Tag Archives: WTF Blizzard?

The Biggest Lie About Real ID

Sometimes we get mired into arguing about minutia and miss the real point.  I’ve been going back and forth about the symptoms and ignoring the reality.  What forest, all I see are a bunch of trees.

Blizzard is not imposing Real ID on the WoW forums to clear out trolls or to make us responsible for our posts or to save money on forum moderation.  That is a load of crap. An excuse.  A smoke screen.  The post that set off nearly 2500 pages of responses (so far, including one from me) is just a side show, a distraction.

Seriously, are you telling me that after more than five years, suddenly Blizzard can’t take it any more?  Did Mike Morhaime suddenly crack and shout, “I’ve had it up to here with you damn trolls!  I’m taking you all down!” and start hurling murlocs around his giant office?

Not likely.

A big change like this, which is really a change in the way they do business, a change in the way they want to relate to their customers, always comes with a corporate press release.

So I went looking for one.

There is no corporate Blizzard press release out there about cleaning up the forums.

This is not the purpose of their grand stroke.

These are not the forum trolls you are looking for.

The people at Blizzard know that the forums are unlikely to get more civil.  And they also know that support issues diverted from the forums to email and the phones are likely to cost them more money, not save them any.

No, the only press release out there related to Real ID, and it doesn’t even mention it by name, is the announcement that StarCraft II will be integrated with Facebook.

Real ID is the result of that integration.

Because to integrate with Facebook, you have to use your real name.  So say the terms of service.

So if Blizzard wants to come play with Facebook, or is being told they have to go play with Facebook because somebody mentioned to Bobby Kotick that Facebook is where the money is, they have to go in with their subscribers real names in full view of the world.

Getting in bed with Facebook requires full disclosure.

“But wait!” I hear you say, “That press release only mentions StarCraft II!  We’re talking about the World of Warcraft forums!”

That is merely because we haven’t seen the right press release yet.

Prediction: New Cataclysm feature to be announce, Facebook integration with World of Warcraft.

I’m going to stick with that one until proven wrong.

You’re welcome for that blinding flash of the obvious.

You probably beat me to it by a few days.  I just haven’t made it to a post yet that laid it out quite like that.

What that means to World of Warcraft and the Cataclysm expansion… well… I think I’ll quote Robert Heinlein:

When in danger or in doubt
Run in circles, scream and shout!

You may now begin to panic.

If you wish to defer panic for a few minutes, go read this, laugh, sigh, and smile for a moment.

Then begin to panic.

Surprise! A Security Flaw in Real ID!

File under, “That didn’t take long!”

WoW.com is reporting that there is a security flaw in Real ID that allows addons to expose your information to… well… anybody.  It is all up to the addon.

I expect to hear this story repeated again and again because some part of Blizzard, the part that wants you to expose your information, does not strike me as very interested in security.

Again, as I said in my previous post on the subject, the whole Real ID things seems to go completely against the grain of what I am told is Blizzard’s biggest problem, account security.

When you are fighting a battle to keep your customers from having their accounts hacked and looted, something I am going to guess costs them more money than, say, forum moderation, proposing a system that exposes more information about your users doesn’t seem to be the best plan.

Anyway, I’ve turned on parental controls for my own account and dis-allowed Real ID.

Now I just have to hope there isn’t a flaw in that…

As Real ID Oozes Forward, More People Lose

I must admit, my first gut reaction to Blizzard announcing that their Real ID initiative would be applied to their forums and that everybody would be required to post using their real name was a  Nelson Muntz, “Haw-haw!”

After all, I don’t post to the Blizzard forums.  Why should I care?

And I could see the same point which Darren did, that this whole thing would certainly put a few people on better behavior.  And I am sure there were others who could see some merit in that.  Wasn’t abusive customer behavior one of the reasons that Mark Jacobs opposed having official forums for WAR?

Of course, after that initial flush of schadenfreude, holes began to develop quite quickly in the Utopian forum in my head.

There will always be people who doesn’t care if others know their real name and who will continue to behave like an ass-hats regardless of what sort of information about them is made public.  And then there are those with names common enough that knowing their name tells gives you no information whatsoever, some percentage of whom are jerks. (I wonder if there is a correlation between having a common name and bad forum behavior?  Is somebody name John Smith more likely to mouth off?)

Out of a population of a couple of million subscribers, I am going to guess that there will be enough such people as to make the change in the tenor of the forums smaller than one might hope.

Then, if you add in the people whose accounts do not actually carry their real name (whoops, did you sell your account to a forum troll?), you begin to wonder if this is going to make any real difference in the war for public decency.

