Account security: harsh lessons from those with no class

A lot of people accessing World of WarCraft have not created their own characters.  They are playing on characters they have stolen from others, or bought from electronic "fences" on the Internet.

At the heart of this debacle are the cyberthieves.

Using black technologies they have sharpened to the hilt from a decade of hacking Windows systems for profit, they are now stomping their way through the war grounds of World of WarCraft.  Taking no prisoners but kidnapping & selling characters, their gear, and 100 or more stacks of items and untold amounts of gold from the banks of guilds these characters belong to.

This would be pointless if not for one thing.

Lazy, unprincipled people are paying money for these items.  Real world hard cash.

They have created a black market.  And where there are black markets, there are victims.

The banks of the guilds of my characters belong to on different realms have been robbed repeatedly.  Not a month goes by where one or more guild mates accounts have not been hacked, stripping them and the guild bank of hard won gear & gold.

Blizzard has responded by offering dynamic password authenticators.  This offers a measure of security but it is limited to how much it can protect by the laziness of the malware authors doing the hacking.

Turns out these professional hackers are not that lazy.  They use the same big loophole in computer security that electronic bank users use.  Once they have their malware in your computer, when you log in, they hijack it.

They turn your computer into a router for their commands.  Your computer has been authenticated for however long you are logged in.  So during that time, they can get it to do things making it look like you did them.

They can do a lot of damage to your characters and your guild in that way.  Of course, without any Authenticator, once your computer is infected they can do things to your account 24x7, even while you are sleeping and your computer is turned off.

Recently, one of the best known players in the game of WoW, Kaliope had her WoW account hacked.  She was not too thrilled about this.  She even waited a while to blog about it.

People may argue she should have done this or done that.  Guess what?  She did all those things.

1. She had an Authenticator for her WoW account.
2. She had antivirus software that was up to date on her computer.

The malware ran right past the antivirus software without the software noticing it. Even after she diagnosed the problem, she was unable to get the scanner to notice the malware.  It simply did not notice.  For a half decade Windows antivirus corporations have been shouting into the ether that Mac owners and Apple had a "false sense of security".  Perhaps, instead, it is these antivirus companies and their customers who have a false sense of security.  Because they are the ones with the computers and accounts that get hacked.

What was the solution that Kaliope chose?  Well, she could have done nothing.  However, instead she decided o do something to deny the hackers their chance to gloat.  She bought a Mac.

Now the antivirus companies are not gloating either.  They are standing on the side of a road being used as a highway for an exodus, selling lemonade that tastes not so sweet anymore.

Is stealing WoW items a crime.  Heck, yes.  The sole exception would be if two children shared the same account, and that practice is expressly forbidden by the World of Warcraft license agreement and terms of use document.  Two children cannot share the same account, period.  A parent and their own child can, but not two children.

I heard of at least 2 or 3 cases first hand where a child in our guild got all their items stolen and vended by a brother or sibling.  We also had an entire guild robbed years ago by a ninja who blamed it on his brother, though we doubt that.

WoW items are not taxed, accounted for nor reported.  However, the people buying and selling them are using them as if they should be - but are not doing it.  So probably this is a special sort of crime, in addition to theft, unauthorized access to computers, installing malware, violating privacy laws for the USA & California, interstate commerce laws, etc.

The US recently charged a Ukrainian with serious computer hacking crimes revolving around fake antivirus software called scareware.  It scares you into buying it, locks down your computer to prevent you from doing virtually anything with it, and then extorts money from you.  Violates a whole slew of laws.

Hopefully, by this time next year, he will be spending time in the US prison system.  With luck, so will the people doing this hacking.  In the meantime, do not use Internet Explorer if you play WoW or have a real bank account or e-commerce account.

Good software and bad for WoW users this week

Blizzard is getting ready this week to serve us up an small update to the WoW game itself.  The update includes the Ruby Sanctum dungeon instance.

They also had a treat for those of us with Apple handheld devices:  Mobile Auction House.

The beta for the mobile auction house is over. To use it now you need to pay a small monthly fee.  The fee is separate and in addition to your fees for playing the game itself.

There was also a warning of bad software out there.

As many computer users know by now, Adobe web plugins have a lot of problems.  Chronic problems.  Adobe keeps addressing them with patches but hackers just go and find some more that they have missed.

All of their programs suffer from creeping featuritis.

Take Adobe Acrobat, for example.  While the original idea of having documents look and print the same on all computers was noble and really a necessity, Adobe could not leave well enough alone.

