numbers.

Nothing which really explains why they’ve made the change.

So, let’s fall back to the standard in any business or political field and follow the money.

Authenticators, how they work

Authenticators are a third party product which are made and branded for Blizz by Vasco, functionally they’re pretty much the same as the RSA secureID system which many people will have encountered in a work environment or indeed to the systems which many banks are rolling out to their customers for online access security.

At the backend these systems tend to be the operators own authentication system, coupled with an API provided by the security vendor and hardware authentication boxes (HSM in my field, hardware security module) which do the heavy lifting of actually performing the security check on the supplied number.  Each of these machines as a finite capacity in terms of queries per second, usually some reasonably aggressive support contract response times (let’s face it having your auth system down is a bad thing) and often a license fee based on the number of queries over a set period (for example 90% of the peak value measured over the month).

All of which means $$$ to Blizzard, and the bad sort.  It’s money heading out to Vasco.

We have a trail.. let’s follow

The problem Blizzard face is controlling the costs incurred by the security system, something which is funded mostly out of reduced support costs (less compromises and clean up).  However that’s rather intangible and doesn’t keep the accountants happy.  From an opex point of view the authenticators are an overhead and one which is increasing with time, from a risk perspective there is a chance to reduce the load on the HSMs without significantly increasing the changes of a compromise.

If we look at the entire bnet customer base and extract information on accounts which have been compromised, then pull out the numbers for those compromised with authenticators and then further filter factoring in ‘location’ information based on IP.  Then I suggest that accounts which have an authenticator, log in from a ‘regular’ IP and have been compromised from that IP is a tiny fraction of the total.

Therefore altering the authentication mechanism such that it only checks for an authenticator value once ever “n weeks” or “z logins” when the auth is coming from a ‘regular’ location (defined as “the account has logged in from this location successfully using the authenticator Y times in the last P weeks”).  With some reset mechanics thrown in to drop back to full security checking when there has been suspicious attempts.  Then from the corporate point of view this is a good trade off.  It lowers the load on the HSMs, it cuts back the licensing / support costs without greatly increasing the support costs in dealing with a higher load of compromises.

Additionally we have Diablo 3 on the horizon which means fresh players, fresh authenticators and additional load on the system.  I have no doubt that the current bug which causes players to be kicked out when changing toons forcing a fresh login has also had some impact on their usage stats which might have triggered them making this live ahead of schedule.

Customer expectations

This is the big fail from Blizz, they’ve been banging the account security drum for ages, with good reason.  It’s bad PR for customer accounts to be hacked regularly, encourages criminal activity and generally annoys the paying customer.  Annoy them enough and they’ll go and get their MMO crack from somewhere else.

The biggest fail was rolling it out, letting the “good location” database populate and then stop asking for authenticators.  Which as any geek with an ounce of security sense would have told them will have normal players panicing.  The system changed, it changed in a way which the players have been told means an account compromise.

Stupid, massively predictable and stupid

If Blizzard needs to fix one thing it’s their internal processes and communication.

Real ID, next steps

I’ve previously discussed my general thoughts around Real ID, the problems with it and some of the motivations which were driving Blizzard.  I do not actually ascribe malicious intent to Blizzard or Activision.  I know this goes against the received wisdom that Kotick is satan reincarnate but to be honest I think this is so much garbage.  It’s more likely that the system was put together without serious input from outside the company, much like Google’s Buzz, remember how much grief that caused when that launched, it’s largely the same principle at work.  Large corporations are used to sharing information internally, pushing contact details all over the place, there is also a tendency within large corporations for people to ‘share’ information about themselves as part of introductions in meetings, particularly for kick-off meetings without remembering that there are people who like to only share details of their lives on their terms.  I count myself in the latter group.

Anyway onto the meat of this post, thoughts on what we’re doing already out on the web for ourselves and where I believe Blizzard are going to try to use Real ID to provide ‘new’ services and make more cash off us.