After all, this Real ID in the forums plan is likely to stifle the voices of a lot of average users while being unlikely to hinder the two groups I mentioned above.  The signal to noise ratio in the forums will likely stay the same or perhaps even get worse.

So you will be hard pressed to get me to believe that end users will see much benefit from the imposition of real names in the Blizzard forums.

Blizzard will though.  I am sure forum posting will drop dramatically.  That will make community easier and less expensive to manage.

But unless that is going to cut my monthly subscription price, I’m not sure I care.

The cost of Real ID though, that is pretty steep.

After all, the fundamental principal of a game like World of Warcraft is to deliver an escapist fantasy, to be someone or something you are not in the real world of your every day life and to be a part of a community of others who also seek a similar escape.

Only, suddenly, we really can’t be a part of that community unless we’re ready to link our in-game persona to our real life.  Today it is the in-game friends list, tomorrow it will be the forums, what will it be next week.  It could be your Real ID associated with your Armory pages if people do not complain now.

And while some declare worry on the subject to be irrational fear, I think they are living in a fools paradise.  Certainly there are some people for whom Real ID will make no difference.  If you are male and have a reasonably common name and are not, say, looking for a job, then who cares what comes up when people Google your name or look at your Facebook page.

But what happens when your name is a unique search on Google, so all your information is easily obtained once somebody has your name? (That’s me, by the way.)

What happens when you’re a woman and you want to just fit in and enjoy the escapist fantasy without being hit on or treated differently?

What happens when you’re a guy but you play all female characters?  Ready to explain that one to all and sundry?

What happens when you have kids who play and they want to be part of the community?

What happens when your last name happens to come from a region that the politicians and news media have declared “bad guys?” (Historically, that has happened to my family.  And while it is unlikely to happen today (too many Irish in the country, for one thing) it does make you think when it happens to somebody else.)

Are we all that ready to share?

WoW is entertainment.  I’m not sure I’d want a public record available listing out every movie I’ve seen, every television show I’ve watched, or every book I’ve read.  So why would I feel differently about video games I’ve played?

Finally, there is the security aspect.

And this is what kills me.

Blizzard goes on and on about account security.  They want us to buy authenticators to keep our accounts secure.  Fine, I’ll play ball in the name of security.  I bought an authenticator.

But I expect Blizzard to be holding up their end of the bargain as well.

And Blizzard cannot say they are doing their best to protect account security on the one hand while proposing to give out our real names on the other.

They made us change our account IDs to an email address.  Now they want us to use our real names, so you can now get the email address/account ID of a large number of WoW accounts without much effort.  And any hacker can now associate account IDs with all the information about us that is available on the internet.  And since most people make up their passwords based on things like names, birthdays, and such of children and spouses, hacking accounts just got that much easier.

All of this is making me wonder what things are going to look like in StarCraft II when it comes out at the end of this month.  Is it going to be real names, Real ID, up front from day one?  Is everybody I play going to know my real name?  There is no way to play StarCraft II without Battle.net (no LAN play, remember?), so if Blizzard is going to display all our names, I won’t want to go there.

All paranoia?  Maybe.  People who have been victims of loose information tend to be more concerned about it being contained.

But this is light entertainment.  If it is engendering paranoia, then it is doing something wrong.

And other have written more clearly and eloquently about this topic than I have.  You should go run through the posts, and the comments, at Terra Nova and Broken Toys.

Heck, even SynCaine has an unusually calm, logical, direct and to the point poke at Blizzard.

But I just wanted to put my own thoughts down on this.  One of the purposes of this blog is to record what is going on at the time so I can review it later and see how I have changed or not.

And I wanted to complain.  Loudly and quickly.  If we all say, “Whatever, it doesn’t apply to me,” then at some point the changes will apply to you, and you’ll wish somebody had spoken up earlier.

Addendum – Additional reading on the subject:

The Strangest Parental Control Default

I looking at the new and, in my opinion, screwed up parental controls page, I actually played with some of the controls I normally do not use, just to see if they changed as well.

One of the options allows you to select a pre-filled out time grid.  You have the options, that are kind of self-explanatory, of:

  • Weekends only (all weekend hours)
  • Friday and weekends only (which is really Friday after 3pm, so after school)
  • After school and weekends (3-6pm daily and weekends)
  • After 6pm and weekends (6pm to midnight daily and weekends)
  • After 3pm and weekends (3pm to midnight daily and weekends, i.e. sleep, go to school, play WoW life)
  • Break Time

None of those are particularly useful to me.  They would allow my daughter to play much more WoW than we would want.  But that is why I am annoyed by the new parental time control grid, because we dole out time in much smaller increments when we feel it is appropriate.