They had to jazz it up with the ability to embed JavaScripts, do electronic forms, embed the documents in web pages, and so forth.  What features to hackers find and exploit bugs in?  Those very features, a lot of the time.

Which just goes to show my point: Adobe products suffer from creeping featuritis. If they had not put unnecessary features in, then they would have fewer bugs and when they find out that criminals are actively exploiting them all oer the web, they could fix them in less than a month!

Last week Adobe announced hackers were exploiting bugs in their web based/related programs:  Flash, Adobe Acrobat Reader plugin and the Adobe Acrobat application.  Blizzard has announced that this poses a risk to WoW game players.  Adobe's mistakes could be used to steal WoW account passwords.

This is not the first time Blizzard has had to make such an announcement to its users on Adobe's behalf.  In fact, I have lost count of how many times this has happened. That is why I block Flash content.

The other thing hackers are doing is luring people to counterfeit sites with a sponsored (meaning "paid for") advertisements in Google ads.

You expect to get taken to the popular Curse site for downloading free WoW addons.  Of course they are free, Blizzard will not allow anybody to charge money for them.

Unfortunately, the addons on the fake Curse web site refeered to in this article contain malware added into them that will steal your wow account password.

Blizzard is frenetically touting their two phase authenticator. However, these things do not work as well as you would think. They are far from ironclad protection.

For one thing, malware these days beats those two way authenticators, which are only designed to block over the wire eavesdropping, not spyware.

For another thing, even though the password changes every minute, once the crooks receive the notice that you have logged in they communicate to your own computer system through a back door they create on it.

At this point, your system is already connected and authenticated.  So as long as you are connected, they can do what they want via your own computer.

Here are some tips that will dramatically cut your changes of getting infected with malware and having your WoW account robbed.

• Never use IE, MSN chat, or Outlook for accessing the Internet or something that came from the Internet.
• If you have access to a Mac, use the Mac for WoW instead of your Windows computer.
• Use Flash and ad blockers like ClickToFlash (Safari), Ad Block Plus (Firefox), and NoScript (Firefox) addons in your web browser so that you massively cut the chances for hackers to silently get their claws into your system.
• Be skeptical.  Ask yourself if you really need to have or look at something, or not. Ask how you know a site or a file is what it purports to be.
• Be meticulous.  Bookmark the sites - the very pages, in fact - that you get your WoW addons from.  By always getting your downloads from the same place, which you carefully verified before using it, you save yourself time and also avoid risks of being duped by blackhat SEO tricks or miscean's web search ads.
• Remember, the game has make believe enemies but these hacker guys are part of organized crime.  They are your enemies both in the game and in real life.  For them, crime pays and it is you who is writing the check.

Both Apple and Steve Jobs, its president, recently spoke out to warn the public of the dangers of Flash in particular and the problems in general with Adobe that put computer users at risk. At the time, some staunch supporters of Adobe products reflexively derided his comments.  But the latest attacks show that he was right.

The same night, Steve Jobs made a flip comment that Google really was evil.  While that seems debatable at the moment, what it does serve as a reminder is that not everything in Google searech is safe to click on.

Google does a lot to check those pages that show up in its listings but that is far from being able to catch everything.  You have to be careful at your end too.  Use the tips I listed above.  Otherwise, you will just become criminals next victim.

This weekend, someone told me he had his WoW account broken into.  No one time but three times he had it hacked.  That goes to show you how active and persistent hackers are.  They are pros.

And they are the ones who will put the evil in everything in computers, so they can take out of them everything that is good.

Tuesday downtime, again!

It is sort of a regular tradition for Blizzard to take their servers down early each Tuesday morning.  As in today's Tuesday morning.

The downtimes come in two flavors.  Typically, it is down for the whole morning and if you are on the east coast that drags on to almost the mid afternoon.  Sometimes, you are lucky and Blizzard serves you just 15 minutes of downtime because all Blizzard wants to do is reboot each realm.

Unfortunately, today was not one of those days.  Blizzard wanted to ready their servers for a new patch.   So they took their servers down for a number of hours.

Kicking off this WoW blog

I am starting this blog to fill in the cracks and join together the information you might find scattered around in other sources, help you find those resources, and share with you some of the sort of profoundly useful things I have discovered about playing WoW.

I figure I will never be as funny as the two guys who do The Instance podcast, as connected as the guys who do the WoW Insider podcast, as knowledgeable and good at chitchat as the gal who does The Crafters Tome web site and performed the Epic Dolls podcast.  Nor will I be as skilled at playing my characters as those guys who write blogs on how to play your hunter, destruction warlock, priest, druid, or what have you.