Sharing, everyone is doing it!

Let’s have a look at what millions of people are already doing, without an apparent care in the world

  • “Friending” just about anyone (Facebook / LiveJournal / etc)
  • Sharing family details, relationship status, birthday with either the ‘friends’ list or the whole world
  • Sharing details about interests with the world
  • Sharing (almost) minute by minute location information
  • Writing in great detail about the ups and downs of their lives, their loves, sex, illnesses, financial woes, names of banks

Facebook is a fact of life, I read somewhere recently that they’ve gone through the 500 million subscriber window.  Even if only half of those are regularly users that still a huge number of people sharing their data with just about anyone.  For some users it’s a race to see who can have the most “friends” and be as open as possible about the most intimate details of their lives.

It would be complete nonsense to assume that at least some of Blizzards millions of subscribers use Facebook.   Indeed a significant number are using it to keep track of when raids are meant to be and build a social shell around a raiding core, to build interest and bonds which keep the group going through the slow periods.

Communities of interest

Blizzard wants to keep building on the guild model, it’s part of the social aspect to the game which keeps players within Warcraft rather than drifting off to another MMO or RTS game.  I’m as guilty as other people, one of the ties which keeps me playing WoW rather than exploring EVE or LotRO is that the ‘home’ guild is full of people I know, I think there’s only one I’ve not physically met and of the rest one who I’ve not shared a beer (or other alcoholic beverage) at some point in the last decade and a half, and that’s only because he’s underage.  So vent is part of how we play the game, running dungeons for run and relaxation is what we do, the social aspect is important.  The raiding guild (until it suffered from pre-cata collapse) had a different feel to it, friendly but not ‘social’ in the same sense, in my use of the game the raiding guild was there to provide the solid progression challenge and the home guild to provide the social base.

Social guilds tend to provide their own glue, with the interaction of the players keeping things ticking over, possibly with larger guilds having a forum or using such as Facebook for out of game communication and co-ordination.

For larger guilds and those focused on specific progression (raiding, levelling, RP, PvP and so on) there is a whole service industry

  • Guild websites
  • Guild forums
  • Sites collecting information about the game (wowhead, wowwiki, mmochampion)
  • Progress tracking sites
  • Guild recruitment
  • Guide sites (levelling, raiding, gold etc)
  • Blogs (by the metric tonne)
  • Facebook groups, both for WoW and for individual guilds / alliances
  • DKP development & sites
  • Voice communication (vent / teamspeak / mumble)

It’s huge, and the returns are paying for these services either through direct subscription or through advertising.

The community is incredibly powerful, but…

The problem, Fractures

At times in the game cycle where the game is lacking in draw, and the strength of the ties within the various guild types is not sufficient to hold players in the game.  It’s happening in WoW at the moment, progression has slowed massively, the noise on /trade on maintenance day for the weekly is a fraction of what it was 2-3 months ago.  RP levels are up in the home cities and the levelling zones are crawling with freshly hatched alts, Auction House traffic levels are down.

If there wasn’t an expansion due I’d be expecting realm closures and a winding down of the game.

However we all know what is happening and come November (or somewhere close) the numbers will ramp up again with a huge spike as Cataclysm hits the live servers, however the fallout at the moment is pretty terrible, raid groups are collapsing in on themselves, some people are leaving the game for good (too easy, vanilla was better) the group and social cohesion is breaking down as is seen in LFD with the increase in morons in groups.

Players want to know they can find good players they want to group with and push through the new content.

Also players are moving off onto Starcraft II and more worryingly from Blizzards point of view, they’ll be heading off out into the uncharted realms of Dragon Age and other MMOs.  If the social glue isn’t strong enough, why not go and explore something completely different?

No money for you Blizzard!