Now you will notice that I did not explain the option “Break Time.”  The others were, as I said, somewhat comprehensible by their description.  You knew what to expect, if not in full detail.

So I had to see what that last time template offered.

I've got your break time right here

Essentially, “Break Time” sets a pattern of regular two and a half hour play slots, each broken up by a 30 minute break.

This limits you to 20 hours of play a day and makes you step away from the computer at least every three hours.

I’m just wondering who would find this sort of schedule useful.

That is way too much play time to be allowed a child and way too regulated for any normal person that I know to follow and be aware of.  I would, I am sure, constantly be logging on to play about 10 minutes before break time.

Would you find this useful?  Do you know somebody who would?

Blizzard Screws Up The Parental Controls Interface

The third and final post in this week’s “WTF Blizzard?” feature.

Previously I ranted about how they compromised the security of the parental controls page and about the new Real ID feature that just launched this week.

Now I want to proceed to the actual parental controls interface, which have arguably suffered from this round of updates.

Not that the old version of parental controls was a joy to behold.

But the controls, and its center piece, the play time grid, were  clear, functional, and intuitively easy to use.  I was worried that I would have to describe it in detail, since it no longer exists, but Google images always provides! (Thanks to the similarly named blog, The Experienced Noob, from which I borrowed this image.)  So lookie:

The Old Play Time Grid

Green meant your child could play, red meant they could not.

You could easily click on any of the half hour increments to turn them on or off.  You could also click and drag your cursor across a range of increments, changing them all in a single pass.

It was simple, but that is what a tool like this should be.  No additional instructions were supplied or required.

Now there is the new grid.

The New Play Time Grid

At first glance you might actually prefer this new grid.

It looks a bit like one of the calendar views in Microsoft Outlook.  (That is familiar to far too many of us I fear.)

And it is easy to see the time ranges and durations once you have selected them.  The clarity of presentation is as good, if not better, than the previous grid.

Selecting the actual times though… you know, using the tool…

Here is a tip that you haven’t necessarily improved the user experience:  You need to explain things that previously needed no explanation.

I won’t quibble about the fact that the instructions, which are next to the grid, refer to “the time slots above.”  That is easy enough to fix. (I won’t pass up the opportunity to point it out however!  It supports my conclusion!)

No, it is the fact that time selection works in a different and not quite so intuitive manner that gets me.

Gone is the toggling on and off of half hour time slots.  Not that you would want to, since the vertical size of the time slots is eye-strain small.  You will miss your desired half hour increment often.

Now you have to click on the starting time and drag your cursor to the ending time all in an action that reminds me very much of pulling down a window shade.  It seems easy, but you often have to repeat it to get your settings just right.

And, if you are like me and sometimes set multiple play times for a single day, you’d better read that final tip.  Somebody at Blizzard decided that multi-select editing rules were appropriate, so you have to hold down the Ctrl key down while you select additional time slots for a day.  If you forget to hold down that key, your first time slot goes away as soon as you start dragging out the second one.  Oops.

Finally, make sure you don’t accidentally click on the wrong day.  Once you click on a day, you are stuck with a half hour selection that you can only remove by navigating away from the page without saving, then coming back to start over.

The half hour that would not leave

This also means that once you have a time slot selected for a given day, you will always have a time slot for that day unless you use the “clear schedule” option, blank out the whole grid, and start over again.  Ctrl-select was fine, but you couldn’t give me Shift-select for delete Blizzard?

Not a winning interface update.  Remember, they felt that having password protection for this page was too complicated, but somehow this grid selection method was just fine!

Okay, maybe you do not use parental controls and do not care.

And maybe “screws up” is an over-statement when referring to the whole parental controls interface.  Much of it remains exactly as it was before, with the time grid being the major change, even if the time grid is the major feature of the page.

But we are speaking of Blizzard, the company for whom “polish” is the alleged watchword.  And this interface update is clearly one that could have used a bit more thought before being released.

Blizzard Real ID vs. My Privacy

So part two in the three part series on Blizzard really cheesing me off this week has to do with another new offering called Real ID.

This is only tangentially connected to my initial screed on how Blizzard compromised the security of parental controls by bypassing their own authenticator scheme because I only became aware of Real ID as part of the email message announcing the new and improved parental controls.

That message had two new features listed, one was not having to remember a password for parental controls and the other was the ability to turn on Real ID for your child’s account.

