Daily Archives: June 22, 2010

Blizzard Real ID vs. My Privacy

So part two in the three part series on Blizzard really cheesing me off this week has to do with another new offering called Real ID.

This is only tangentially connected to my initial screed on how Blizzard compromised the security of parental controls by bypassing their own authenticator scheme because I only became aware of Real ID as part of the email message announcing the new and improved parental controls.

That message had two new features listed, one was not having to remember a password for parental controls and the other was the ability to turn on Real ID for your child’s account.

And my gut reaction to that second item was, “If I wanted my child’s real identity out there, I wouldn’t be using parental controls, now would I?”

But then I remembered another “might be real” item in the big folder of account phishing attempts.  And there it was, titled “Real ID Coming to World of Warcraft!”

And who is the poster boy for Real ID?  Why, Arthas!

Arthas Commands It!

And really, I could stop right there, since Arthas trying to sell me on Real ID digs right at my streak of paranoia.  It would be like Darth Vader hawking the NINA mortgages… or becoming the new spokesman for the IRS… just a little too close to a natural fit.

I mean the great luxury of the internet is that we can all go out and play together and I don’t have to worry about you asking to crash on my couch when you’ve lost your job, wife, and home due to your being unable to stop playing online games.

Sure, there are costs associated with this anonymity, with only the most obvious illustrated over at Penny Arcade, but they are (mostly, in my opinion) worth the price.

Still, I should go forward and mention what Real ID is supposed to offer, quoting for truth and such.

Soon, World of Warcraft players will have access to a brand-new feature called Real ID, a completely voluntary and optional level of identity that will keep players connected across all of Battle.net.

When you and a friend mutually agree to become Real ID friends, you’ll have access to a number of additional features that will enrich your social gaming experience in new and exciting ways:

-Real Names for Friends: Your Real ID friends will appear under their real-life names on your friends list, when chatting, communicating in-game, or viewing a character’s profile. Real ID friends can also see who’s on each other’s Real ID friends list, making it easy for players to connect with other people they know.

-Cross-Realm and Cross-Game Chat: With Real ID, friends can chat cross-realm and cross-faction in World of Warcraft, and will be able to chat across future Blizzard games such as StarCraft II.

-Rich Presence: See additional info on your friends list about what your Real ID friends are up to in World of Warcraft and upcoming games like StarCraft II in real time.

-Broadcasts: Broadcast a short status message for all of your Real ID friends to see, whether you want to issue a call-to-arms or let your friends know about an important change of plans.

-Friend Once, See All Characters: Real ID friends will automatically see all of each other’s characters on their friends list – even characters created in future Blizzard games – helping players stay connected with the people they enjoy playing with most.

A nice feature set.  An attempt to go beyond what SOE has done with their Station Launcher friends list.

Of course, I should mention that they opened this up with a salutation that included my real name.

But why should I care about that, about using my real name?

I must admit, in an odd turn for a blogger, that I do value my privacy and the privacy of my family.  And I care all the more so while involved in a job search.  Being a gamer carries a stigma which may not endear you to prospective employers, especially in a state where the unemployment rate is around 12%.

And it isn’t even that I write anything about which I would be ashamed.  My mother reads my blog.

But given a choice between equally qualified candidates, somebody who blogs about online gaming is likely to lose out. (It might help me with that SOE QA Manager position for which I applied.  Then again, it might not.  Wasn’t I just bagging on SOE marketing the other day?  Oops.)

So I get a bit squeamish when Blizzard starts talking about using my real name in the game in any way, and all the more so because I see the value in what they are offering.  Blizzard says, in the Real ID FAQ:

Real ID is a system designed to be used with people you know and trust in real life — friends, co-workers and family — though it’s ultimately up to you to determine who you wish to interact with in this fashion.

And certainly I wouldn’t share my Real ID with anybody I did not trust or know in real life, but this rings of the classic “drink responsibly” sort of message.  Who knows how this is going to develop.  Will people start exchanging IDs casually in game?  Will raiding guilds start demanding Real IDs from members?

I am going to watch this feature carefully.  Right now there are less than ten people with whom I would consider sharing Real IDs, and even then I like to have a secret alt or two stashed away for when I just want to run around solo and not seem like I am snubbing anybody.

Everything Blizzard offers has a price, but I’m not sure I’m ready to pay for this one.

And I am certainly not enabling this feature on my daughter’s account!

Blizzard Compromises Parental Control Security

Or such is my view of the recent changes they have made.

For previously, parental controls were a simple thing.

They were an option off of the account management page and thus secure behind the account login, which in the case of our household, includes a Blizzard Authenticator.

Roll Stock Authenticator Footage

Once into the parental controls page, all sorts of options were available for controlling your child’s play time.

And all of this was kept from the child by a simple password.

My daughter would go log into the page and all I would have to do is make the changes, or review the changes she made (and often correct them to align with what I had agreed to allow), then type in the password and click accept.

The flaw in the system appeared to be the password.  I chose a password that was complex enough to be secure, but one that both my wife and I would remember.  And we keep tight enough rein on my daughter’s WoW account that we end up typing it in a couple of times a week, thus refreshing our memory.

Then came the email from Blizzard.

Dear World of Warcraft Parental Controls user,

We’re writing to let you know that World of Warcraft Parental Controls are now managed through our Battle.net Parental Controls system: http://us.battle.net/parents/.

This email is your new key to accessing Parental Controls for your children. Any time you want to make changes, simply click the link under the name of the child below:

[Account and URL Withheld]

Your previous World of Warcraft Parental Controls settings for the accounts above have been automatically transferred to Battle.net Parental Controls, so unless you’d like to make changes or explore the new tools, you do not need to take any action at this time. Be sure to hang on to this email for quick access to managing your Parental Controls settings in the future.

Battle.net’s Parental Controls features include:

– NEW! No more Parental Controls password to remember – just use this email as your key.
– NEW! Permit a child to use Real ID, an optional social-networking feature that allows players to interact and communicate using their real names. (Learn more about Real ID: http://us.battle.net/realid/)
– Set daily or weekly limits on the number of hours your child is allowed to play World of Warcraft.
– Create a custom World of Warcraft play schedule, or select from pre-set schedules such as “weekends only.”
– Receive weekly World of Warcraft play-time reports via email.
– Manage access to in-game voice chat for World of Warcraft.
– COMING SOON! The ability to manage future Blizzard Entertainment games such as StarCraft II, as well as additional access to Battle.net’s upcoming social features. We’ll share more info with you about these features as they become available.

For information on or assistance with Battle.net Parental Controls, visit the Parental Controls FAQ (http://us.blizzard.com/support/article.xml?locale=en_US&tag=PCFAQ) or contact our Sales, Billing & Account Services team: https://us.blizzard.com/support/webform.xml?rhtml=y&locale=en_US.


The Battle.net Team

I initially ignored this email thinking that it was yet another phishing attempt.  Right, I’m going to click on a URL in an email from “Blizzard Entertainment.”

But then my daughter came to me asking to play for a bit, since the Midsummer Fire Festival was kicking off, and we noticed that the parental controls were missing from their usual location.

I went back, dug one of the two non-phishing attempts from Blizzard Entertainment out of my spam folder, and read the above.

So instead of easy access via account management, controlled by a password, I now have to keep a hella long URL handy if I want to make any changes.

I realize that some people are bad with passwords and that having held a job where I had to have 6 different passwords to do my job daily, each of which had to be changed every 45 to 90 days, might have trained me better than most in the fine art of mental password management (the company had heard of LDAP, but wasn’t really convinced it was time to jump on that bandwagon yet), but still.  This was one stinking password with almost no restrictions requiring special characters, numbers, capital letters, punctuation, or Chinese pictograms.

But no, passwords get forgotten and I am sure that yields calls to Blizzard support, and support calls cost money.

So now I have a much less secure solution to the problem of parental controls.  Passwords may be as breakable as, or much more breakable than, the hella long URL Blizzard sent me, but at least the password entry made you go through the Blizzard Authenticator.  I bought into your security paradigm and this is how I get treated, Blizzard?

Meanwhile, the URL is in a normal web mail account, the password for which can be phished for as easily as an account password.  And even if I copy the URL elsewhere, if you know that email address, you can just go to the parental controls page, type it in, and they’ll send you a fresh URL that will invalidate the old one.

All of this for access to a page that will let you lock people out of their account.  How does that scenario sound familiar?

Right, somebody gets the password to that email account, changes it, requests a new parental control URL, turns off all access to the account and there you go.

And you can say, “Well, be more careful with your email account,” but this sort of thing happens to people much wiser in the ways of security than myself.

Then there is the kick in the teeth following the boot in the groin, which is that this new setup is less convenient for our family.

Previously, my wife and I both knew the password, so either of us could manage our daughter’s account.

Now we need that URL.

Sure, I can forward that to her (another security hole, but what the hell at this point!), but there is a catch.

The URL expires.

This was probably the bit that let this whole “bypass the authenticator” scheme get past security review.  I’ve already had to renew the URL.

But the URL gets sent to an email account that is mine.  If the URL expires when I am not available to manage the parental controls, then the controls won’t get managed.  And I could switch it to a new account that we could both share, but that would be one more account and password to remember.

All in the name of not having to remember a password.

And I’m just getting warmed up.  This whole thing is a trifecta of annoyances, the security changes just being the first.

Look for a follow up post.

Meanwhile, the net result here is that if you used the Blizzard authenticator, your account is now less secure than before.
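
The access model described in this post, as an added sketch that is not Blizzard's code: the old page sat behind the authenticator-protected login plus a password, while the emailed link is a bearer key that can be reissued to the mailbox and never consults the authenticator. The class, method names, `LINK_TTL` value and the `require_step_up` mitigation are all assumptions made for illustration.

```python
import secrets, time

LINK_TTL = 7 * 24 * 3600  # assumed lifetime; the post only says the URL expires

def _same(a, b):
    return secrets.compare_digest(a.encode(), b.encode())

class ParentalControls:
    """Constructed model of the two designs compared in the post (names are hypothetical)."""

    def __init__(self, parent_email, password):
        self.parent_email = parent_email
        self.password = password
        self.link = None            # (token, expiry) of the single live emailed link
        self.play_allowed = True

    def change_old(self, logged_in_with_authenticator, password, allow):
        """Old design: page sits behind the account login, then a password."""
        if not logged_in_with_authenticator or not _same(password, self.password):
            return False
        self.play_allowed = allow
        return True

    def request_link(self, email, now=None):
        """New design: knowing the address is enough to trigger a fresh link."""
        now = time.time() if now is None else now
        if email != self.parent_email:
            return None
        self.link = (secrets.token_urlsafe(32), now + LINK_TTL)  # replaces the old link
        return self.link[0]         # stands in for delivery to the mailbox

    def change_via_link(self, token, allow, authenticator_ok=False,
                        require_step_up=False, now=None):
        """require_step_up=False is the behaviour described in the post;
        True is a hypothetical mitigation that re-checks the authenticator."""
        now = time.time() if now is None else now
        if self.link is None or now > self.link[1] or not _same(token, self.link[0]):
            return False
        if require_step_up and not authenticator_ok:
            return False
        self.play_allowed = allow
        return True
```

With `require_step_up=False` the only thing standing between a reader of the mailbox and the settings page is the link itself, which is the downgrade the post complains about.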