I am more of a generalist.

I have played every character class, race, profession in the game - more than once, in fact.  The only thing I  have not done and have no plans to do is play every spec of ever class.

However, I have played more than one of most classes and all three of some classes.  Shadow & Discipline priest, Destruction & Demonology warlock, Balance & Feral druid, to name a few.

I am not a total noob.  While I have created a great number of "alts" (alternate character) as we WoW gamers say, I have done a lot more than dabble around with them.

I have two level 80 characters, five characters in their seventies, a few in their sixties, at least one in its fifties, a few in their forties, some in their thirties, their twenties, their teens, and one or two that are below ten and so they do not even show in the armory.

I am a programmer by profession too.  Or by trade, as those in the game would say.  So, down the line I might have some things about programming WoW addons.  I have already learned the basics of Lua programing and a little bit about writing addons for WoW.

I have used a decent number of addons too.  Not a lot.  I am a conservative guy plus I am running on a 1 GB of RAM computer.  It is fast but it does not have the most RAM in the world.  I use about a dozen.

They help me with routine aspects of the game mostly.  Many people use a lot of extensions for their combat user interface.  I do not.  I recently adopted Decurse so I can quickly remove debuffs from fellow teammates but that is about it.

Now that I have a couple of 80's, I need to work on my DPS because both of my 80's are damage dealers - one melee, the other spell casting.  So I will probably soon write come macros that I can apply to custom buttons for my most commonly used spell sequences.

Here is what I want to do:

• share knowledge of how other classes relate so that you can best opponents or at least stand up to them
• briefly describe 5 man party composition in terms of roles and what classes fulfill them
• explain how you and friends can help each other with your professions
• tell you what kind of professions and class specs you should avoid while leveling, especially for your first character
• tell where to find some good gear for your class(es) of character
• point out how to get some snazzy or useful items as quest rewards that you might regret missing entirely or throwing away before you realized how useful they could be
• give advice and tips for things to know, do, realize, and take advantage of when you land on a new server
• pass on some of the basics of how to earn and save gold in the game
• inform you of useful tools and options, as well as frivolous ones that make it more enjoyable
• warn you of things that will do you harm from people who mean you ill, both in game players and web privateers as well

I am not a guru of WoW.  Just a regular player, like most of you who read this blog.  I am not a genius or an expert at any one aspect or area.  I just think I can do a good job explaining how a lot of important things fit together.  Things that might seem hard to pick up at first, especially without going all over the web to find out.

Lesson one.  Blizzard's printed manual, which is also included in PDF form on the game disc and installed on your computer, by the way, is pitifully short.  It is well written and illustrated. However, in an effort to not give away two much, they have left a ton of questions every new and intermediate player soon has.  I want to give you an extra boost on top of the head start their writers gave you.

I do think you should read their manual, by the way.  There are useful tips in there.  Things to consider when picking the class your your character, your first and maybe only character, that is.  Things to watch  out for when choosing your professions.  Ways to level your character quickly by taking full advantage of the way the game intentionally works.

You do have to watch out for one thing as you play WoW and as you read advice.  WoW's designers apparently never stop their designing.  Even things that are really fundamental and you expect would never change do change in WoW.  That is part of the fun of the game, and sometimes a point of serious frustration, shock, and disappointment.

Some examples of the latter that I have experienced are:

• crafting materials that turn from whites to grays overnight, indicating their are now worthless
• having something I had just disenchanted or prospected on a ship disappear forever from the game  all by itself (this probably does not happen anymore)
• finding quests I had been working on have disappeared from the game

One of the main things about WoW which can help you is you can improve your personality a little with it.  Experiment!

• If you are shy by nature, try being more outgoing.
• If you are more critical than average, try saying more supportive and encouraging.
• If you tend to be a loner, be more of a joiner.  Go quest with someone you find nearby at the same level, or accept more of those invitations you get from guild mates or perfect strangers to go to a dungeon together.
• If you are really cautious, try experiencing some risk taking. You are not gambling with real money or property so you have little to lose and might learn something.
• If you are completely inexperienced at haggling or getting fair prices - or making a killing - in situations where goods have no fixed prices, try out the Auction House and the Trade channel.
• If you tend to swear a lot, try not doing that for a change: otherwise you could get kicked or suspended from the game.
• Be polite.  There is little alternative and only so much leeway in WoW.  Sooner or later, you will find that life is the same way.

Well, that is my charter for this blog.  I hope I can stick to it and fulfill your expectations.