And my gut reaction to that second item was, “If I wanted my child’s real identity out there, I wouldn’t be using parental controls, now would I?”

But then I remembered another “might be real” item in the big folder of account phishing attempts.  And there it was, titled “Real ID Coming to World of Warcraft!”

And who is the poster boy for Real ID?  Why, Arthas!

Arthas Commands It!

And really, I could stop right there, since Arthas trying to sell me on Real ID digs right at my streak of paranoia.  It would be like Darth Vader hawking the NINA mortgages… or becoming the new spokesman for the IRS… just a little too close to a natural fit.

I mean the great luxury of the internet is that we can all go out and play together and I don’t have to worry about you asking to crash on my couch when you’ve lost your job, wife, and home due to your being unable to stop playing online games.

Sure, there are costs associated with this anonymity, with only the most obvious illustrated over at Penny Arcade, but they are (mostly, in my opinion) worth the price.

Still, I should go forward and mention what Real ID is supposed to offer, quoting for truth and such.

Soon, World of Warcraft players will have access to a brand-new feature called Real ID, a completely voluntary and optional level of identity that will keep players connected across all of Battle.net.

When you and a friend mutually agree to become Real ID friends, you’ll have access to a number of additional features that will enrich your social gaming experience in new and exciting ways:

-Real Names for Friends: Your Real ID friends will appear under their real-life names on your friends list, when chatting, communicating in-game, or viewing a character’s profile. Real ID friends can also see who’s on each other’s Real ID friends list, making it easy for players to connect with other people they know.

-Cross-Realm and Cross-Game Chat: With Real ID, friends can chat cross-realm and cross-faction in World of Warcraft, and will be able to chat across future Blizzard games such as StarCraft II.

-Rich Presence: See additional info on your friends list about what your Real ID friends are up to in World of Warcraft and upcoming games like StarCraft II in real time.

-Broadcasts: Broadcast a short status message for all of your Real ID friends to see, whether you want to issue a call-to-arms or let your friends know about an important change of plans.

-Friend Once, See All Characters: Real ID friends will automatically see all of each other’s characters on their friends list – even characters created in future Blizzard games – helping players stay connected with the people they enjoy playing with most.

A nice feature set.  An attempt to go beyond what SOE has done with their Station Launcher friend’s list.

Of course, I should mention that they opened this up with a salutation that included my real name.

But why should I care about that, about using my real name?

I must admit is, in an odd turn for a blogger, that I do value my privacy and the privacy of my family.  And I care all the more so while involved in a job search.  Being a gamer carries a stigma which may not endear you to prospective employers, especially in a state where the unemployment rate is around 12%.

And it isn’t even that I write anything about which I would be ashamed.  My mother reads my blog.

But given a choice between equally qualified candidates, somebody who blogs about online gaming is likely to lose out. (It might help me with that SOE QA Manager position for which I applied.  Then again, it might not.  Wasn’t I just bagging on SOE marketing the other day?  Oops.)

So I get a bit squeamish when Blizzard starts talking about using my real name in the game in any way, and all the more so because I see the value in what they are offering.  Blizzard says, in the Real ID FAQ:

Real ID is a system designed to be used with people you know and trust in real life — friends, co-workers and family — though it’s ultimately up to you to determine who you wish to interact with in this fashion.

And certainly I wouldn’t share my Real ID with anybody I did not trust or know in real life, but this rings of the classic “drink responsibly” sort of message.  Who knows how this is going to develop.  Will people start exchanging IDs casually in game?  Will raiding guilds start demanding Real IDs from members?

I am going to watch this feature carefully.  Right now there are less than ten people with whom I would consider sharing Real IDs, and even then I like to have a secret alt or two stashed away for when I just want to run around solo and not seem like I am snubbing anybody.

Everything Blizzard offers has a price, but I’m not sure I’m ready to pay for this one.

And I am certainly not enabling this feature on my daughter’s account!

Blizzard Compromises Parental Control Security

Or such is my view of the recent changes they have made.

For previously, parental controls were a simple thing.

They were an option off of the account management page and thus secure behind the account login, which in the case of our household, includes a Blizzard Authenticator.

Roll Stock Authenticator Footage

Once in to the parental controls page, all sorts of options were available for controlling your child’s play time.

And all of this was kept from the child by a simple password.

My daughter would go log into the page and all I would have to do is make the changes, or review the changes she made (and often correct them to align with what I had agreed to allow), then type in the password and click accept.

