No security reprieve from Blizzard's Warden

Two good reasons to pass on MMORPGs in the office

World of Warcraft (WoW) and other massively multiplayer online role-playing games (MMORPG) are the source of recent rumbling in the industry. The online gaming numbers are staggering, but the notion that a significant percentage of players is logging in from work is truly the stuff of executive nightmares.

The impact of lost work hours and the legality of alternate-currency businesses, or "gold farming," are worthy of discussion, but the alarm is a bit misplaced. Games have been a staple of computer workers' existence since J. Martin Graetz, Alan Kotok and others cooked up Spacewar! on a PDP-1 in 1961, and people have been exchanging virtual identities and goods for real money since the first multiuser dungeons (MUD) in the late 1970s and '80s.

Such games will always be with us, and the further up the knowledge-worker ladder one goes, the more essential they seem to become for blowing off steam. Modern role-playing games aren't my thing, but I'd much rather see a senior security officer ganking Blood Elves in a cathartic frenzy for 30 minutes on company time than losing her cool when cornered by a tightly wound executive in some postincident blamestorming session.

Yet there is a serious problem with gaming on the corporate network -- in fact, there are two. The problem is not the games themselves or the effect of playing them. It is, first, the installation of software on an organization's computers by unauthorized individuals and, second, the monitoring and self-help components bundled into that software. The former leads to all sorts of compliance issues. The latter creates real risks of information disclosure and opens new attack surfaces.

Monitoring and reporting

The Warden is not new in concept or execution. In response to widespread cheating on multiplayer online games, Blizzard Entertainment developed routines for detecting game cheats, eventually coalescing them into a distinct software component known as the Warden. The Warden is included with WoW, Diablo II and other Blizzard games.

When active, the Warden monitors program and process activity on the host computer, and it sends usage data and some desktop information (known to include at least the title of each open window) back to Blizzard's servers over the Internet. Blizzard says the Warden does not gather any personally identifiable information -- only data about the game account -- and examines the gathered data only for evidence of hack or cheat programs.

A representative of a WoW guild (a structured group of thematic players) told the BBC that many of its members support Blizzard's efforts to quash game cheats. "The concern most have is that the program has the capability to read text from open programs, potentially compromising the privacy of some sensitive programs. If someone is afraid of the program reading sensitive information from their programs, one possible solution is simply to not run any additional programs while playing World of Warcraft."

But as Gregory Nunn noted: "To a warden, Utopia is an escape-proof jail." In other words, being effective means casting a wide net. Consequently, Blizzard's claim that it does not collect personally identifiable information is disingenuous. The Warden records an IP address that may persistently resolve to a specific home or office. It tracks account information tied to a single named user, and that account is tied to financial data if one respects the Blizzard software license and pays for it in one's own name. And, because it sweeps window titles, all sorts of data may be captured from other applications while a player is active.

Concerned with the ramifications of the data transmission, Greg Hoglund wrote and released a tool called the Governor, which monitors what the Warden gathers and transmits, using only Microsoft Corp.'s published application programming interfaces. Because the Warden is also shipped in single-player and LAN-capable titles that never need to talk to a game server, it's a reasonable assumption -- though only an assumption -- that it carries functions, not yet publicly documented, that can disable stand-alone software in response to predefined criteria for cheats or detected license violations.
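To make the two preceding paragraphs concrete, the following is an added example, not Blizzard's Warden code or Hoglund's Governor, showing with ordinary Windows APIs what any unprivileged process on a desktop can read (every window title in the session) and how to see for oneself where a running client is sending traffic instead of taking the vendor's word for it. It assumes an interactive Windows session with the NetTCPIP module present (Windows 8 / Server 2012 or later); $ClientProcessName is a placeholder you replace with the client you want to inspect, not a real process name from the article.

```powershell
# Added example (not Blizzard's or Hoglund's code): what a user-level process on
# the same desktop can see, and where a given client is sending traffic.
# Assumptions: run in an interactive Windows session; $ClientProcessName is a
# placeholder for whichever game client you want to inspect.
param(
    [string]$ClientProcessName = 'NameOfGameClient'   # placeholder, not a real process name
)

# 1. Window titles. No privilege is needed to read these, and they routinely
#    carry e-mail subjects, document names, ticket numbers and customer names.
$titles = Get-Process |
    Where-Object { $_.MainWindowTitle } |
    Select-Object ProcessName, MainWindowTitle

Write-Host "Window titles visible to any process in this session:"
$titles | Format-Table -AutoSize

# 2. Established outbound connections owned by the client process, so the data
#    flow the text describes can be observed rather than assumed.
$clientPids = (Get-Process -Name $ClientProcessName -ErrorAction SilentlyContinue).Id
if ($clientPids) {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $clientPids -contains $_.OwningProcess } |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
        Format-Table -AutoSize
} else {
    Write-Host "No running process named '$ClientProcessName'."
}
```

Run it as the logged-on user while the usual work applications are open; the first table is the list of strings a Warden-style component could carry off without any exploit at all, and the second is the set of remote endpoints a packet capture or egress filter would need to cover if the organization decided to allow the client anyway.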

Self-help

When the Warden detects a game cheat or license violation, it shuts down the client -- specifically targeting an individual for violation of the software or online service license agreement, based on data associated with that individual's account. It plainly allows for the disabling of gaming accounts as well.

None of this should come as a surprise. The WoW software license clearly states that Blizzard will conduct monitoring and may reach out across the Internet to take action on a user's computer if it believes that user is cheating or violating the license agreement. This fits the legal notion of "self-help," wherein a software developer is essentially authorized to break into a system or network to shut off unpaid-for, unlicensed or misused software -- and indemnified against consequences of doing so.

Users decide?

The Warden isn't all that different from the daemon included with Microsoft Office for OS X that probes the local network and disables the Office applications if it finds a duplicate of its own license in use, or from Windows Genuine Advantage, which checks for license compliance -- while uploading all sorts of machine and application information to Microsoft -- and can disable major features of an entire operating system. Other software companies use even more aggressive methods. For example, a former client wanted to migrate away from a non-Y2K-compliant enterprise document management system and let the license lapse, but was barred from accessing its own data in an encrypted repository until it paid the vendor for another year's license renewal.

However, accepting such situations is an organizational decision made by groups or individuals authorized to act on behalf of -- and accept risk for -- the entire organization. Should individual users of a corporate, government, military or other organization's network decide when to install monitoring and reporting software? No. Should lone users accept license agreements with self-help stipulations that may affect production systems and the networks to which they are connected? Break out the clue stick.

Having individuals accept risk for an organization without being authorized to do so by the owners, board, regulatory body or other governance body is bad enough on its own. If a user takes control of a system and installs software that substantively subverts the governance, monitoring, management or confidentiality of the system or of the network to which it is connected, is the system still substantively under the control of the organization? If the answer is no, continuing to use that system for work may be a violation of applicable laws and contracts.

Noncompliance and legal trouble

When a rogue user subverts an organization's computer and enters into an agreement that allows for a third party to monitor and (partially) control that system, it means the organization is no longer in control of it -- plain and simple. This is where organizations may feel a legal pinch.

For example, the Health Insurance Portability and Accountability Act Security Rule, the Sarbanes-Oxley Act and the ISO/IEC 27001 standard all require organizations to maintain control over their systems, including the configurations of and access to those systems. If they don't, they can't claim to be in control of the personally identifiable health care information, corporate financial data or other sensitive data hosted on those systems.

I could go on (and I've listed some potential compliance issues for various industries in a sidebar), but the problem is clear: If access to, and partial control of, systems holding sensitive data has been ceded to a third party by an unauthorized individual, the organization will run afoul of any requirement to tightly manage those systems and control access to the data they host.

Trusting the company

It's conceivable -- however ill-advised -- that some organizations might authorize game software with monitoring and self-help functions on workstations. Many people in the BBC article mentioned above indicated that they trust Blizzard not to misuse information it gathers.

But Blizzard is a privately held subsidiary of Vivendi Games and Vivendi. Despite its 150-year history of serving the public good -- Vivendi started in 1853 as the water company for Lyon and Paris -- I beg forgiveness for not trusting personal data to a promoter of the omnipresent digital rights management morass and a contributing malfeasor in the recent wholesale perversion of U.S.-based Internet music licensing.

Some years ago, Vivendi Universal executive Edgar Bronfman argued against compulsory music licensing before Congress, yet when the situation made it more profitable to do so, Vivendi made a 180-degree turn. For an individual to personify a commercial organization and trust it past its basic fiduciary duties is a foolish thing to do.

Simply denying that they look at data unrelated to the game is not good enough -- game companies have already caused data from other programs on a system to be gathered and transmitted in clear text over the Internet. Were Blizzard to find itself holding inadvertently gathered sensitive data from the desktop of a Nasdaq or Defense Department systems administrator, I doubt the "We didn't look at it" argument would get very far.

The end

In the end, we choose these problems. If I want to give up my home system privacy for an online hit that keeps me going for a few hours at a time, it's my choice, and it's my responsibility to know the consequences. If I'm sensible when faced with ugly licensing terms for interactive games or media, I'll choose not to install, play, watch or listen. If I'm informed, I'll know what remote self-help is and shun it for my own good as well as that of others.

But I don't usually have the right, as an individual, to choose these risks for an organization whose people and data are not my own property. Organizations should promote this understanding through better security training and awareness -- even if most will settle for a simple admonishment not to install unauthorized software.

At risk of promoting dubious Internet addiction-treatment scams, it might be a good idea to provide counseling to those who just can't help themselves and would otherwise put themselves and others in positions of risk. As a man familiar with creating serious problems for those around him once said, we're all our own prisons, we are each all our own wardens, and we do our own time.

Jon Espenschied has been at play in the security industry for enough years to become enthusiastic, blasé, cynical, jaded, content and enthusiastic again. He is currently a senior security consultant in Seattle, where his advice has been ignored by CEOs, auditors and sysadmins alike.

Copyright © 2007 IDG Communications, Inc.