All of this adds up to a problem, Blizzard needs players, with products such as WoW and SCII it needs players to keep shoving coins in the slot every month, forget the sales of the boxes they’re nothing in comparison to the monthly subscription.  The model Blizzard rely on is to keep content going through social interaction & ‘progression’, let’s be honest without the driver of the badge grind and helping friends through the content who in their right mind would kill approximately 1800 5-man bosses in roughly a 2 year period on a single toon.

So the players need to be glued together or the subscription money dries up and more importantly it doesn’t come back to the same (or greater) level when the new content drops.  Prior to realID all the control on how the players grouped together and interacted outside of WoW was in their own hands, Blizzard had to do nothing, they could simply be there and ride on the back of it.  However this means they cannot direct it, add their own focus on where the playerbase should be looking for their next fix or indeed make some of the folding stuff.  I can imagine that relying on external forces for the ongoing growth and maintenance of your games is something which disturbed Blizzard/Activision.

Social Networking crawls from the Twisting nether

Like a twisted entity from the nether itself, intent on sucking the very life from everything it touches social networking tries to enter every aspect of our life.  We’ve already looked at how hundreds of millions of people globally hooked on social networking.  So the underlying fabric is there, Blizzard simply need to use the ideas and technology to start formalising that structure.

Within Activision

Stage one, the fabric is needed to link all the players together both within games and across Acti/Blizz games, that’s where Battlenet and realID enter the frame.  At the billing level this allows simplification of databases, authentication and the like, it’s also brought together the Real Name -> ${games}/${all_characters} mappings.  Now the fabric is in place let’s make it easy for anyone to talk to anyone else with the realID friending capability.

Problem 1 Solved: Players are glued back together within the Battlenet universe.

Stage two, while the above helps it risks leaving a large segment of the player base who have left for other MMOs, completely different games or even completely stopped gaming for the moment.  Let’s make it simple to hook Facebook contact lists to in-game account information.

Problem 2 Solved: Players are glued together with the current leader in the social networking sphere.

Stage three, profit

Both the previous phases of this are about preserving revenue, they do nothing to increase it.  The relationship with Facebook brings some viral advertising possibilities which might draw in new gamers but I cannot see this is anything more than a percentage point here or there.  Gamers will already be looking at the big launches, non-gamers may be pulled in but they’re more likely to be recovering gamers who’ve managed to shake off the habit for a while.

There is another group of gamers out there, let’s call them timelapse gamers.  Farmville is the classic example, unlike SCII, WoW or the other online properties there is no need for these gamers to all be online at the same time, everything is done in a manner which is more akin to “chess by mail” where actions are taken and shoved onto the stack and the other players react to what’s happening on the stack.  With a major focus on social progression, in that “I must keep my farm growing and well-tended to keep ahead of $other_fb_user”.  However I’m not convinced that Activision is seeing this as a particular growth area for the company.

So features which they could be bringing out (all as additional services, naturally), much of what follows is a stream of consciousness approach to the issue… so.. sketchy on details.

  • Facebook hosted guild functionality
  • Building DKP or something similar into the game, they are putting a lot of effort into making guilds very attractive to players.
  • Raid planning / organisational tools which hook into FB or similar
  • We have external access to the Auction House, why not the calendar, in-game chat, generating in-game mail?
  • Messages from Facebook into the various games?
  • “PUGbook” – a completely random unfleshed out thought which has drifted through my mind
  • Possibly stupid thought, but a Farmville game focused around pets earned / purchased within the likes of SCII / WoW?  If people are willing to keep a non-existent field growing with imaginary crops, why not feeding a WoW dragon and raising it’s young from eggs?

I certainly see nothing unlikely about Blizzard taking ideas and services which are already in wide use in the community and creating their own versions, they’ve never been shy about taking the best and most popular ideas from the Addon community and integrating them into the core game.  So extending that reach further is well within their mode of operation.