The flaw in the system appeared to be the password.  I chose a password that was both complex enough to be secure, but one that both my wife and myself would remember.  And we keep tight enough rein on my daughter’s WoW account that we end up typing it in a couple of times a week, thus refreshing our memory.

Then came the email from Blizzard.

Dear World of Warcraft Parental Controls user,

We’re writing to let you know that World of Warcraft Parental Controls are now managed through our Battle.net Parental Controls system: http://us.battle.net/parents/.

This email is your new key to accessing Parental Controls for your children. Any time you want to make changes, simply click the link under the name of the child below:

[Account and URL Withheld]

Your previous World of Warcraft Parental Controls settings for the accounts above have been automatically transferred to Battle.net Parental Controls, so unless you’d like to make changes or explore the new tools, you do not need to take any action at this time. Be sure to hang on to this email for quick access to managing your Parental Controls settings in the future.

Battle.net’s Parental Controls features include:

– NEW! No more Parental Controls password to remember – just use this email as your key.
– NEW! Permit a child to use Real ID, an optional social-networking feature that allows players to interact and communicate using their real names. (Learn more about Real ID: http://us.battle.net/realid/)
– Set daily or weekly limits on the number of hours your child is allowed to play World of Warcraft.
– Create a custom World of Warcraft play schedule, or select from pre-set schedules such as “weekends only.”
– Receive weekly World of Warcraft play-time reports via email.
– Manage access to in-game voice chat for World of Warcraft.
– COMING SOON! The ability to manage future Blizzard Entertainment games such as StarCraft II, as well as additional access to Battle.net’s upcoming social features. We’ll share more info with you about these features as they become available.

For information on or assistance with Battle.net Parental Controls, visit the Parental Controls FAQ (http://us.blizzard.com/support/article.xml?locale=en_US&tag=PCFAQ) or contact our Sales, Billing & Account Services team: https://us.blizzard.com/support/webform.xml?rhtml=y&locale=en_US.


The Battle.net Team

I initially ignored this email thinking that it was yet another phishing attempt.  Right, I’m going to click on a URL in an email from “Blizzard Entertainment.”

But then my daughter came to me asking to play for a bit, since the Midsummer Fire Festival was kicking off, and we noticed that the parental controls were missing from their usual location.

I went back, dug the one of two non-phishing attempts from Blizzard Entertainment out of my spam folder, and read the above.

So instead of easy access via account management, controlled by a password, I now have to keep a hella long URL handy if I want to make any changes.

I realize that some people are bad with passwords and that having held a job where I had to have 6 different passwords to do my job daily, each of which had to be changed every 45 to 90 days, might have trained me better than most in the fine art of mental password management (the company had heard of LDAP, but wasn’t really convinced it was time to jump on that bandwagon yet), but still.  This was one stinking password with almost no restrictions requiring special characters, numbers, capital letters, punctuation, or Chinese pictograms.

But no, passwords get forgotten and and I am sure that yields calls to Blizzard support, and support calls cost money.

So now I have a much less secure solution to the problem of parental controls.  Passwords may be as breakable, or much more breakable than the hella long URL Blizzard sent me, but at least the password entry made you go through the Blizzard Authenticator.  I bought into your security paradigm and this is how I get treated Blizzard?

Meanwhile, the URL is in a normal web mail account, the password for which can be phished for as easily as an account password.  And even if I copy the URL elsewhere, if you know that email address, you can just go to the parental controls page, type it in, and they’ll send you a fresh URL that will invalidate the old one.

All of this for access to a page that will let you lock people out of their account.  How does that scenario sound familiar?

Right, somebody gets the password to that email account, changes it, requests a new parental control URL, turns off all access to the account and there you go.

And you can say, “Well, be more careful with your email account,” but this sort of thing happens to people much wiser in the ways of security than myself.

Then there is the kick in the teeth following the boot in the groin, which is that this new setup is less convenient for our family.

Previously, my wife and I both knew the password, so either of us could manage our daughter’s account.

Now we need that URL.

Sure, I can forward that to her (another security hole, but what the hell at this point!), but there is a catch.

The URL expires.

This was probably the bit that let this whole “bypass the authenticator” scheme get past security review.  I’ve already had to renew the URL.

But the URL gets sent to an email account that is mine.  If the URL expires when I am not available to manage the parental controls, then the controls won’t get managed.  And I could switch it to a new account that we could both share, but that would be one more account and password to remember.

All in the name of not having to remember a password.

And I’m just getting warmed up.  This whole thing is a trifecta of annoyances, the security changes just being the first.

Look for a follow up post.

Meanwhile, the net result here is that if you used the Blizzard authenticator, your account is now less secure than before.