Advertising

It’s been denied many times, but there have been announcements in the past and I think it’s safe to say that any company will do what it thinks will bring in the most profit for the minimum of acceptable risk to its bottom line and where the organisation wants it’s reputation to be.  This will not necessarily align with the views of all its current or potential customers.  Opening up to Facebook brings solid gold information on the hobbies and interests of millions of users and how those users are linked.  Advertisers want solid information, with the way the media is evolving getting relevant adverts to the eyeballs of internet users is where the money lies.

Will they bring adverts into the games?  This depends on the game, WoW, not yet.  It would smash the immersion which does exist into many tiny pieces, this doesn’t mean we won’t see it on the launcher or on the official sites.  The FC channel can work both ways, once you’ve confirmed the BNet to FC link you’ve also let Blizzard see your interests as logged on FC, targeted advertising again, focused high value eyeballs.

How far can this go

As far as the paying customers are willing to let it, Blizzard will continue to develop along these lines for as long as the profit / risk balance is acceptable.  We’ve seen already how pressure from the community, and I suspect the realisation of just how much at risk their staff were has caused them to back off.  However my belief is that we are seeing only a tactical withdrawal and futher attempts to drive this forward will be coming our way.  If the users accept the changes then more will be around the corner, given how the concepts of ‘friend’ and ‘privacy’ have been changing over the last decade I am not holding out much hope for the medium term.

Latitude

Google Latitude, it’s cool technology, I have nothing to dispute there.  It’s the technology and capability my teenage self dreamt of.  Today I got an invitation to share my location with someone I know (someone who I do count as a friend, not the lobotomised definition that Facebook, Livejournal et al have given us).  However I have to ask myself the question.  Why would I want to share my location, it’s amazing that my phone can work out where I am within a very small margin of error, translate that into global co-ordinates, send it back up into Google who track and log the information and present that information on a map for people to view.

What is the benefit to me, what is the benefit to the person I know?

I can think of a few specific cases where I’m trying to meet up with someone but the need for the databases of my position and the like just aren’t needed.  So for the moment I won’t be sharing my location, if you need to know where I am, ask me then and there.  If you need to know where I’m going to be, ask me.

Online information & security

Another day, another information horror story of sorts.

Someone has stuck a bot crawling Facebook for public information, collated it into a nicely presented format and slapped it up on a torrent for downloading.  Let’s look at the impact of this.  Fundamentally it changes very little, this is all information which users of Facebook have put into the public domain either actively or through not unchecking the right options.  The difference is that it’s collated into a easily parsable format, ideal for spammers to grab and shove into their databases, quickly searchable and so on.  We’re not talking about a zero risk event here, but something which is akin to moving fruit from a branch which requires a little bit of reaching to something at waist height.

So what is the impact here, hopefully a wake up call to all those users of services such as Facebook as to keeping an eye on what information they’re putting into the public domain, what links to friends they’re making public, what photos, what details of their personal life.  Who hasn’t heard of the stories of people boasting on Facebook about pulling a sickie forgetting that a co-worker or boss is on their friends list.  Making the dope habit public while the boss is known to be massively anti illegal drugs and so on.

Banks still use information such as maternal maiden name for authentication, how difficult is it now to find that information from the Facebook data dump for a number of users.  While in itself that is not the key to your money it’s another piece in the puzzle, all of which makes it a little easier for the bad guys to get at your account and at the same time make it harder to convince the bank of your innocence.

The financial costs are normally recovered, at least in the EU, what about the time and stress in dealing with such issues, that cannot be claimed back off the bank.  It’s not entirely their fault that their customer is putting their entire life into searchable databases.  How about having to cancel that credit card and be issued with a new one, updating companies which are taking their money through recurring mandates, updating the booking with FlyCheapAir and the hotel room for the same trip and so on.  All annoyance and pain.

So this is both a complete non-story “person puts information in the public domain into the public domain in a different format” it is also at the same time a major story “Millions putting information into the public domain which they rely on to secure the services they base their life on“.

BBC Report